What is CCPA?
If you are a marketer or digital marketer doing business with customers in California, the California Consumer Privacy Act (CCPA) will change the way you collect, protect, and use the personal information of Californian residents. CCPA went into effect on January 1st, 2020. It mandates protections for consumers against having their personal data sold and outlines the protections organizations need to prevent data breaches. CCPA has similarities with the General Data Protection Regulation (GDPR), which went into effect in 2018, but focuses on different areas of privacy regulation.
The main question many businesses have is whether they are subject to CCPA's privacy mandates. The business requirements for CCPA are as follows:
- Businesses with gross annual revenues over 25 million OR
- Businesses that annually buy, sell, or share, for commercial purposes, the data of 50,000 or more California devices, consumers, or households
- Businesses that earn 50% of their annual revenue selling California consumers' personal information
That is the law as outlined; the reality is that any organization storing, processing, selling, or sharing personal information of a California resident is subject to CCPA.
What are the penalties for violating CCPA?
At first glance, the fines for violating CCPA do not appear to be severe. The Attorney General has significant latitude in setting the fines, but expect a civil case within 30 days of being notified that your organization has violated CCPA. The fine is anywhere from $2500 to $7500 per occurrence. Imagine: one record costs a maximum of $7500, but 1,000 records cost $7,500,000.
What rights do consumers have?
Under CCPA, consumers have the following rights:
- Insight into what kinds of information organizations are collecting, selling, sharing, and using
- The right to opt out so organizations are unable to use your personal information
- The right to be forgotten
- The right to privacy, protecting the consumer from discrimination for exercising CCPA rights
- Disclosure of personal information traded and sold
The privacy act also outlines punishments for organizations that are breached or fail to follow the mandate. CCPA has a global reach in that any company processing information of a Californian resident is liable.
The Marketer's CCPA Checklist
When it comes to marketers and awareness of CCPA, knowing the above information is an important baseline. Now, the question is, what really matters to you and your agency? There are five key concepts that you need to master in order to stay on the right side of compliance:
- Designate a tiger team – You need a team of industry professionals who have experience protecting data and understand regulations. The team doesn’t necessarily need to be information security professionals, but they will have the right skillset. The team should be made up of individuals who can set policy and direction for the organization.
- Review your existing database for California residents – Check whether your database has California residents in it. While solid data governance processes should be standard, if you aren’t doing business with anyone in California you can spend your time doing something else, like performing a valuable database health check. Put in place a process to check for this information on an ongoing basis; compliance, after all, is not a one-and-done initiative.
- Overhaul your data collection, retention, and deletion practices – When it comes to collecting, retaining, and deleting consumer data, many firms will have to go back to the drawing board. Automation and orchestration are essential to managing the demand from end-users to verify what you are doing with their information and to empowering them to delete themselves from your database.
- Take special care with buying and selling information – Be careful when buying or selling information. When buying or selling, make sure the data follows CCPA, as you are liable for it. Purchasing information is especially risk-prone because you do not always know how or why it was collected.
- Analyze how many records you possess meeting the CCPA criteria – Calculate your potential risk exposure based on the number of records. Remember, CCPA penalties are based on the number of exposed records. Keep in mind your agency’s size and relative exposure, and do a risk calculation based on the number of records in your possession and the potential fine.
- Be proactive instead of reactive – Don’t wait for an incident to happen to you. Make sure that customers and prospects have an easy time managing the information they have entrusted to you. Train your staff on CCPA, what is expected and why, and have an ongoing training plan to keep them up to date on changes to process or policy.
What is considered personal information under CCPA?
Personal information under CCPA:
- First, middle, and last name
- Street address, email address
Sensitive Information under CCPA:
- Race, ethnicity
- Political and religious views
- Trade union membership
- Physical or mental status
- Sexual orientation
What additional data can be collected under CCPA?
- Browser history (sourced from places like LinkedIn and Google)
- Product preference
- Previous purchases
- Likes, interests, and other personal data
Marketing and digital marketing in the post-CCPA era will take a few small adjustments to stay in compliance. Various data privacy standards are hitting the market, and more states and countries will follow CCPA and GDPR. The key to CCPA is a sound data collection and handling strategy along with following data privacy regulations.
Marketers need to create better processes around maintaining records and to have solid policies. Marketing automation and orchestration capabilities will set an agency apart from others and get it known for easy information handling and for being compliance-minded. Marketers that put data strategy first will be the ones that keep themselves out of situations where fines are even a possibility.