As we approach 2020, there’s a buzz brewing among California’s marketers. It has to do with the California Consumer Privacy Act of 2018 (CCPA). On January 1, 2020, the CCPA is set to go into effect, and many businesses must get ready. How much do you invest in being CCPA compliant? What businesses does the CCPA affect? What consumer protection does it provide?
The San Francisco chapter of the AMA, along with the support of multiple sponsors, set up a panel of marketing pros with experience in privacy and data security to answer our most pressing questions.
Here are a few takeaways from the event, California’s New Privacy Regulations: What Marketers Need to Know Now, held at General Assembly in San Francisco.
What is the intent of the CCPA?
The CCPA promises to be one of the most stringent privacy laws and the most comprehensive privacy law in the country, with directives similar to those of the EU General Data Protection Regulation (GDPR) that took effect in Europe in 2018. California’s law will require consumer consent for data to be sold to second and third parties. It will also give the consumer the right to request that a business delete their personal data.
What businesses must comply?
- Has more than $25 million in annual gross revenue
- Shares, sells, buys or receives for commercial purposes the information of at least 50,000 consumers, devices, or households
- Derives at least 50% of its yearly revenues from selling customers’ personal information
Note: There are a number of exceptions, and you should determine if any of them apply to your business and to what extent.
How much should I invest in this?
Penalty levels for non-compliance are based on a company’s worldwide revenue. Companies will want to assess their appetite for risk when it comes to whether they want to spend the money to update their systems for CCPA compliance.
Additionally, more established companies typically haven’t operated with modern-day privacy issues in mind, and will likely have non-compliant systems. In this case, you may want to assess whether your databases should be updated (using the power of manual process and an army of rules) or replaced entirely with a modern (and potentially costly) system.
Startups will benefit from their lack of historic data. Regardless of your current size, you have an opportunity to be good stewards at the outset and embrace CCPA-compliant systems, which can also integrate potentially stricter cyber and privacy requirements in the future. And remember, if you maintain data of EU residents, you’ll want to apply the even stricter privacy guidelines of the GDPR to your cyber operations.
If you do it right, CCPA can be a boon for your organization, particularly in today’s age of consumer mistrust.
What data is covered?
The law applies to your data of California consumers, regardless of where your company is located. It doesn’t matter if you do business out of Florida or Finland: If your data list includes residents of California, you must manage that data in compliance with the CCPA or face possible fines and penalties for noncompliance.
Can I anonymize data instead of deleting it?
Yes. If you de-identify, aka anonymize, data so that it cannot be linked to the consumer, then you have converted it to non-personal information, on which the CCPA does not impose restrictions. The CCPA relates only to personal information. Therefore, if a consumer asks you to delete or stop sharing their personal information, you are not obligated to delete or stop sharing anonymized data used for business purposes.
Surely, the buzz is only going to get louder as we approach the go-live date of the act. To date, according to the panelists, about 65 percent of companies haven’t started preparing for the CCPA. But there’s still time: Even though the law starts on January 1, it won’t be enforced until June 2020, at the earliest.
Public comments were received at public forums held during 2018 and 2019 as part of the preliminary rulemaking process. Additionally, the California Department of Justice (DOJ) received comments via email and post mail through March 8, 2019. The California DOJ anticipates publishing the proposed procedures and guidance in the fall of 2019, which will help businesses better understand how to integrate CCPA compliance into their operations.
Special thanks to our panelists and the event’s sponsors:
Raj Raghavan. CEO @ Credio
Raj Raghavan is the CEO of Credio, Inc. Credio, Inc. is focused on privacy with an emphasis on data protection. Credio, Inc. is proud to champion the women in privacy movement.
Raj has spent the last 20 years helping large corporations protect their digital assets while enabling business transformation. Raj believes in a balance of cybersecurity and privacy with business impact to ensure the investments are made in the relevant initiatives.
Raj has also worked on social projects in Asia and Africa on micropayments funded by the Gates Foundation.
Carrie Rasmussen. Chief Information Officer (CIO) @ Save Mart Companies
Carrie Rasmussen is a technology leader experienced in technology innovation. She is responsible for helping to define The Save Mart Companies’ long-term strategic direction, ensuring that the IT organization is aligned and executing to achieve the company’s business goals. She is the company’s ‘go-to’ leader for creating highly motivated teams that can respond to fast-paced, changing demands. She has 20 years of progressive executive leadership experience in back office, supply chain, marketing and retail technology.
Tom Myers. Data Compliance Director @ FocusVision
During Tom’s 18+ year tenure with FocusVision he has been actively involved in helping market researchers through the increasingly complicated world of privacy related rules, guidelines and laws. In 2007, when research respondent privacy became the hot topic for market researchers, Tom understood that tackling this subject head-on was the only way to avoid confusion, misinterpretation and, ultimately, research paralysis. When GDPR became law, Tom took on the director of compliance role to focus on privacy law and is once again encouraging clients to engage in “the privacy conversation”. Given that most new laws are intentionally ambiguous, and CCPA is no exception, clarity is the key factor to taking correct and appropriate action.
Travis Killion. Director of Digital Product Management @ Albertsons Companies
Travis Killion is an executive who has been working with Internet technologies for over 20 years. The majority of the first decade was in software development and the second decade in product management. Regardless of the focus, Travis has always kept the customer at the center of the thought process in order to connect technology and business to create great customer experiences and business outcomes. The business domains have spanned from Realtor.com and creating the first online MLS aggregated search, SmartZip.com for using data to help provide insight into real-estate purchases, oDesk.com (now upwork.com) for helping form the online consulting platform, and at Albertsons building a world-class loyalty platform where digital technologies meet brick and mortar stores. In every case, data has been the foundation to build upon.
Lisa Hawke. VP Security & Compliance @ Everlaw
Lisa Hawke is the VP Security and Compliance at Everlaw, a legal technology company based in Oakland, CA with operations in North America, Europe and Australia. At Everlaw, Lisa is responsible for the company’s security, privacy and compliance program development and implementation. She created and scaled the program as the company grew from 25 to over 160 people, and achieved SOC 2 Type 2 certification in Security, Privacy, Confidentiality and Availability as well as FedRAMP In Process. She is admitted to the bar in New York and Massachusetts and a Board Member and Vice-Chair of Women in Security and Privacy (www.wisporg.com). Follow her on Twitter @ldhawke.
The only insights software technology company that can bring you close enough to your customers to have full understanding of how they think, feel and act.
At L&E we make connections to create conversations that help our clients make better decisions, allowing us to give back to our communities and grow our connections. Since 1984, L&E has successfully recruited consumers, healthcare professionals, and business professionals for virtually every type of market research project. We believe great conversations are facilitated by a combination of human talent and technology. Discover our top-notch facilities in Austin, Charlotte, Cincinnati, Columbus, Denver, Kansas City, Minneapolis, Raleigh, San Francisco – East Bay Area, St. Louis and Tampa.