New year, new laws. Beginning on January 1st, the CCPA went into effect. This is the first law in the U.S. to enact rules around consumer data and surely won’t be the last. What exactly is this law, and how will it affect your business?
What Exactly is the CCPA?
The California Consumer Privacy Act (CCPA) is a law that was passed by the California State government in 2018. Created with the intention to protect consumers, it requires businesses to be transparent about their use of consumer data and imposes penalties on companies that do not properly protect consumer data. This law went into effect on January 1, 2020 – with enforcement starting mid-2020.
What are Consumers Rights Under the CCPA?
The CCPA allows consumers the “right to know” and the “right to say no”. This means that they have the right to see what data has been collected on them and who that information was shared with. They can also request to have their personal data deleted from company records, and opt-out of future data selling to 3rd parties. Other rights include:
- The right to fair treatment.
- Businesses cannot discriminate against consumers who opt-out of the sale of their personal data.
- Consumers over the age of 16 must opt-out of the sale of their personal data
- Consumers between the ages of 13 and 16 must opt-in for their information to be sold.
- Consumers under 13 must have a legal guardian opt-in for their information to be sold.
- Any time a business collects a new piece of personal information or uses personal information for a new purpose, they must notify the consumer and give the consumer a chance to opt-out.
Does the CCPA Affect Me?
Even if your business is not based in California, this law could impact you if you do any business with California residents. Specifically, this law applies to you if you do business in the state of California and meet any of the following criteria:
- You generate more than $25 million in revenue annually
- You collect information on 50,000 or more people, households, or devices
- You make more than half of your revenue from selling consumer data
It is important to ensure your compliance with this law, as it creates new opportunities for consumers to seek class-action damages and state-imposed damages via lawsuit.
The CCPA Affects My Business, Now What?
The level that the CCPA will impact your marketing really depends on how you use customer data. Does your company do any of the following:
- Create numerous look-alike audiences in platforms like Facebook and LinkedIn?
- Rely on an email list for a large portion of your marketing?
- Buy or sell personal data?
If your answer to any of these is yes, then there is a large potential impact on your business. A California customer can decide that they want you to delete their personal data at any point and then you will lose that data and its usefulness. If you do not rely on these things, then your marketing won’t see the effects of the CCPA and continue to run as usual.
Data Management Tips for CCPA
If you have a way to safely store customer data, then that is likely the best option for your business. By keeping your own customer data you do not have to worry about disclosing a trail of people who have the data if a customer requests to know that information. You also eliminate the risk of having to change your practices if a new, stricter law is passed. However, if you do not feel that you can safely store customer data, then it is likely best to have someone else collect and store data for you. If you do try to store customer data and that data is stolen, then you could be looking at a lawsuit.
Next Steps as a Business
In order to comply with the CCPA, you will need to ensure that you have a few items on your business website:
- A privacy policy that includes information about what exactly is being collected and why.
- A way for a consumer to request the personal data the company has collected and information on how to have that data deleted and how to opt-out of information being collected in the future.
- If your business sells or discloses personal information to any party beyond contracted service providers, you will need to provide a way for your consumers to opt-out.
- If your business gives any sort of financial incentive for personal information collected, you will need to explain what the incentives are in terms of services and price and how they can opt-in or out at any point.
- If your business has carry-out rights requests, then you will need to explain how the process is handled internally and what the process entails for the consumer.
- If your business works with vendors or any other company that qualifies as a “service provider” you will need to clearly outline this.
You can read more information about each of these items here to ensure that you are fully complying. You can also seek the opinion of the California Attorney General on how your business can comply with the law. Regulatory Compliance will not only help your business avoid fines but can also help boost consumer trust in your business!
*Please note, we are not lawyers – research the law to the full extent to ensure full compliance for individual business needs and seek legal counsel with any questions that may arise.