Happy New Year: The CCPA is Officially Here
The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020. CCPA is reported to be among the most restrictive data protection and privacy laws passed anywhere in the U.S. The CCPA is a state-level law intended to enhance and protect consumer privacy rights for California residents, who represent 12% of the US population (~40M).
What’s the difference between CCPA and GDPR?
While there are some similarities between the California Consumer Privacy Act and General Data Protection Regulation (GDPR), they differ in certain areas:
- COMPLIANCE: GDPR applies to all companies; the CCPA applies only to businesses that satisfy at least one of the following conditions:
  - Has annual gross revenue of more than $25 million
  - Buys/sells personal information of 50,000 or more consumers
  - Earns at least 50% of its income through selling consumer data
- OPT-OUT: The CCPA is opt-out and companies must include an opt-out link on their website(s). Moreover, individual consumers need to make the effort to opt-out if they don’t want their data collected or stored by a business. As a result, CCPA may not have the same negative impact on marketing databases as the GDPR changes.
- SANCTIONS: Violations of the CCPA can carry a sanction of up to $7,500 for each intentional violation and $2,500 for each unintentional violation; GDPR has a ceiling of 4% of a business’s global annual revenue.
What does this mean for consumers?
CCPA protects consumers from having their personal data used and sold. The CCPA’s protections guarantee California consumers several fundamental rights:
- KNOWLEDGE: Know what kinds of personal information are being collected about them, and whether their personal data is being used, sold, or disclosed, and to whom
- OPT-OUT: Consumers have the right to opt-out so that a company cannot sell any of their data
- DELETION: Consumers can request to have their data deleted
- ACCESS: Receive equal service with no penalties for privacy, protecting the consumer from discrimination for acting on CCPA rights
What are social media platforms doing to comply with CCPA?
Social media platforms, including Facebook/Instagram, Twitter, and LinkedIn, have updated their privacy policies to reflect the new requirements of the CCPA.
Platforms like Facebook also provide users with the ability to request all their personal data that’s been shared with the platform and the ability to select what kind of data gets shared about them on the platform. The alternative option for users is to delete their account altogether.
What does this mean for businesses?
- Must honor consumer requests to opt-out of data collection and/or erase personal data collected, under certain conditions
- Make data available upon request, free of charge to the consumer via mail or email
- Must provide information on data selling, including who they sell to, how, and why
- Must continue providing products and services to all consumers, even those that have chosen to opt-out
What are the sanctions for companies that don’t comply with the CCPA?
Businesses that do not comply with CCPA can be fined between $100 and $750 per consumer for violations. Fines can reach up to $7,500 for each intentional violation and $2,500 for each unintentional violation.
How can your business be CCPA ready?
- Update privacy policies that include CCPA standards and are easy to find on your website and other digital properties
- Highlight the kinds of data you collect, how the data will be used and if any data is shared with a third party
- Notify your customers that you’ve updated your practices to align with CCPA (possibly via email blast)
- Develop opt-out policies that allow your customers to opt-out from data collection
- Make sure your data collection marketing campaigns (CRM, SEM, etc.) are up to CCPA standards
- Ensure you can delete consumer information
- Audit vendors and contractors to ensure they are CCPA compliant
CCPA provides enhanced consumer rights to California residents and it is the first comprehensive consumer privacy law passed in the United States. It is inevitable that other states will adopt similar consumer privacy laws. Adapting to CCPA will be slow for most companies, but there is still time to get compliant: CCPA has a six-month grace period following the 1/1/2020 activation date. Take the next few months to assess your CCPA readiness and ensure that all impacted areas of your business are covered.