On June 28, 2018, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA), which enacts some of the country’s most powerful consumer data privacy protections into law.
With the series of data breach incidents in the past couple of years, many questions and concerns have come to light about the way consumer data is being handled. 2018 was another year of damaging breaches, with high-profile incidents at companies such as LinkedIn, Facebook, British Airways and 500px. Attacks like these have made data breaches all too commonplace, not just in the United States but around the world.
The CCPA is an outcome of the GDPR’s far-reaching influence, which has shifted government priorities and made them more willing to protect individual privacy. The CCPA came into effect on 1st January 2020, so it’s important to be aware of the policies and processes necessary for compliance and to analyze the current and future impact it will have in comparison to the GDPR.
Consumer rights under the CCPA are as follows.
A business must disclose the personal information collected, sold, or disclosed for a business purpose about a consumer.
A business that collects personal information needs to disclose, in response to a verifiable consumer request, the following.
- Categories of personal information the business has collected about the consumer
- Categories of sources from which the personal information is collected
- Business or commercial purpose for collecting or selling personal information
- Categories of third parties with which the business shares personal information
- Specific pieces of personal information the business has collected about the consumer
A business that sells a consumer's personal information or discloses a consumer's personal information for a business purpose needs to disclose the following in response to a verifiable consumer request.
- Categories of personal information the business has collected about the consumer
- Categories of personal information the business has sold about the consumer and categories of third parties to which the personal information was sold by category or categories of personal information for each third party to which the personal information was sold (if the business has not sold consumers' personal information, it shall disclose that fact)
- Categories of personal information the business has disclosed about the consumer for a business purpose (if the business has not disclosed consumers' personal information for a business purpose, it shall disclose that fact)
A business that collects a consumer's personal information must, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business must disclose and deliver the personal information the business collected about the consumer in response to a verifiable consumer request.
A business must delete the personal information the business collected about a consumer and direct service providers to delete the consumer's personal information in response to a verifiable consumer request, subject to certain exceptions.
A business must not discriminate against a consumer who exercises any of the consumer's rights under the CCPA. However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the consumer by the consumer's data and may offer financial incentives to a consumer for the collection, sale, or deletion of personal information on a prior opt-in consent basis.
Opt-Out and Website Requirements
A business that sells consumers' personal information to third parties must notify consumers of this and of their right to opt out of the sale of their personal information. A business must provide a "Do Not Sell My Personal Information" link on its Internet homepage that links to an Internet webpage that enables a consumer to opt out of the sale of the consumer's personal information.
A business must not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information.
- Consumers' rights under the CCPA, including the consumer right to opt-out of the sale of the consumer's personal information and a separate link to the "Do Not Sell My Personal Information" Internet Web page
- The methods for submitting consumer requests
- A list of the categories of personal information that the business has collected about consumers, sold about consumers, and disclosed about consumers for a business purpose in the preceding 12 months
Who does the CCPA apply to?
The CCPA applies to a business, meaning a legal entity organized or operated for the profit or financial benefit of its owners, that does one of the following.
- Has annual gross revenues in excess of $25 million
- Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenues from selling consumers' personal information
- Collects consumers' personal information
- Determines the purposes and means of the processing of consumers' personal information
- Does business in California
Under the CCPA, a consumer means a California resident.
Enforcement, Civil Action, and Penalties
Any person, business, or service provider that violates the CCPA shall be subject to an injunction and be liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.
In addition, after satisfying certain procedural requirements, a consumer can bring a civil action in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, regarding their non-encrypted or non-redacted personal information that is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.
The CCPA shall not restrict a business's ability to do the following.
- Comply with federal, state, or local laws
- Collect, use, retain, sell, or disclose consumer information that is de-identified or in the aggregate consumer information
- Collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California
The CCPA is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the US or California Constitution.
The CCPA shall not apply to the following.
- Medical information governed by the California Confidentiality of Medical Information Act or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R., parts 160 and 164, established pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act; or a provider of health care governed by the California Confidentiality of Medical Information Act or a covered entity governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R., parts 160 and 164, established pursuant to HIPAA, to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in this bullet point (the definitions of "medical information" and "provider of health care" in section 56.05 of the California Confidentiality of Medical Information Act shall apply, and the definitions of "business associate," "covered entity," and "protected health information" in 45 C.F.R. 160.103 shall apply)
- Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act and implementing regulations or the California Financial Information Privacy Act
Finally, the rights afforded to consumers and the obligations imposed on any business under the CCPA shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in a specified provision of the California Constitution addressing activities related to newspapers and periodicals.
So how does the CCPA impact marketers?
Like CASL (Canadian Anti-Spam Law) and the GDPR (General Data Protection Regulation), the CCPA will affect companies outside the jurisdiction of the law. That’s because it’s often easier to comply with the higher standard than to treat part of your audience differently.
California has nearly 40 million people living in the state, which is about 12% of the U.S. population and more people than the entire population of Canada. California’s economy is also estimated at $2.7 trillion. If California were a country, it would be the fifth-largest economy in the world, dwarfing the UK.
So California is a marketplace that marketers inside and outside the U.S. just can’t ignore. They will have no choice but to comply with the consumer privacy act. That said, compliance should be relatively easy for brands that are already in compliance with the GDPR.
It’s worth pointing out for the record: this information is just our take; we are not lawyers, so please seek legal advice as part of your ongoing CCPA plans.
With those disclaimers out of the way, we’d like to point out our best practices for data collection that are informed by the consumer privacy act:
- Reconsider whether you want to use third-party data. If you would be uncomfortable explaining to a customer/lead that you bought their details, you might want to rethink doing it.
- Re-evaluate the data fields on your forms and profiles. The CCPA is a clear shift to transparency, so make sure you are clear in what you want and why you want it.
- Only collect data that you have a clear, immediate use for. Data is now the currency of the modern world, but it can become a liability if it is not collected, recorded and deleted in the right way. You might want to think about reaching out to your customer base every 12 months to remind them of what you have and why you have it, and to ask whether they are still comfortable with you having it.
- Create a mechanism that can delete a consumer’s information when requested. Consumers can easily exercise the right to be forgotten, so make sure it is easy for you to find, present and delete their data. Consider a Single Point of User Data (SPUD).
- Don’t sell information about your customers or users. It's not a great practice, but if you do, make sure customers know that you intend to do so. Simple measures such as a clear CTA or tick box let customers opt in or out.