The clock is ticking for companies that do business in the USA, and California in particular. With a compliance deadline of January 2020, the California Consumer Privacy Act (CCPA) is poised to severely impact businesses.
The CCPA is widely regarded as being the start of GDPR-like privacy legislation in the USA. The two acts are similar, with comparable requirements and details.
While it deals with individuals’ privacy, not business data, it’s still important for any business that operates in California – which effectively includes any company that does business in the USA.
California Consumer Privacy Act: How to Make Sure You’re Compliant
While the CCPA is a state law, it covers out-of-state businesses that sell to Californians, or even display a website in the state. Realistically, companies will need to comply with the CCPA if they do business in the USA at all.
Companies aren’t going to implement totally separate processes for California and the rest of the USA – especially as the societal trend in general is in favor of wider privacy legislation.
What is the CCPA, Exactly?
Quick disclaimer: we’re marketers, not lawyers; this article is intended to be informational, and shouldn’t be regarded as legal advice. Our information is sourced directly from the CCPA initiative document itself, which can be found here.
Much like GDPR in Europe, the California Consumer Privacy Act enables consumers (in this context, any resident of California regardless of whether there’s an existing relationship with the business) to force companies to divulge the personal information they have collected on them.
Consumers can also make companies delete that data, or forbid them from sharing it with third parties.
Here’s a quick summary. The CCPA gives consumers the right to:
- Request disclosure of your business’ data collection and sales practices relating to that consumer, including: categories of personal data you’ve collected, the source of that data, and how you use that information. Additionally, if that information was sold or disclosed to third parties, consumers can request the categories of personal information disclosed and the categories of third parties to whom the information was disclosed.
- Request a copy of the specific personal information collected about them during the 12 months preceding the request.
- Have this information deleted.
- Request that their information not be sold to third parties.
- Not be discriminated against because they exercised any of these rights.
The CCPA’s definition of “personal data” includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household.
The CCPA also defines “collection” of personal data as “buying, renting, gathering, obtaining, storing, using, monitoring, accessing, or making inferences based upon, any personal information pertaining to a consumer by any means.”
Does the CCPA Apply to Every Company?
No. The CCPA applies to three types of businesses:
- Companies with more than $25 million in gross revenue.
- Businesses with data on more than 50,000 consumers.
- Firms that make more than 50% of their revenue selling consumer data (i.e. data brokers).
How to Make Sure You’re Compliant
- A description of the new rights granted by the CCPA, clarifying that a consumer may only make a personal information request twice in a 12-month period, that the business will need to collect information from the requesting party to verify their identity, and that the business will respond within 45 days of receiving the request.
- A description of how to submit a personal information or erasure request. These methods must include at least two channels, at a minimum a web page and toll-free telephone number. This section should also describe the process for making a request, preferably including a link to the web page.
- A link to an opt-out page on the website. If your business provides access to or discloses personal information to a third party for monetary gain or other value (a “sale” in the context of the CCPA), then you also need to provide a link titled “Do Not Sell My Personal Information” leading to a web page where the consumer can opt out. This link must also appear in your website home page footer.
- A list of all the categories of personal information that has been collected in the past 12 months. This includes information collected in any format, from any source. (An outline of these categories can be found below.)
- The sources of each category of personal information. This might be the person submitting the information, a third party the business receives the information from, or the business observing activities and recording the information (such as cookies).
- The purposes for using each category of collected information. For example, if you collect identifiers (like contact information) for marketing purposes, you need to disclose that.
- A list of the categories of personal information disclosed for a business purpose in the last 12 months. Similar to the previous point; see below for the definition of “business purposes”.
Categories of Personal Information
- Identifiers such as contact information, government IDs, cookies.
- Information protected against security breaches such as your driver’s license, social security number, user name/password, health and medical information.
- Protected classification information such as race, gender, ethnicity.
- Commercial information
- Internet/electronic activity
- Audio/video data
- Professional/employment-related information
- Education information
- Inferences from the other categories
Business Purposes According to CCPA
Business purpose as defined by the CCPA means “the use of personal information for the business’s operation purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which it is specifically permitted.”
The CCPA further details the definition:
- Auditing relating to a current interaction with the consumer and concurrent transactions, including but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance with this specification and other standards.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use provided the personal information is not disclosed to another person and is not used to build a profile about the consumer, or otherwise alter an individual consumer’s experience outside the current interaction.
- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business.
What Does This Mean for Businesses?
Initially, it means time and effort spent in updating privacy policies and processes – and before that can happen, you’ll need to dive into exactly what sort of data you have on your contacts.
When the law comes into effect at the start of 2020, consumers will be able to submit personal information requests for any data companies have collected on them in the past 12 months. As a practical matter, it’s a good idea to have all of your data from 2019 already prepared.
The last thing you want is for a request to come through and find yourself scrambling to assemble the data you need.
Should CCPA-like legislation be adopted across the USA, it could dramatically impact tech giants such as Google and Facebook, who rely on personal data to provide targeted advertising.
There are still concerns for smaller businesses. For example, if you’re leveraging cold email lead generation and have a large contact list including people in the States, you’ll want to ensure you’re compliant, just in case.
Once again, note that this article is intended solely for informational purposes and is not intended to constitute legal advice in any form.