CCPA: Its Impact & Your Marketing Compliance
by Meghan Tooley

Understanding CCPA

The California Consumer Privacy Act (CCPA) is a new wave of legislation that will bolster privacy and consumer protection rights for Californian residents and will go into effect on January 1, 2020. It will require organizations to focus more heavily on how they’re collecting, sharing, and using user data. As one of the most comprehensive data privacy legislation ever passed in the U.S., CCPA will require companies from every industry to take a second look at how they’re conducting their data and information collection processes.

If you were to recall the prolific and expansive data breach scandals from Silicon Valley giants like the Facebook Cambridge Analytical hack and Equifax breach, your personal data was compromised. There’s a brewing concern for the lack of privacy in this digitized world and a growing need for transparency and accountability.

While the European Union’s General Data Protection Regulation (GDPR) seemed to be one of the largest legislation overhauls, CCPA is much broader than GDPR and is for Californian residents, among other things.

New rights of consumers under CCPA

All companies, from social media platforms to your grocery stores, are constantly collecting data on consumers to better refine their targeting strategies. Consumers need to understand what is being protected and how it’s being protected. The new rights of consumers under CCPA are:

  • To know what personal data is being collected about them and how it will be used
  • To opt-out of the sale of personal information to third parties
  • To request disclosure of their personal information collected about them, including any third parties with which it shares information with or sells information to
  • To have information deleted
  • To not be discriminated against for exercising new rights

What accounts for personal information under CCPA

‘Personal information’ may seem like a vague term under CCPA’s new rights of consumers, however it’s far from it. CCPA explicitly defines personal information categories under the following 12 categories.

  • Identifiers, such as: contact information, government IDs, social security number, IP addresses, etc.
  • Personal information records, such as: financial accounts, education, employment history, medical information, physical description, etc.
  • Protected classification information, such as: race, gender, religion, sexual orientation, etc.
  • Commercial information
  • Internet/electronic activity
  • Products purchased or considered for purchase
  • Geolocation
  • Audio/video /sensory data
  • Professional or employment information
  • Educational information
  • Biometrics
  • Inferences that are drawn to create a profile about the individual to reflect their preferences, such as: behavior, psychological trends, aptitudes, etc.

Who is responsible under CCPA?

If your company serves California residents or does any sort of business in California, and also satisfies any one of the following thresholds:

  • Has at least $25,000,000 in annual revenue, or
  • Has personal data on at least 50,000 people, or
  • Collects more than 50% of their revenue by selling personal data,

you must be compliant with CCPA.

It’s also key to remember that California has a population of 39.6 million people, making it the most populous US state. And while you may not be serving Californian residents, 9 other states have enacted legislation similar to the CCPA. Ultimately, CCPA (and additional data privacy legislatures) may affect your company more than you think.

How to comply with CCPA & what happens if you don’t

Ensure that your company has updated privacy notices and policies while ensuring that you have notified your consumers about the change. Compliance includes:

  • Explicitly disclose the categories of personal information that will be collected
  • Privacy policies must give consumers the right to opt-out of selling their information on the home page and footer
  • Privacy policies must have 2 ways to contact for erasure requests such as a web page & toll-free number
  • Must not request reauthorization to sell a consumer’s personal information for at least 12 months after individual opts-out
  • Comply with consumer requests within 45 days and provide information free of charge
  • Obtain parental or guardian consent for minors under 13 to collect information and affirmative consent for minors between 13 and 16

If your company fails to comply with the above requirements and fails to amend any violations within a 30-day window, sanctions will include:

  • Fine up to $7,500 per intentional violation and $2,500 for each unintentional violation
  • Can sue for damages between $100-750 per California resident and incident, or actual damages, whichever is greater
  • Fine up to $7,500 per intentional violation and $2,500 for each unintentional violation
  • Can sue for damages between $100-750 per California resident and incident, or actual damages, whichever is greater

 

Need help with CCPA compliance?

 

The Affirma Marketing Services Team has assisted with both GDPR and CCPA compliance for national and global clients. We can advise around compliance in your marketing technology stack and offer support to configure to develop processes and procedures that ensure compliance. In addition, we can also educate and train your internal users according to best practices.

 

For more information, download a copy of our guide to CCPA compliance.

 

How Can We Help?