What You Need to Know About CCPA in Early 2020
By: Derek Barka | 12/30/19
There was a lot of confusion and uncertainty surrounding EU-GDPR when it went into effect in 2016. With the California Consumer Privacy Act (CCPA) becoming law on January 1, 2020, we at SilverTech want to help clarify what CCPA means and what action your company may want to take. We’ve heard from several clients with concerns and have laid out some simple plans on how to comply with the new regulations.
First, what is CCPA?
The CCPA guarantees California residents control over their personal information and data collected by any company when they access your website. Californians may request what information you have about them, what type of data your company has collected, what you’re doing with their data, and whether you are sharing it with other parties.
The CCPA applies to any for-profit business that does business in California (including selling to California residents) that also meets one or more of the following criteria:
- Has annual gross revenues greater than $25 million.
- Buys, receives, or sells personal information of more than 50,000 consumers/households.
- Earns more than half its annual revenue from selling consumers’ personal information.
For most organizations, having California customers and/or prospects combined with $25 Million in annual revenue is going to be the deciding factor in requiring compliance with the CCPA. Even if your organization does not meet the threshold, it's still prudent to begin complying as more and more states look to adopt similar data governance laws.
At its core, CCPA does a few things:
- Requires a business to provide a Privacy Policy that discloses how the organization is complying with the CCPA, including the type of information they have on consumers, how they are using the data, and whether they sell consumer data to other parties.
- Gives the consumer the right to request a copy of their personal information.
- Gives the consumer the right to have their information deleted.
- Gives the consumer the right to not have their information sold to third parties.
There’s a lot here, but to make sure you’re in compliance, we recommend following a few important steps.
Steps you may want to take to comply with CCPA.
Step 1: Update Privacy Policy.
First and foremost, with the rules imposed by the CCPA it is a best practice for every organization to have an updated Privacy Policy that details their data collection practices and how they comply with the CCPA. Your Privacy Policy must contain the following items:
- A listing of the new rights afforded to California residents.
- A list of all the categories of personal information that the organization has collected in the previous 12 months. Section 1798.130 of the law defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The section goes on to define categories as:
  - Identifiers such as real names, aliases, addresses, unique online identifiers, IP addresses, email addresses, account names, SSNs, driver's license numbers, passport numbers, or similar.
  - Information including phone numbers, credit cards, employment history, education, insurance information, financial or medical information.
  - Characteristics of protected classifications including race, color, nationality, sex, age, or disabilities.
  - Commercial information including records of personal property, purchase history, or any consuming histories and tendencies.
  - Biometric information.
  - Internet and social media activity such as browsing history, search history, and electronic interactions.
  - Geo-location data.
  - Audio/video data.
  - Professional and employment information.
  - Education information.
  - Inferences drawn from any of the above categories such as consumer profiles, audience inclusion, market segments, aptitudes, or personas.
- A listing of the sources of information for each of the categories defined above.
The CCPA requires organizations to disclose where the personal information was collected. This could be consumer-supplied information from form fills, direct purchases, purchased lists, purchased third-party data, or tracking users via cookies.
- The commercial purpose for each category of information.
In addition to listing the categories and sources of personal information, the business must also disclose the business purpose of each category of information. This could be for marketing purposes, predicting product tendencies, advertising, etc.
- A list of categories of personal information sold.
If your organization sells personal information, you must list all the categories of information that have been sold in the last 12 months.
- Opt-out form.
If you are selling consumer information, you must provide a form for consumers to opt out of the sale of their information. The link must be titled “Do Not Sell My Private Information” and must also be accessible from your homepage.
- A list of categories of personal information disclosed for business reasons.
If your organization discloses personal information for reasons associated with running your business, you must list all the categories of information that have been disclosed in the last 12 months. These reasons may include leveraging third parties for servicing accounts, debugging problems, providing customer service, fulfilling orders, etc.
- Information on requesting a copy of information or deleting information.
Your Privacy Policy must also outline how a California resident can request a copy of their information or request that their information be deleted. You must provide at least two means of submitting the request, and these must include a toll-free number and a webpage (if you have a website). You should also outline the steps your organization will take to confirm the person’s identity once the request is received.
Step 2: Create a data map.
After updating your Privacy Policy, we recommend creating a detailed data map of all personal information your organization maintains. This would outline which systems contain personal information as well as what information is stored in each. It would include your website, cookies, your CMS, CRM, and Marketing Automation platforms, if you have them. Internal data warehouses, ERP systems, and analytics packages could also contain personal information as defined by the CCPA. When inventorying the data, be sure to also identify the category of information as well as its source. This will make adhering to requests later much more efficient.
Step 3: Identify how data will be retrieved and deleted.
Once you have identified where your organization has stored consumer information, outline a process and roles required for retrieving that data when requested as well as deleting it if needed. It’s also important to identify how your organization will verify the identity of individuals before disclosing personal information. CCPA requires that your organization acknowledge receipt of the request within 10 days and adhere to the request within 45 days.
Step 4: Provide submission means.
Finally, create a phone number and online form to allow consumers to submit requests for copies of their data or deletion.
It’s important to note that these regulations also need to be implemented in a manner that is accessible to anyone with a disability and should also be available in all the languages that your business normally supports. If your website is in English and Spanish, your Privacy Policy must also be.
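The four steps above fit together naturally in code: the data map from Step 2 is the single source for the Step 1 disclosure lists (categories collected in the last 12 months, their sources and purposes, what was sold or disclosed, and whether a "Do Not Sell" link is needed), and the same map tells you which systems a verified Step 3 request has to touch. The following Python is an added illustration, not SilverTech's code or anything the CCPA prescribes; the system names, fields, dates and the "10 days to acknowledge / 45 days to respond" arithmetic are constructed from the post's own figures, and the 12-month look-back is approximated as 365 days.

```python
"""Added example (not from the original post): a minimal CCPA data map that
feeds the Privacy Policy disclosures and a request tracker with the 10/45-day
deadlines. All systems, fields, dates and consumers are constructed samples."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DataMapEntry:
    system: str            # where the data lives (constructed, e.g. "CRM")
    data_field: str        # the attribute stored there
    category: str          # CCPA category from the post's list
    source: str            # where it was collected (form fill, cookies, ...)
    purpose: str           # business/commercial purpose to disclose
    last_collected: date   # drives the 12-month look-back
    sold: bool = False     # sold to third parties -> "Do Not Sell" link needed
    disclosed: bool = False  # disclosed to a vendor for a business purpose


# Constructed sample inventory; the ERP entry is older than 12 months on purpose.
DATA_MAP = [
    DataMapEntry("CMS", "email", "Identifiers", "web form", "account login",
                 date(2019, 11, 3), disclosed=True),
    DataMapEntry("Marketing Automation", "browsing_history", "Internet activity",
                 "cookies", "advertising", date(2019, 12, 1), sold=True),
    DataMapEntry("CRM", "purchase_history", "Commercial information",
                 "direct purchases", "order fulfillment", date(2019, 10, 15),
                 disclosed=True),
    DataMapEntry("Data warehouse", "persona_segment", "Inferences",
                 "derived from collected data", "marketing", date(2019, 9, 2),
                 sold=True),
    DataMapEntry("Legacy ERP", "fax_number", "Identifiers", "purchased list",
                 "sales outreach", date(2018, 6, 1)),
]


def within_lookback(entry, as_of, days=365):
    """True if the entry falls inside the 12-month window (approximated as 365 days)."""
    return entry.last_collected >= as_of - timedelta(days=days)


def privacy_policy_disclosures(data_map, as_of):
    """Derive the Step 1 disclosure lists from the Step 2 data map."""
    recent = [e for e in data_map if within_lookback(e, as_of)]
    sources, purposes = defaultdict(set), defaultdict(set)
    for e in recent:
        sources[e.category].add(e.source)
        purposes[e.category].add(e.purpose)
    return {
        "categories_collected": sorted({e.category for e in recent}),
        "sources_by_category": {c: sorted(s) for c, s in sources.items()},
        "purposes_by_category": {c: sorted(p) for c, p in purposes.items()},
        "categories_sold": sorted({e.category for e in recent if e.sold}),
        "categories_disclosed": sorted({e.category for e in recent if e.disclosed}),
        "opt_out_link_required": any(e.sold for e in recent),
    }


@dataclass
class ConsumerRequest:
    request_id: str
    kind: str               # "access" (copy of data) or "delete"
    received: date
    channel: str            # "toll-free" or "web form" (the two required means)
    identity_verified: bool = False

    def acknowledge_by(self):
        # Post: acknowledge receipt within 10 days of the request.
        return self.received + timedelta(days=10)

    def respond_by(self):
        # Post: fulfil the request within 45 days.
        return self.received + timedelta(days=45)


def request_work_plan(req, data_map):
    """Step 3: nothing is exported or deleted until identity is verified;
    afterwards every system in the data map is in scope for the request."""
    if req.kind not in ("access", "delete"):
        raise ValueError("unknown request kind: %s" % req.kind)
    if not req.identity_verified:
        return {"status": "pending verification", "action": None, "systems": []}
    return {
        "status": "verified",
        "action": "export" if req.kind == "access" else "delete",
        "systems": sorted({e.system for e in data_map}),
        "acknowledge_by": req.acknowledge_by(),
        "respond_by": req.respond_by(),
    }


if __name__ == "__main__":
    print(privacy_policy_disclosures(DATA_MAP, date(2019, 12, 30)))
    req = ConsumerRequest("R-0001", "delete", date(2020, 1, 6), "web form")
    print(request_work_plan(req, DATA_MAP))          # pending verification
    req.identity_verified = True
    print(request_work_plan(req, DATA_MAP))          # deadlines and systems
```

Note how the 12-month window changes the disclosures: the purchased-list source on the legacy ERP drops out of the Identifiers category because it was last collected in 2018, which is exactly the kind of detail a maintained data map makes easy to get right and a hand-written policy gets wrong.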
The California Consumer Privacy Act goes beyond GDPR in the rights it affords consumers and puts a number of requirements on organizations that do business with California residents. Understanding the law and performing the steps identified above will help your business comply with the notification requirements and prepare for any request that is submitted. However, we also recommend seeking your own legal advice for requirements specific to your organization.
We’re here to help you maintain data privacy and compliance.
Although we always recommend that you first seek legal advice and guidance on matters impacting potential litigation or penalties, as a full-service digital marketing and technology company, SilverTech may be able to help. You can work with us to conduct an inventory or audit of your data collection systems and practices, post updated content or features to your website, and make modifications to ensure your website is accessible in compliance with the Americans with Disabilities Act (ADA) or the Web Content Accessibility Guidelines (WCAG).
Additional resources:
SB-1121 California Consumer Privacy Act of 2018.
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121
California Civil Code 1798.80 Customer Records
https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.80.&lawCode=CIV