CCPA: The California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) has been on the horizon for a long time. It was signed into law on June 28, 2018, but finalizing the regulations and getting to enforcement has been a slow road.

The wait is over. The law has been in effect since January 1, 2020, the California attorney general began enforcing it on July 1, 2020, and the final regulations are now in place. It's the real deal now.

A lot has changed since CCPA first rolled out, and a lot has REALLY changed since January. So what's a privacy-minded organization to do if it needs to get up to speed on CCPA compliance?

Sit back and put your feet up – we’ll tell you what you should know.  

What’s in CCPA (and what’s in it for me?)

It’s never a bad idea to start with a refresher on what exactly is going on with privacy regulations. By necessity, privacy regulations are complex and nuanced. CCPA is no exception. 

CCPA is the most expansive data privacy law in the United States to date. Informed by cases of advertisers using consumer data without consent to influence events like political elections, its regulatory reach goes beyond the borders of California: it applies to businesses anywhere that handle California residents' personal information and meet the thresholds below.

CCPA is often described as the lite version of GDPR. That's not inaccurate, but there are important differences to note now that we're entering CCPA's enforcement period.

Does CCPA apply to me?

Anytime there is a new regulation, the first question that pops into a business owner’s head is, “Okay, do I need to worry about this?” 

So, if you're in a compliance state of mind and wondering whether you need to start scrambling, here's the short answer. The CCPA applies to your business if:

  • You’re a for-profit business that:
    • Collects and controls California residents’ personal information AND
    • Does business in California AND
    • Has one of the following:
      • Annual gross revenues in excess of $25 million
      • Annually buys, receives, sells, or shares the personal information of 50,000 or more California residents, households, or devices
      • Derives 50% or more of your annual revenue from selling California residents’ personal information

CCPA Rights: What You Need to Know and How to Get Prepared

CCPA provides thorough guidelines, and it should: it went through numerous revisions to get where it is now. The attorney general's final regulations run to seven articles with 42 sections total, covering how businesses must meet the law's requirements. 

What do you absolutely need to know, though? Here are some of the most relevant takeaways. 

If you’ve reached this point and you’re already thinking “Yikes!” don’t get overwhelmed. Compliance is always manageable with the right help.

You’ve got to know if your business is collecting or selling consumers’ personal information

Are you buying, renting, gathering, obtaining, accessing, or otherwise receiving personal information? If so, you're collecting consumers' personal information. That part is relatively straightforward. 

What constitutes selling data? CCPA defines it as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

But what does that actually mean in practice? "Selling" is often misconstrued. Yes, it can be the usual "I'll give you x amount of money for y amount of data," but under CCPA it also covers sharing data for other valuable consideration where the third party uses the data for its own purposes. Sharing data with a service provider that is contractually limited to using it only to deliver the contracted services does not qualify as a sale under CCPA. That contract language is what makes the difference, so make sure it is actually in the contract.

Regardless of whether you collect or sell personal information, you need to have data mapping processes in place. Here are some questions to answer when you undergo data mapping:

  • Where do you host your data (including with any third parties)?
  • For what purpose is the data you collect used?
  • Who do you disclose data to, and does each recipient's contract limit them to delivering your services, or can they use the data for their own purposes?
  • Do you collect or sell data on children? 

Wait, what’s considered “personal information”? Is it the same as GDPR?

Like GDPR, the CCPA defines personal information broadly. It’s any information that identifies or is reasonably capable of identifying a particular consumer or household. Significantly, the CCPA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (more on this below).

The statute provides a non-exhaustive list of categories of personal information, including:

  • Identifiers including real name or alias, postal address, unique personal identifier, digital identifiers (all those pixels, cookies, etc.), internet protocol (IP) address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information, including records of personal property, goods or services purchased or considered, or other aspects of purchasing history
  • Biometric information
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
  • Geolocation data
  • Professional or employment-related information
  • Education information

Let's pause for a moment on the category of "identifiers." Digital identifiers are a new and increasingly important part of personal information. Think about how much time people spend online, how many websites they visit, and how many tracking pixels and cookies they encounter along the way. This alone is a substantial source of personal information that you need to be aware of. 

Transparency and notice obligations

Transparency! It's not just a buzzy value to tout to your customers; it's essential under CCPA. You can't tell consumers you're collecting data after the fact. You need to give them four distinct notices so your data collection practices are crystal clear:

  • Notice at collection of personal information
  • Notice of the right to opt out of the sale of personal information
  • Notice of financial incentive
  • The business's privacy policy

When putting together these notices, it’s important to balance comprehensive attention to detail with consumer-friendly copywriting. Your notices need to be easy to understand by your consumers. 

But remember, being user-friendly isn't just about your writing style. It also means your website is set up in an ADA-compliant manner. The regulations require privacy notices to be reasonably accessible to consumers with disabilities. That means you need to consider how individuals with disabilities, and the assistive technology they use, such as screen readers, will interact with the notices. 

Sidebar: When you’re structuring these practices and policies in a piecemeal fashion, it’s hard to connect the dots. The result can be ineffective and incoherent. But when you take a long, hard look at how privacy, data practices, and consumer needs fit into your organizational values, it comes together with greater ease. 

Your consumers, their information

Much like GDPR, the CCPA is meant to protect an individual’s rights regarding their personal data. How you implement it can significantly impact the trust your consumers have in your business. So how does your business achieve these objectives while providing value to your customers? By focusing on upholding individual rights. Here are some key points to think about. 

Think about: Consumer rights

There are six distinct consumer rights that are covered by CCPA that you need to uphold. Do you know what they are – and what you’ve got to do?  

  1. The Right to Notice
    • What does it mean?
      • You've got to tell your consumers, in plain and straightforward language, that you're collecting their data at or before the time of collection, and again when you start collecting new categories of data.
      • You've got to link to your "Do Not Sell My Personal Information" page from your homepage.
  2. The Right to Access Personal Data and Information
    • What does it mean?
      • Your consumers can ask, up to twice in a 12-month period, to confirm that you're collecting their personal data and to get a copy of what you've collected over the preceding twelve months.
  3. The Right to Know if Their Personal Data is Being Shared (And With Whom)
    • What does it mean?
      • Are you sharing your consumers' data with other parties? Your consumers have a right to know, and they can ask to see what you're sharing and with which categories of recipients.
  4. The Right to Deletion 
    • What does it mean?
      • Consumers can ask you to delete the personal information you have collected from them, subject to the statute's exceptions (for example, data needed to complete a transaction they requested or to comply with a legal obligation). You have to offer an accessible way to make the request, and you have to pass the deletion on to your service providers. 
  5. The Right To Know Whether Their Data Is Being Sold And The Option To Opt-out Of Sale
    • What does it mean?
      • Consumers can ask you not to sell their data, and you have to honor that.
  6. The Right To Equal Rights And Services
    • What does it mean?
      • Exercising CCPA rights can't result in a consumer being denied goods or services, charged a different price, or given a different level of quality.

Want a closer look at individual rights? We’ve got an article for that.

Think about: Managing consumer requests

Responding to individual rights requests is huge for compliance, but it's even bigger for establishing trust with your consumers. Under CCPA, consumers can submit requests to know, delete, and opt out in accordance with their rights.  

For requests to know and requests to delete, you must offer at least two methods of submitting a request, and one of them has to be a toll-free number. The exception: if your business operates exclusively online and has a direct relationship with the consumers whose data it collects, an email address for submitting requests is enough. 

For requests to opt out of sale, you need two ways for consumers to submit them, and one of them has to be the Very Important "Do Not Sell My Personal Information" link.   

Are you able to meet deadlines?

Under the CCPA regulations, you have 10 business days to confirm receipt of a request to know or a request to delete, and 45 calendar days from receipt to complete your response. (The 45-day period can be extended once by another 45 days when reasonably necessary, but only if you notify the consumer within the first 45 days.) Meeting these deadlines can be hard, especially for busy small businesses, but it's important to make it a priority. 

Think about: Verifying data

When a consumer submits a request to know or a request to delete, you have to verify their identity before acting on it; requests to opt out of sale do not require verification. Verification under CCPA is nuanced: the degree of certainty required rises with the sensitivity of what is requested (confirming the categories you collect takes less than handing over the specific pieces of information), and whatever the level, you must never disclose a Social Security number, driver's license or other government ID number, financial account number, account password, or security questions and answers in a response. Make sure that you've trained your team THOROUGHLY on your process (and on meeting the 45-day timeline!).
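The two sections above (deadlines, and verification before acting) are the kind of thing a request queue should enforce rather than leave to memory. Below is an added example, written for this page and not code from the article or any CCPA tool, of a small tracker that computes the acknowledgment and response due dates, flags requests completed without verification, and withholds the data elements that must never appear in a response. Assumptions: the 10-day acknowledgment window is counted in business days with holidays ignored, the request queue and the field names (`ssn`, `account_password`, and so on) are constructed sample data, and the extension of the 45-day period is not modeled.

```python
"""Constructed CCPA consumer-request tracker (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Union

ACK_BUSINESS_DAYS = 10        # confirm receipt within 10 business days
RESPONSE_CALENDAR_DAYS = 45   # substantive response within 45 calendar days

# Data elements the regulations bar from ever being disclosed in a response to a
# request to know, even to a verified consumer. Field names are an assumption.
NEVER_DISCLOSE = {"ssn", "drivers_license", "passport_number",
                  "financial_account", "account_password", "security_answers"}


class RequestType(Enum):
    KNOW = "know"
    DELETE = "delete"
    OPT_OUT = "opt_out"


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays (Mon-Fri). Public holidays are ignored (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def _as_date(value: Union[str, date]) -> date:
    return date.fromisoformat(value) if isinstance(value, str) else value


@dataclass
class ConsumerRequest:
    request_id: str
    kind: RequestType
    received: date
    acknowledged: Optional[date] = None
    verified: bool = False
    completed: Optional[date] = None

    @property
    def requires_verification(self) -> bool:
        # Requests to know and to delete are verified; opt-out requests are not.
        return self.kind in (RequestType.KNOW, RequestType.DELETE)

    @property
    def ack_due(self) -> date:
        return add_business_days(self.received, ACK_BUSINESS_DAYS)

    @property
    def response_due(self) -> date:
        return self.received + timedelta(days=RESPONSE_CALENDAR_DAYS)

    def open_issues(self, today: Union[str, date]) -> List[str]:
        """Compliance problems with this request as of `today`."""
        today = _as_date(today)
        issues = []
        if self.acknowledged is None and today > self.ack_due:
            issues.append("acknowledgment overdue")
        if self.completed is None and today > self.response_due:
            issues.append("response overdue")
        if self.completed is not None and self.requires_verification and not self.verified:
            issues.append("completed without identity verification")
        return issues


def new_request(request_id: str, kind: str, received: str) -> ConsumerRequest:
    return ConsumerRequest(request_id, RequestType(kind), _as_date(received))


def redact_for_disclosure(record: Dict[str, object]) -> Dict[str, object]:
    """Build the payload for a request to know: categories the regulations forbid
    disclosing are acknowledged as collected, but their values are withheld."""
    return {k: ("[collected; value withheld]" if k in NEVER_DISCLOSE else v)
            for k, v in record.items()}


def sample_report(today: str) -> Dict[str, List[str]]:
    """Constructed sample queue (not real data) checked against `today`."""
    queue = [
        new_request("R-1", "know", "2020-07-10"),      # never acknowledged or answered
        new_request("R-2", "delete", "2020-07-10"),    # deleted without verifying
        new_request("R-3", "opt_out", "2020-07-10"),   # opt-out, no verification needed
    ]
    queue[1].acknowledged = date(2020, 7, 14)
    queue[1].completed = date(2020, 7, 30)
    queue[2].acknowledged = date(2020, 7, 13)
    queue[2].completed = date(2020, 7, 20)
    return {r.request_id: r.open_issues(today) for r in queue}


if __name__ == "__main__":
    for rid, issues in sample_report("2020-08-25").items():
        print(rid, issues or ["ok"])
```

Run as a daily job over your real queue, the `open_issues` output is the list you escalate; the `redact_for_disclosure` step sits in front of whatever assembles the copy of data you send back, so a verified consumer still learns that you hold their Social Security number without the number itself traveling over email.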

Think about: Is your team prepared?

Your customer-facing team has a lot of responsibility. They need to know what the requirements are. They need to know how to respond to different types of requests. They need to know what the limitations on requests are. They need to know how to correctly verify requests. And they need to know how to help your customers exercise their rights. 

Are you ready to help them handle all of this? Training, unsurprisingly, is essential. 

Enforcement and Beyond

Under CCPA, California residents have a private right of action: they can sue a business if their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. This provision uses the narrower definition of personal information from California's data breach statute (a name combined with, for example, a Social Security number, driver's license number, or account credentials), not the broad CCPA definition discussed earlier. It is a significant provision in and of itself. 

But beyond that, the California attorney general’s office is responsible for making sure companies are in compliance with the regulation. 

If you're found in violation of the CCPA, your company may face a civil enforcement action. You'll get a notice of non-compliance and 30 days to cure the problem. If you don't cure it within the 30-day window, you can be subject to an injunction and a civil penalty of up to $2,500 for each violation and up to $7,500 for each intentional violation. 

Enforcement is only part of the picture, though. Your customers expect you to be doing the right thing with their data. If you're not doing the right thing with it, you're not staying in compliance. (And of course, that's an issue.) 

But you’re also not honoring the trust your customers have given you by sharing their data. Breaching that trust is just as damaging as any data breach. 

So the question is – how do you factor this into your business operations? Your brand? Your vendor relationships? 

These questions don’t have one-time answers. Being responsible for consumer data, staying current on regulations – these things are the new norm, and meeting expectations is a moving target. 


We're here to help you find the right roadmap for your business, no matter what it might look like. Contact us to schedule a free call.