New Year, New Regulations: The California Consumer Privacy Act (CCPA)
New Year's Day will come with more than just empty champagne bottles. On January 1, 2020, the California Consumer Privacy Act (CCPA) goes into effect. Revisions, already being referred to as CCPA 2.0, are under discussion, so the law will only become more demanding over time. Brands still have time to prepare, though: enforcement of the initial law does not begin until July 1, 2020. The CCPA is meant to give consumers more visibility into how brands collect, use and sell their personal data.
Table of contents
01 CCPA and GDPR
02 The CCPA Deconstructed
- Who does the CCPA regulate?
- What rights does it give consumers?
03 Business Responsibilities Under the CCPA
- Provide notice
- Privacy policy
- Handling of requests
- Training and request records
- Strategic data collection
04 Cost Estimates for the CCPA
05 How Brands Can Best Approach New Regulations
CCPA and GDPR
You may remember the General Data Protection Regulation (GDPR) that took effect in May 2018. The CCPA is similar to the GDPR in that both give consumers more transparency into and control over the use of their personal information. However, they are not identical. If your business is GDPR-compliant, that does not necessarily mean you are already in compliance with the CCPA.
The CCPA Deconstructed
Who does the CCPA regulate?
The CCPA applies to any for-profit business that does business in California, collects California consumers' personal information, and meets at least one of the following thresholds:
- Annual gross revenue above $25 million
- Buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices annually
- Derives 50% or more of its annual revenue from selling consumers' personal information
What rights does it give consumers?
At its core, the CCPA gives consumers more rights around access to, deletion of, and sharing of the personal data that companies hold on them. People can submit these requests by phone, email or letter. Under the CCPA, consumers have a right to know what you know about them, how it was obtained, how your business uses it, and who else has access to it. They also have the right to say no to the sale of their information without facing any negative repercussions: a business may not charge more or provide less because of a customer's privacy choices. In terms of deletion, consumers also have a right to be forgotten. Simply put, they can request the deletion of the personal data a business holds on them.
Business Responsibilities Under the CCPA
If you would like to read the 24-page draft regulations from the California Office of the Attorney General, you can find them here. Otherwise, here is what you need to know in simpler terms:
Provide notice
The first item on the list is that businesses must notify consumers that their personal data is being collected, at or before the point of collection. This notice must be conspicuous, written in plain language, readable on different screen sizes, translated into every language in which the company ordinarily does business, and accessible to consumers with disabilities (or, if it is not, it must explain how a consumer with a disability can obtain it another way). The notice also has to tell consumers the purposes for which their data will be used and, where data is sold, provide a "Do Not Sell My Personal Information" option. A business that sells personal data it did not collect directly is still accountable for the consumer's permission. It can either notify those consumers directly and give them the option to opt out, or contact the source that collected the data and confirm that the data was collected in accordance with the CCPA. Only businesses that do not sell personal information, and say so in their privacy policy, are exempt from providing the opt-out notice.
Privacy policy
Under the CCPA, a business must fully disclose its online and offline practices regarding consumer data, and must describe the consumer's rights, which include:
- The right to know what personal data a business holds on them, where it came from, how it is used, and whether it is sold.
- Disclosure of the categories of consumer data the business has collected during the previous 12 months and whether it has disclosed or sold that information to other parties.
- The right to have their data deleted on request.
- Additional rights, including opting out of the sale of their information and non-discrimination for exercising their privacy rights.
Handling of requests
Businesses must provide at least two methods for a consumer to submit a request to know or a request to delete. One of these must be a toll-free phone number. If the company operates primarily online, one method must also be available through its main website. If a customer submits a request incorrectly, it is the organization's responsibility to tell the customer what to change so that the request can be processed. From the day a request comes in, the company has 10 days to confirm receipt and 45 days to fulfill it. Before fulfilling any request, the company must verify the requester's identity: a request to know or to delete that is honored for an impersonator is itself a data breach, so identity verification is the control the whole process rests on. One note on disclosure: for sensitive fields, a business confirms only the category of data it holds, not the value. For instance, it can tell a consumer that it holds their date of birth or Social Security number, but it must not send back the actual date or digits, since those details pose a greater security risk if they reach the wrong person.
Training and request records
It goes without saying that anyone on your team who handles consumer requests or sensitive consumer data must be trained on the CCPA's requirements. Furthermore, records of every request your business receives and how it responded must be kept for at least 24 months.
Strategic data collection
Not to worry: the CCPA does allow businesses to take a marketing-forward approach to these new rules. Businesses may offer consumers an incentive, such as a discount code on subscribing, in exchange for permission to collect or sell their data, as long as the incentive is disclosed. What they cannot do is the reverse: penalize people who want to keep their data private.
Cost Estimates for the CCPA
Whenever a regulation is estimated to have an economic impact of $50 million or more, California state agencies must conduct a Standardized Regulatory Impact Assessment (SRIA). In this case, the SRIA predicts that complying with the CCPA will cost businesses between $467 million and $16,454 million over the period 2020 to 2030.
How Brands Can Best Approach New Regulations
There are two ways to approach a new regulation such as this one (or the GDPR). Take a look at this infographic from Marketo. It shows what happened when businesses across the globe took either a marketing-first or a legal-first approach to becoming GDPR-compliant.
“Marketing-first businesses who are putting the customer front and centre are doing better than those who are merely aiming to be legally compliant.” - Marketo
New regulations do not have to mean substandard customer experiences. There are ways to become compliant while maintaining your branding and the overall sign-up experience for new customers. Implementing compliance is an opportunity to build trust with your customers through transparency.
The CCPA is only the first of these laws in the US. Colorado is already drafting its own version. Even though there are (or will be) multiple regulatory regimes around personally identifiable information (PII), I recommend that brands comply with the strictest one, so that the others are covered as well.
If the CCPA applies to your business, set up your new-subscriber and new-customer sign-up forms accordingly. Explain how data will be used and sold, and include the "Do Not Sell My Personal Information" option. Start an official log of every customer request that comes in so that you keep accurate records. This regulation is also an opportunity for marketers: consider a strategy that incentivizes people to share their data, think about how you will take a marketing-first approach, and use this as a chance to advance your business objectives.