Inspired by the GDPR, the CCPA requires organizations to manage the personal data of California residents in a new way and grant them rights to their personal information. Is your firm prepared?

Data privacy laws such as the GDPR continue to be an international trend, with the California Consumer Privacy Act (CCPA) being one of the latest examples. It was passed in 2018 and became effective January 1, 2020. Enforcement will begin in 6 months on July 1. So, how can firms know if the CCPA applies to them, and how do they comply?

Who does the law affect?

The CCPA gives California individuals rights to the data that a company has on them. It addresses the growing concern by customers regarding their data privacy and also will play a part in lessening privacy issues and data breaches in the future. Before going any further, here’s how to know if the CCPA applies to your firm.

The CCPA applies to any for-profit company that collects or processes personal information on customers, does business in the State of California, and meets at least one of the following requirements:

  1. Has an annual gross revenue of $25 million or more
  2. Annually buys, receives, sells or shares the personal information of 50,000 or more customers, households or devices (that are California residents)
  3. Earns more than half of its annual revenue from selling customers’ personal information

This means that even if a firm doesn’t sell customer data, it could still be covered by the CCPA because of the size of the company’s customer database or its annual revenue. And while the law only applies to companies that do business in California, it’s likely that more states will adopt the same standards in the near future, so take notice. It’s not too early to start thinking about how your firm’s customer data is organized and how you can work towards greater transparency and privacy.

While the law only applies to companies that do business in California, it’s likely that more states will adopt the same standards in the near future.

What this means for customers

While one purpose of the CCPA is to single out data vendors, the overall purpose is to enable customers to access and control any personal information that companies have collected about them. Companies could have received this data from customers’ email subscriptions, contact form submissions, transactions, or by purchasing the data. Personal information is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular customer or household.” The includes identifiers such as real name, address, unique personal identifier, email address, and SSN; commercial information; biometric information; Internet activity; geolocation data; professional or employment-related information; and any inferences drawn from this information to create a profile on a customer’s preferences and characteristics.

The following includes the various rights that the CCPA is giving California residents:

  • Right to Be Informed: A business must disclose to customers what personal information it collects and the purposes for which it is used
  • Right to Access: Customers have the right to request to access what specific pieces of personal information a company has collected about them, the sources from where it came, the purposes for it, and the categories of third parties with which it’s shared. This must be provided free of charge within 45 days of the request.
  • Right to Delete: Customers can request that a company delete any of their personal information, and the company is required to do so for all verified requests.
  • Right to Opt-Out of Sale: Companies must offer ways for customers to opt out of the sale or sharing of their personal information. There must be a link to the opt-out page on the home page of a company’s website.
  • Non-Discrimination: Companies cannot discriminate by charging extra or refusing service to those who exercise their rights to their personal information.

 How to prepare

While it’s easy to get overwhelmed by the legal jargon and high-level ideas, here’s a list of practical steps firms should take to be compliant. For firms that already made changes to comply with GDPR, know that there is overlap here and you will already be partially prepared.

  1. Start with taking inventory on all of your firm’s data. Marketers need to make sure they know what customer data they have, where it’s stored, how it’s organized, and how it’s used (and identify which categories of personal information are used/shared). This is essential to all other steps of compliance.
  2. Review and update your firm’s privacy policy to comply with the disclosure requirements. This needs to be updated and visible on a company’s website. Contact legal counsel for help.
  3. The CCPA explicitly requires businesses to provide “a clear and conspicuous link” on the business’s website homepage titled “Do Not Sell My Personal Information” that leads to a web page with an option to opt-out. The business cannot require the customer to create an account to do this. Note that the form should include a way to verify and authenticate the request. At a minimum, this would involve verifying the person has access to the email provided.
  4. Create a way for customers to request to access, change or delete the personal data a firm has collected as well.
  5. Businesses also need to provide a toll-free telephone number as an option for access, deletion and opt-out requests.
  6. Train employees to handle and respond to these requests. They must know how to authenticate requests, access the data, delete if necessary, and efficiently respond within the limited time frame. The CCPA also requires businesses to retain all records of customer requests and company responses for 24 months in order to prove the business is following all regulations.
  7. Make sure company email marketing, landing pages, and other data-collecting tactics comply with CCPA standards.

Start working towards compliance now

Enforcement of the CCPA begins July 1, 2020, which gives companies 6 months to prepare and time for the California Attorney General to modify and make topics such as the definition of personal information less broad. Fines will be enforced for violations, but even for firms not affected by the CCPA, this is still a relevant opportunity to organize and streamline all client and customer data systems and processes as the CCPA is likely to spark national dialogue around data privacy, leading to more laws in the future.