The California Consumer Privacy Act (CCPA) will come into effect on January 1st, 2020. That leaves businesses and organizations, like yours, that market to California consumers less than one year to make the relevant changes to the way they manage online personal data and to ensure that they abide fully by the new legislation. Meant to be an effective replacement for a much broader privacy law that was on the state ballot for November, the CCPA has been likened to Europe’s General Data Protection Regulation (GDPR).
We can say that CCPA is poised to disrupt many data-driven businesses in the state. California’s decisions about consumer privacy are likely to have lasting and pervasive effects as this law becomes more well-defined. It is worth mentioning that before the requirements of this law go into effect in January 2020, you should know and understand what CCPA is, how it is applicable to your business, what steps you need to take to comply, and how it may change your job.
What is the CCPA?
The California Consumer Privacy Act is one of the most stringent privacy laws in the U.S., and it is also the most comprehensive privacy law in the country. The law will implement guidelines on personal information collection as well as post-data-acquisition data usage by various businesses. The CCPA requires businesses to tell customers what data they are collecting and gives consumers the legal right to say no to the sale of confidential information.
California will be the first state in the country to roll out this expansive and comprehensive data protection regulation. You should know that the CCPA is targeted to organizations that collect and/or sell personal information, such as insurance companies. The act is designed to provide the residents of California more control over their personal data. We can argue that the CCPA and GDPR have some similar principles, particularly in terms of extensive rights for individual customers, and extraterritorial scope, but there are some differences as well.
To Whom Does The CCPA Apply?
The law is applicable to businesses that:
- Have yearly gross revenues of more than $25 million
- Annually buy, receive for the commercial purposes of the business, sell, or share for commercial purposes, either alone or in combination with other businesses, the personal information of at least 50,000 consumers, devices or households.
- Derive at least 50% of their yearly revenues from selling customers’ personal information.
If your business meets one or more of the above thresholds, then you will have to comply with the CCPA. You should keep in mind that CCPA creates numerous exceptions and it is vital that your business performs suitable internal diligence in order to determine if one or more exceptions apply and to what extent.
Rights of Consumers under CCPA
For your business to comply with the act, you need to be aware of consumers’ rights under the act. These rights are:
- The right to know all data that a business collects about you
- The right to decline the sale of your personal information
- The right to know the commercial or business purpose of collecting your information
- The right to request that a business delete your personal data
- The right to take suitable private action against the company in case your personal information isn’t removed after the request.
- The right to know if your information was being stored at any time in a non-encrypted format, like an Excel sheet; if the business does not delete that information upon your request, you can sue.
- The right to be informed about what categories or types of data would be collected about you before its collection, and to be timely informed regarding any changes to this collection
- The right to know the types of third parties or businesses with whom your personal data is shared
- The right to have a mandated opt-in prior to the sale of children’s information (children under the age of sixteen)
What this Means for Marketers
There is no denying that marketers use data within nearly all areas of their role, from email to segmentation, website analytics to A/B testing. Although the results are often scrutinized, keep in mind that the quality of the data is rarely under scrutiny. Tactically speaking, the increasing number of challenges to both third- and second-party data gives marketers a great incentive to invest time and other resources in building their own first-party data.
Also, note that on a broad level, the mounting consumer sentiment which led to the passage of the act implies that marketers must think about the way they can easily bring the value exchange between brands and consumers out into the open and build consumer trust again.
It is worth pointing out that the CCPA does not intend to tie data acquisition and protection initiatives up in red tape; rather, it is designed to regulate them properly. In addition to handing enhanced and more stringent privacy controls to consumers, the act will also strengthen and refine the requirements regarding collecting personal data with more emphasis on when you may collect as well as process data, and how you can secure it.
There are two main ways you could approach the act: as an opportunity to make needed changes or as an onerous piece of legislation. It goes without saying that if your business comes out of this consumer privacy flashpoint with its reputation intact, it is likely to be one of those that go far beyond just the letter of the law while making data transparency its priority.
As industry leaders and government officials continue to make strides toward privacy requirements, you should know that it is imperative that marketers do their own work in order to comprehend their data infrastructure and thoroughly prepare themselves for these new regulations which are likely to shake up their existing strategies.
Achieving CCPA Compliance
To ensure compliance with the California Consumer Privacy Act, businesses should take the following steps:
1. Establish Processes to Facilitate Consumer Requests
Your business needs to implement mechanisms to efficiently and effectively respond to all consumer requests to access as well as delete their personal data and opt out of having the data sold. It is worth noting that although CCPA will go into effect on January 1st, 2020, consumers will have the legal right to their personal information from the preceding twelve months. This implies that your business will have to be prepared to offer this personal information dating back to January 1st, 2019, which highlights the importance of initiating compliance efforts early. Proactive companies will come out on top.
2. Reevaluate all the Data Fields on Your Customer Profiles and Forms
It is clear that the CCPA is an integral part of a major shift towards data transparency. This act spurs companies to make greater and better use of data that they collect directly from their customers, which will help promote compliance with the act. For example, there might be information that you are currently collecting through third parties that you could ask prospects and consumers for directly. It is worth mentioning that longer and more detailed forms can increase abandonment rates; however, smart and progressive profiling can help maximize completion rates if done at the right moments.
3. Bolster Vendor and Partner Controls and Evaluations
Many consumer experiences nowadays are enabled by a variety of APIs and SDKs. A majority of companies are likely to be considerably affected by the data collection, selling and sharing practices of both their vendors and partners under the California Consumer Privacy Act. This creates a need for corporate and legal teams to thoroughly vet all parties that are involved.
If your business buys third-party data beyond what’s publicly available regarding your prospects or customers, it would eventually come to light through a CCPA request. In this case, if you think that your company would not be comfortable explaining that to its customers, then you’re better off halting the practice.
4. Do Not Sell Information about Your Users or Customers
Under the CCPA you are required to maintain a record of all sales for the past 12 months if you intend to sell user or customer information to other companies. In addition to that, you have to provide a “conspicuous and clear” link on your site with a clear call-to-action “Don’t Sell My Personal Information” so that consumers may opt-out of that practice if they want.
And not surprisingly, selling the personal data of children who are sixteen years old or younger carries even more stringent requirements. Of course, such a call-to-action button and various other permission requests are likely to raise security and privacy concerns for potential customers. That being said, your business can avoid the requirement for such a button if you do not sell customer information.
5. Create an Effective Mechanism that Could Delete Consumers’ Information, If Requested
Both CCPA and the European GDPR mandate that all consumers have the legal right to be forgotten. As a result, they can request that any personal data that your business has on them be deleted. Keep in mind that there are some caveats when it comes to what personal data a company can retain for compliance, legal, and business reasons; however, a mechanism must be there to quickly delete all the other personal information about a consumer.
While the changes proposed by the act might seem daunting now, it is important to keep in mind that it is still possible to reach your prospects and consumers in a more courteous way, respecting people who decide not to have their personal data shared while honoring others who are comfortable sharing their data but do want it protected and secured by the company.
It definitely takes a clear methodology and organizational commitment to develop and maintain a robust data ethics program which goes above and beyond government regulation. The promise of transparency and mutual understanding between stakeholders will keep businesses in good light and shouldn’t deter them from creating engaging, meaningful, and relevant marketing and advertising experiences for both customers and prospects.
If you would like to learn more about CCPA and other recent developments related to marketing practices and ethics, join our upcoming event, Operating in the Gray Zones on May 30th.