What ALL businesses need to know about CCPA by WRAP Partners, John Heffernan and Emily Collins, EVC Marketing
Not based in California? Sorry, that get-out clause may not apply.
And that may be just one of the concerns within the myths and madness surrounding CCPA and its impact on US businesses.
The UK and Europe launched their own version of data protection legislation in 2018, the general data protection regulations (GDPR). Much of the hype surrounding its implementation focused on the heavy fines and penalties for non-compliance.
As usual, businesses that acted, reinforced their data protection, and implemented GDPR activities have encountered little change other than the positivity of cleaner marketing databases and more targeted client/prospect marketing interactions.
Where CCPA applies, US businesses ahead of the curve can enjoy the same positive impact.
From June 28, 2018, the CCPA was confirmed in law and, subject to specific criteria, may affect your business, your website, and most importantly, your customers with effect from Jan 1, 2020.
Confused? Actually, the CCPA law is mapped out to confirm if, and when, you need to take action.
Before we start: A brief disclaimer.
We are not providing legal counsel. This content is not intended to be legal advice or counsel and we do not make any warranties or statements regarding the legal acceptability of the information provided.
Any action you may undertake as a result of this content are of your own choosing. We strongly recommend you seek professional legal counsel.
So, what is the CCPA and what is it all about?
The CCPA is about personal rights, personal privacy, and how personal information can be obtained, stored, used and managed by businesses.
Actual enforcement will be effective from July 1, 2020. However, as the law accommodates data access requests concerning personal information dating back 12 months, you need to have your data collection and sharing process in place NOW!
Will CCPA impact your business?
The CCPA applies to your business if:
- You have personal clients in OR process data for people based in California.
- You meet specific business status criteria including:
- You are a for-profit company;
- You have gross annual revenue in excess of $25 million;
- You annually buy or receive, sell or share for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; and
- You obtain 50 percent or more of your annual revenue by selling consumers personal information.
And, if the above criteria apply, the law will be enforced if your business is engaged in the following activities:
- Collecting consumer personal information;
- Collect personal information about a consumer or about consumers;
- Selling or disclosing a consumer’s personal information / data;
- Selling personal information to a third party; and
- Selling consumers personal information to third parties
California Personal Rights provide client transparency
- The Right to know what personal information is being collected about them;
- The Right to know whether their personal information is sold or disclosed and to whom;
- The Right to say no to the sale of personal information;
- The Right to access their personal information; and
- The Right to equal service and price even if they exercise their privacy rights.
Defining “PERSONAL INFORMATION”
- Personal Identifiers;
- Real name, alias;
- Postal address;
- Unique personal identifier;
- Online identifier;
- Internet Protocol (IP) address;
- Email address;
- Account name;
- Social security number;
- Driver’s license number; and
- Passport number.
or other similar identifiers.
Internet or other electronic network activity information, including, but not limited to:
- Browsing history; and
- Search history
As well as information regarding a consumer’s interaction with an Internet website, application, or advertisement. This may be provided where you use web analytics such as Google Analytics.
What are the requirements outlined by the CCPA?
There are a number of CCPA requirements for your business including transparency of data access (right to know) and disclosure (at or before collection).
The Privacy Notice: Displayed on your website must contain the following:
- A description of consumers’ rights to request Personal Information collected/shared/sold;
- A description of consumers’ rights not to be discriminated against for exercising any CCPA rights.;
- One or more designated means for consumers to submit requests, including (at minimum) a toll-free number.;
- A notice of the consumers’ right to request deletion of Personal Information collected/shared/sold and/or opt-out/data erasure processes;
- Information about the transfer and sale of Personal Information to third parties.
- Specifics about the categories of Personal Information collected/shared/sold; and
- A process to object to the sale of Personal Information: Consumers have the right to opt-out of the sale of their Personal Information.
What are the penalties for non-compliance under the CCPA?
The simple answer is to comply and not to worry about penalties!
Penalties under the California Consumer Privacy Act aggregate per violation.
A violation can be designated for each individual consumer record, and these will compound. A non-intentional violation can carry a fine of up to $2,500 per record.
If the violation is found to be intentional, the fine can be up to $7,500 per record.
The law also gives the right to individuals to file private actions, which can further drive up penalties.
What are cookies and why do they matter?
Quite simply, a cookie is a data file set by a website onto your computer.
They allow the website to store information during your site exploration. This information can include your history on the site, and page views and interactions.
Using cookies in this way allows businesses to intelligently track consumers around the internet based on interests, engagement and related past content.
Preparing for the CCPA: 5 steps your company should be taking now
- Check whether or not the CCPA applies to your business;
- Understand what platforms are loading across your web properties. Note: Under the CCPA, your website, where data is being collected, is responsible for all Personal Information collected, shared, and sold from the site including third-party platforms.
- Understand what (and possibly why) data is collected by each platform;
- Identify, for each platform, if any of the data points collected are considered “Personal Information”; and
- For any platform collecting “Personal Information,” map the data and ensure all requirements under CCPA are being met.
When data is collected, you need to determine where this data is going, how it is used and how required protections are being complied with.
Where CCPA applies you need to take action now.
Be prepared well in advance of January 2020
CustomerCount and the CCPA
Bob Kobek, president of CustomerCount says: “The CCPA may never really happen, though it is set to kick off in 2020. It is a very watered-down version of the first iteration. At last count, there were 27 different pieces of privacy legislation in the US, meaning 27 different laws. So, it’s very complicated.
“What is a greater priority is to understand the various bills that have been introduced in the Federal Legislature that will eventually be melded into one that will look and smell like GDPR.
“To that end, and to accommodate the state laws, CustomerCount is completely compliant with the GDPR and the likely Federal laws. It is counter intuitive to remove data from a survey tool, but we have found way to comply and retain the intelligence.”
Give us a call today for further information on + 1 317-816-6000 or email Bob directly on firstname.lastname@example.org.