In four months, on January 1, 2020, the California Consumer Privacy Act (CCPA) takes effect. It is deemed the most comprehensive general data bill of its kind to pass in the United States, and it’s keeping marketers on their toes.
If your business collects personal data on California residents, you may need to adjust how you do so. Unlike GDPR, CCPA sets minimum requirements that a company must meet before it is required to comply.
Companies in scope must meet one of these requirements:
- Generates an annual gross revenue in excess of $25 million;
- Derives at least 50% of its annual revenue from selling California consumers’ personal information; OR
- Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices.
If your company does not meet one of these minimum requirements, don’t consider yourself out of the woods completely. If your company is looking to grow, you might reach this amount quickly. Further, many customers and investors expect companies to be compliant. Potential loss of customers and investment dollars could be at stake.
Next, the company must decide whether it will comply with CCPA for only its customers in California or for all customers.
Marketers need to understand the definition of personal information. It’s different than the typical definition of personally identifiable information used in a data breach scenario or what’s often considered in a digital campaign. Those often called “anonymous identifiers” are no longer anonymous.
Under CCPA, personal information is expanded and broadly defined. Personal information includes, but is not limited to, geolocation data and inferences extracted from data, unique personal identifiers, browsing and search history, biometric data, professional or employment-related information, psychometric data, audio, visual data, and IP addresses.
CCPA has specific requirements for data that is sold. First, it’s important to understand that the definition of sale is not just the typical “sold data for a dollar.” “Sale” is defined by CCPA to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”
CCPA requires businesses to notify consumers about the type of data they collect, both in privacy policies and in response to specific requests. Do you know where your data is? Do you know what kinds of information you’re collecting? Is it on a form? Is it on the website? Is it a questionnaire? Do you record the conversation? Is there a video? Who handles the data? Do you have service providers? Are you on AWS? Are you on some other type of database?
CCPA grants consumers a right to know the categories and specific pieces of personal information that a business has within the past year collected, sold to a third party, or disclosed to another person for a business process. These requests must be honored within 45 days with possible extensions.
Companies must know what personal data they collect, whether it qualifies under the definition of “sold,” and how it is used, and they must be able to honor an individual rights request. To do this successfully, companies must create and maintain a data inventory that outlines the flow of personal data in the company.
This data inventory is the foundation of complying with CCPA as it will help shape the privacy notice, individual rights process and policy, and ensure that data is properly protected, among a variety of other requirements.
Knowing what data the company has will help eliminate any duplicate processes and identify areas of opportunity – leveraging better tools or existing data sets such as opportunities for personalization.
CCPA pushes companies to focus on the data they have and create transparency with customers. This foundation of trust will yield stronger customer relationships over time.
How can your business prepare?
- Identify key marketing stakeholders familiar with data collection, use, and sharing
- Document data processing activities for the data collected, used, disclosed and/or sold
- Review if you need to make any process or technological changes to comply with the law
- Determine how individual rights requests will be honored and test this process
- Discuss how any third-party agreements will need to be updated.
To hear more from Jodi in person, be sure to join us for Connect to Convert at the Westin Boston Waterfront, September 25-27, where Jodi will be speaking on Data Privacy and also Consumer Privacy Laws.