What Is CCPA?
If you are a marketer or digital marketer doing business with customers in the state of California, the California Consumer Privacy Act of 2018 (CCPA) will change consumer data privacy laws and the way you collect, protect, and use the personal information of California residents.
CCPA went into effect on January 1st, 2020. It mandates protections for consumers against having their personal data sold and outlines the protections organizations need to prevent data breaches.
California’s new privacy law has similarities with the European Union’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) but focuses on different areas of privacy regulations.
The main question many businesses have is whether they are subject to CCPA regulatory privacy law mandates. The business requirements for CCPA are as follows:
- Businesses with annual gross revenues over 25 million OR
- Businesses that annually buy, sell, or share, for commercial purposes, the data of 50,000 or more California devices, consumers, or households OR
- Businesses that earn 50% of their annual revenue selling California consumers’ personal information
With the law outlined, the reality is that any organization storing, processing, selling, or sharing the personal information of a California resident is subject to CCPA.
What are the penalties for violating CCPA?
At first glance, the statutory damages related to violating CCPA compliance requirements do not appear to be severe. The California Attorney General has significant latitude in setting the fines, but you can expect a civil case within 30 days of being notified that your organization has violated CCPA.
The exact fee structure is anywhere from $2,500 to $7,500 per occurrence. Imagine one record costing a maximum of $7,500 but 1,000 records costing $7,500,000.
What rights do consumers have?
Under CCPA, consumers have the following rights:
- Opt-out rights and access request rights for the information that organizations are collecting, selling, sharing, and using
- The right to make a consumer request to opt out so that organizations are unable to use your specific pieces of personal information
- The right to be forgotten
- The right to privacy, protecting consumers’ rights and shielding them from discrimination for leveraging CCPA actions
- Disclosure of personal information traded and sold
The privacy act also outlines punishments for organizations that are breached or fail to follow the mandate. CCPA has a global reach in that any company processing information of a Californian resident is liable.
The Marketer’s CCPA Checklist
When it comes to marketers and awareness of CCPA, knowing the above information is an important baseline. Now, the question is, what really matters to you and your agency? There are five key concepts that you need to master in order to stay on the right side of compliance:
- Designate a tiger team – You need a team of industry professionals who have experience protecting data and who understand regulations. The team doesn’t necessarily need to be information security professionals, but they will have the right skillset. The team should be made up of individuals who can set policy and direction for the organization.
- Review your existing database for California residents – Check whether your database has California residents in it. While solid data governance processes should be a standard, if you aren’t doing business with anyone in California you can spend your time doing something else, like performing a valuable database health check. Put in place a process to check for this information on an ongoing basis; compliance, after all, is not a one-and-done initiative.
- Overhaul your data collection, retention, and deletion practices – When it comes to collecting, retaining, and deleting various categories of personal information,
- Utilize compliance software – Automation and orchestration are essential to managing the demand from end-users to verify what you are doing with their information and empowering them to delete themselves from your database.
- Take special care with buying and selling information – Be careful when buying or selling information. When buying or selling, make sure the data follows CCPA, as you are liable for it. Purchasing information is especially risk-prone because you do not always know how or why it was collected. It’s your customer’s right to say, “do not sell my personal information.”
- Analyze how many records you possess meeting the CCPA criteria – Calculate your potential risk exposure based on the number of records. Remember, CCPA penalties are based on the number of exposed records. Keep in mind your agency’s size and relative exposure to do a risk calculation based on the number of records in your possession and the potential fine.
- Be proactive instead of reactive – Don’t wait for an incident to happen to you. Make sure that customers and prospects have an easy time managing the information they have entrusted to you. Train your staff on CCPA, what is expected and why, and have an ongoing training plan to keep them up to date on changes to process or policy.
What Is Considered Personal Information Under CCPA?
Consumers’ personal information under CCPA:
- First, middle, and last name
- Street address, email address
- Social Security Number
- Credit card data
- Geolocation data
- IP Address and similar identifiers
- Driver’s license number
Sensitive Information under CCPA:
- Race, ethnicity
- Political, religious views
- Trade union membership
- Physical or mental status
- Sexual orientation
What additional data can be collected under CCPA?
- Browsing history (sourced from places like LinkedIn, homepage, and Google)
- Product preference
- Previous purchases
- Likes, interests, and other personal data
Marketing and digital marketing in the post-CCPA era will take a few small adjustments to stay in compliance. There are various data privacy standards hitting the market, and more states and countries will follow CCPA and GDPR. The key to CCPA is a sound data collection and handling strategy along with following data privacy regulations.
Marketers need to create better processes around maintaining records and having solid policies. Marketing automation and orchestration capabilities will set an agency apart from others and get them known for easy information handling and being compliance-minded. Marketers that put data strategy first will be the ones that keep themselves from getting into situations where fines are even a possibility.