
CCPA Requirements: Are You Prepared?

12.12.2019 | Andrea Pratt, Lucas Balk


The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. Like the European Union’s General Data Protection Regulation (GDPR), which was implemented in 2018, it’s designed to protect consumers’ data and privacy. What are the CCPA requirements? Here’s how the organization Californians for Consumer Privacy (the founder of which introduced the CCPA legislation) describes the goals of CCPA:

  1. Give consumers the right to know what information large corporations are collecting about them.
  2. Give consumers the right to tell a business not to share or sell their personal information.
  3. Give consumers the right to protections against businesses that do not uphold the value of their privacy.

“In effect, the CCPA turns consumer data from a commodity into a privilege that can be revoked,” says declared data platform Jebbit.

DISCLAIMER—The information in this article is not comprehensive, and it cannot be construed as legal advice! We are not lawyers; we’re just trying to provide helpful information. Be sure to consult with your own legal team before taking any action.

 

Do You Need to Worry About the CCPA?

First off, let’s determine if the CCPA even needs to be on your radar!

The CCPA applies to for-profit businesses that do business with Californians (yes, even online), collect and control consumers’ personal information, and also meet one or more of the following:

  • Has annual gross revenue in excess of twenty-five million dollars ($25,000,000)
  • Handles the personal information, alone or in combination, of 50,000 or more California consumers, households, or devices annually
  • Derives 50% or more of its annual revenue from selling consumers’ personal information

Important note: Entities that control or are controlled by a business that meets the aforementioned criteria and that share common branding with the business also must comply with CCPA. For example, a non-profit controlled by a for-profit business that operates in California and makes over $25,000,000 a year must comply.

All of this being said, we think the behaviors that are outlined in and will be enforced by the CCPA are essentially the bare minimum for respecting and protecting consumer data. Even if you don’t do business with Californians or meet any of the other criteria, consider starting a shift within your organization to align with the CCPA. While this may seem like a lot of work, these behaviors will help you be more responsible with consumer data, increase consumers’ trust in your organization, and even improve your marketing.

 

What Does the CCPA Enforce?

CCPA has 18 sections. We picked out the major themes of the first eight sections, which go over the main guidelines, but we recommend that you read the full text of the CCPA as well.

Section 1: Right to Disclosure

  1. Consumers have the right to request disclosure of the categories and specific information a business has collected about them.
  2. At or before the point of data collection, businesses must inform consumers what data is being collected and why.
  3. Businesses must provide the information collected to the consumer upon receipt of a verifiable consumer request for that information.
  4. A business shall disclose and deliver, free of charge, electronically or by mail, the requested information.

Section 2: Right to Deletion

  1. A consumer has the right to request that a business delete any information about the consumer that it has collected from the consumer.
  2. A business that collects personal information about consumers shall disclose the consumer’s rights to request deletion.
  3. A business that receives a verifiable consumer request from a consumer to delete the consumer’s information shall delete it.
  4. There are certain conditions under which a business or service provider shall not be required to comply with a consumer request.

Section 3: Right to Access

  1. A consumer has the right to request that a business that collects personal information disclose that information to the consumer. (The categories of information to which consumers have a right to request disclosure are outlined in this subdivision.)
  2. A business shall disclose the information specified in subdivision (a) upon receipt of a verifiable consumer request.
  3. The categories of personal information a business shall disclose are outlined here.

Section 4: Right to Disclosure of Information Sale

  1. A consumer has the right to request that a business that sells their personal information disclose:
    1. The categories of information collected
    2. The categories of information sold to third parties
    3. The categories of information disclosed for a business purpose
  2. Businesses shall disclose the information specified in subdivision (a) upon receipt of a verifiable consumer request.
  3. A third party shall not sell personal information about a consumer unless the consumer has received explicit notice and is provided an opt-out opportunity.

Section 5: Right to Opt-Out of Information Sale

  1. A consumer has the right to direct a business that sells personal information to third parties not to sell their information. (The right to opt-out.)
  2. A business that sells personal information to third parties shall provide notice to consumers that their information may be sold and that they have a right to opt-out.
  3. A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is under 16 years of age, unless the consumer, if between 13 and 16, has authorized it or, if the consumer is younger than 13, the consumer’s parent or guardian has authorized it.
  4. A business that has been directed by a consumer not to sell the consumer’s information shall be prohibited from doing so, unless the consumer later provides authorization.

Section 6: Antidiscrimination

  1. A business shall not discriminate against a consumer because the consumer has exercised their rights under this law. (E.g., by denying goods or services, charging different prices, etc.)
  2. A business may offer financial incentives for the collection of personal information, the sale of personal information, or the deletion of personal information.

Section 7: Accessibility

  1. A business shall provide the requested information in a form that is reasonably accessible to consumers:
    1. Make available two or more methods for submitting requests. The minimum is a toll-free telephone number and a website address.
    2. Information must be disclosed and delivered free of charge within 45 days.
  2. Businesses are not required to provide the requested information more often than twice within twelve months.
  3. The categories of information that must be disclosed are described in Section 1798.140.

Section 8: Website Requirements

  1. A business that sells consumers’ personal information must provide, in a form that is reasonably accessible to consumers:
    1. A clear link on the business’s website titled “Do Not Sell My Personal Information” that enables a consumer to opt out of sale. A business shall not require a consumer to create an account to do this.
    2. A description of the consumer’s rights and a separate link to the “Do Not Sell My Personal Information” page in certain locations, like the privacy policy.
  2. A business does not have to comply on its general webpage if it has a separate and additional homepage dedicated to California consumers that includes the requirements.
  3. A consumer may authorize another person to opt out on the consumer’s behalf.

 

Penalties for Violation of the CCPA

In Sections 11 and 12, penalties for violations are explained. Consumers can recover damages between $100 and $750 per incident, or actual damages, whichever is greater. Civil penalties of not more than $2,500 for each violation or $7,500 for each intentional violation also apply.

 

The Nitty-Gritty: What Do I Have to Do?

So we got through the major implications and requirements of the CCPA. Now, for businesses that will be affected, what do you have to do? Here’s a starting point.

  1. Appoint a Data Protection Officer

Appoint an existing staff member to oversee the protection of consumer data and compliance with the CCPA.

  2. Map the Data You Collect

Do an audit of how your organization handles data.

  • What personal data do you collect?
  • How do you collect it?
  • Where and how do you store it?
  • Do you share the data? If so, with whom?
  • Do you sell the data or provide it in exchange for a service?

Then, map your data collection.

  3. Make Necessary Disclosures

You must inform consumers as to the categories of personal information you’re collecting and how you’ll use it at or before the point of collection.

  4. Get Prepared to Fulfill Consumer Requests

California consumers will have the right to access, delete, and opt-out. What is your process for complying?

You’ll have to set up your two or more methods for consumers to submit requests, and you’ll have to determine how to verify and then fulfill requests.

  5. Selling Information? Make Sure You Comply

Businesses that sell consumer information to third parties have to make sure they comply with Section 8, which mandates a “Do Not Sell My Personal Information” web link, among other requirements.

You’ll also want to ensure that you review any contracts with third parties.

  6. Check In with Your Legal Team

Be sure that you’re in line with the law. Check everything with your legal team to ensure that you comply with every aspect of the CCPA!

 

It is widely believed that the CCPA will have a ripple effect in the United States. Soon, other states will begin to form and adopt legislation like it, and it may also pave the way for federal law. Why not be prepared? Start to align how you handle consumer information with the requirements of the CCPA.

 

DISCLAIMER—This is a reminder that the information in this article is not comprehensive, and it cannot be construed as legal advice! We are not lawyers; we’re just trying to provide helpful information. Be sure to consult with your own legal team before taking any action.

 
