Brand Marketers Guide to CCPA Compliance
In part two of our blog series, we continue our conversation about The California Consumer Privacy Act of 2018 (CCPA), as we explore who will be affected by CCPA and highlight the required changes for your digital properties and data collection processes. For those new to the topic (or series), we recommend listening to our podcast on the basics of CCPA, and then catching up on what the regulation means for privacy and security in part one of the blog series.
To get things started, below you’ll find a visual, step-by-step guide to CCPA compliance. Be sure to keep scrolling beyond the infographic for our in-depth analysis...
Step 1: Assess Responsibility – Who, What, When & Where?
Companies that are not based in California, but are doing business in the state of California, are beholden to the rules of the CCPA if they meet one of the following criteria:
- The Company has an annual gross revenue of over $25,000,000
- The Company either buys, sells or shares personal information of 50,000 consumers in a year
- The Company generates 50% or more of its annual revenue from selling consumers’ personal information
The language in the CCPA is broad enough to cover California residents that provide personal information on websites for companies not based in California. The CCPA’s definition of non-affected companies is pretty narrow: “…if every aspect of commercial conduct takes place wholly outside of California, applies only if the business collects personal information of consumers while they are outside of California, no sale of consumer’s personal information occurs in California, and no personal information collected while the consumer was in California is sold.” All other activity will fall under “doing business” in California.
As for what defines a Californian, the CCPA clarifies that it’s “every individual who is in the State for other than a temporary or transitory purpose and every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.” Even if your consumers reside predominantly in a state that does not have a specific consumer data privacy law (all states except for California, Nevada, and Vermont), adhering to consumer data privacy is a wise decision, given that it is a matter of when, not if, these laws will be implemented in other states.
It's important to remember that, though the law becomes effective on January 1, 2020, businesses have until July 1, 2020 before the Attorney General can begin levying fines for non-compliance. At this time, employee information, in addition to consumer information, that is collected by companies would fall under the CCPA compliance regulations. This means that the security and privacy of employees’ data will be subject to the same rules as customers/prospects on a website. Employee or vendor data is one of the most overlooked aspects of preparedness as businesses prepare to meet the CCPA regulations.
Step 2: Audit Your Data Flows
The CCPA is not just about the systems you own, but also the 3rd parties with whom you share or sell data. Mapping out where the data originates, where it’s stored, how it’s stored, and who is storing it, is a crucial step in preparing your company to meet CCPA compliance. At any time, consumers can request a copy of the data collected and a list of the 3rd parties with which the data was shared or sold, or they can request the deletion of their personal information across all systems and platforms, even if they had previously given consent for sharing or selling that data.
Step 3: Implement an Opt-Out and Update Your Privacy Policy
Businesses must provide a conspicuous opt-out link that reads “Do Not Sell My Personal Information” on their website or other owned digital properties. Companies must track which visitors have opted out and comply with the consumer’s desire not to have their information sold or shared. As stated above, consumers can choose to revoke consent at any time, and companies must comply with the request. At the time of consent, or when collecting consumers’ data, companies must track the categories of information collected and the purposes for collecting the data, in case it is requested at a later date.
Companies must update their Privacy Policy and ensure that the link is readily available on their brand's website. The Privacy Policy must be explicit in stating how a consumer’s personal information is shared or sold, and this policy must be reviewed and updated annually.
Step 4: Add a Consumer Data Request Form
Businesses must provide at least two methods for consumers to request a copy of the information collected. Some options are a toll-free telephone number, a website form, or an address for a mailed request.
Crucially, companies must have a process in place to verify the identity of the person requesting data to ensure that the request is, in fact, the consumer. Businesses must deliver a copy of the information collected within 45 days to the consumer, along with the categories of information shared and the categories of the companies with whom the data was shared or sold. Consumers can make this data request up to two times in 12 months.
Step 5: Bolster Site and Data Security
Even though the CCPA’s statement that businesses must provide “reasonable security” is vague, there are a variety of best practices for data security that your IT team can implement to protect consumer data. As a reminder, we cover CCPA security and privacy guidelines in part one of this series.
CCPA is not GDPR
The most notable difference between CCPA and Europe’s GDPR is that GDPR breaks up accountability into data controllers and data processors. It also does not exclude any categories of data for privacy, while CCPA provides many exceptions for medical information, data collected as part of a clinical trial, sale of data to/from consumer reporting agencies, personal data under the Gramm-Leach-Bliley Act, personal data under the Driver’s Privacy Protection Act, and publicly available information from federal, state or local government records.
Both CCPA and GDPR define pseudonymized consumer data and have controls to prevent reidentifying aggregated data. The CCPA does not regulate consumer data that is pseudonymized or aggregated, though GDPR regulates this data as personal data because of the potential for reidentification. In summary, GDPR does not consider anonymous data to be personal data.
Additionally, both regulations are short on defining what security measures constitute “appropriate” or “reasonable” data security. Both GDPR and CCPA provide monetary penalties for failure to secure consumers’ data from intruders or inadvertent disclosure.
When it comes to handling children accessing a site, GDPR does not offer exceptions for data controllers that are not aware of providing services to a child, while CCPA provides an exception to businesses that did not have actual knowledge of a child's age. Both laws require parental consent for younger children – GDPR sets that age at 16 and CCPA at 14.
The GDPR does not explicitly allow a European consumer to opt-out of the selling of their data, but the controls to opt-out of processing should disallow any sale of data. The CCPA explicitly regulates the ability for businesses to sell consumer data if they have not consented. It also provides for written disclosure of information in a portable (digital) format. The GDPR, however, allows deeper access, including details about the processing of their data, as well as the rights to have a consumer’s data transferred to another data processor. The CCPA has no such clause.
Both laws provide regulations for the deletion of consumer data from a business’ systems and shared third-party platforms. The CCPA does provide more instances where a company can refuse a request for deletion. Both laws provide very similar timelines to answer data requests from consumers, and both laws require identity verification of the requestor before releasing or deleting the data.
As is to be expected, both laws provide penalties which may result in significant financial liability. Both the GDPR and the CCPA allow consumers to seek a right of action against a company that violates the law. The CCPA, however, allows a company a 30-day grace period to address the violations.
Auditing Your Site for CCPA Compliance
If these updates are daunting and you’re not sure where to start, remember that auditing your site for CCPA Compliance is the first step.
And if auditing is beyond the scope of your company’s abilities – we’re here to help. Red Door provides both auditing and consulting services for CCPA and GDPR. In doing so, we examine your data collection and sharing workflows, as well as your website, and provide a detailed plan to become compliant with either law. Drop us a line to see how we can work together to help protect everyone’s data privacy.