Getting CCPA Compliant in California
In 2018, sweeping regulations on using consumer data, known as GDPR, went into effect in the EU. Starting on January 1st, 2020, California follows suit with its own set of data privacy regulations, known as the California Consumer Privacy Act, or CCPA. What is in the CCPA? How is it different from the GDPR? And what do you need to do for your business to be CCPA compliant? Read on to find out!
WHAT THE CCPA DOES
Simply put, the CCPA allows for consumers to have more control over the collection of their personal data in the state of California (which by the way, is the most populous state in the US, and, if it were its own country, would have the 5th largest GDP in the world). As the bill (also known as AB 375) states:
Beginning January 1, 2020, the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.
The bill offers transparency and more control over how consumer data is used and affords legal action for California’s citizens to take if regulations are not met.
WHO THE CCPA EFFECTS
If you run campaigns or market in California, you must be compliant with the CCPA, even if your business is located in another state or even another country. To be more specific, here are the criteria for your company to fall into the confines of the CCPA: A for-profit company that does business in California and fits into one or more of these categories:
- Generates a gross revenue of $25 million or more
- Shares or receives personal data of more than 50,000 individuals
- Earns at least 50% of its yearly revenue by selling the data of California residents
Chances are, if you are marketing to customers in the US, you probably want to make yourself CCPA compliant.
The bill is far-reaching (we suggest you read the whole thing) and may be amended, but here are some of the relevant points:
- Consumers have a right to know what personal information (such as names, real and online addresses, social security numbers, geolocation, biometrics, purchasing histories, etc, and any profiles created with this data) a company is collecting about them, AND for what purpose
- Consumers have a right to access this data
- A footer must be clearly visible on websites that offer the consumer the option of opting out of data sharing
- Individuals can opt-out of all or part of a company’s data collection, and can choose what (if anything) gets shared with 3rd parties. This means that your data must be highly structured, categorized, and easily deletable.
- Consumers have a right to receive equal service and price whether or not they opt out of data collection
- However, a company CAN provide incentives to consumers if they agree to share their information
- For the first time, a CA individual has a right to proceed with class-action lawsuits for damages if they believe their data is not being handled according to the CCPA guidelines.
- Individuals can sue regardless of whether there are data breaches
- If a data breach does occur, penalties of $100-$750 or actual damages (whichever is greater) can be assigned to companies per consumer per incident
- Companies have 30 days to comply when they are notified of a violation. If the violation is not resolved, a fine of up to $7,500 will be enforced.
One last thing to note: a consumer has the right to receive all information a company has on them from the last 12 months of the request. And the CCPA goes into effect on January 1st, 2020. That means companies should already have their data tracking systems in place by now. If your company has not yet done so, we suggest you get started…
HOW IS CCPA DIFFERENT FROM GDPR?
In many ways, CCPA is very similar to GDPR. That’s great news if your company is already GDPR compliant. However, there are some key differences. CCPR allows California individuals much greater access to their data records than their EU counterparts. And, in terms of responses to data breaches, CCPA is actually more lax. There are slight differences throughout, and fortunately, we’ve created a chart if you’re looking for a quick rundown!
HOW TO BE CCPA READY
The best thing your company can do to be CCPA-ready is to adopt a system that allows for data to be aggregated, managed, and deleted.
Lineate’s Consent Manager makes this process simple. Initially designed as a tool to help businesses prepare for GDPR, Consent Manager “allows brands to give customers access to their data while providing a central way of managing, tracking, and optimizing for consent collection on an operational level.” In other words? Consent Manager makes it easy for brands to provide consumers the ability to access, limit, or erase their data from a company’s database as outlined in the bill.
This tool also ensures safer campaigns by allowing brands to layer opt-in preferences into segments that are used in campaigns (i.e. ensuring that any customers who’ve opted out of display ads but are fine with email are sorted accordingly). Plus, Consent Manager provides high-level reports on customer consent by channel and device to give marketers a concrete idea of where consent messaging works and where it isn’t.
To explore the Consent Manager and prepare your brand for the CCPA, schedule a call now!