In June 2018, the California legislature passed the California Consumer Privacy Act (aka CaCPA or CCPA). The CCPA’s rapid passage — it is a legislative replacement for a ballot initiative that went from draft to law in less than a week — was created to address growing consumer concerns about data protection and provide California consumers with important controls over their personal information.
While parts of the law still require clarification from the California Attorney General, it poses a challenge to businesses that want to be sure everything they are doing now to prepare for CCPA encompasses all of the law’s requirements. However, it also creates opportunities for companies to step up and distinguish themselves through strong data ethics and governance programs. As such, CCPA compliance will help companies bolster their commitments to consumer choice and demonstrate transparency and trust.
What Is the CCPA?
The CCPA is the most comprehensive privacy law in the United States to date and is designed to give Californians more control over their personal information.
Major new data protections the CCPA introduces include:
- Right to access information – Consumers in California will be able to know the “what, who, and why” surrounding their personal information. Specifically, they can request the following, which must be provided in a portable format:
- Which categories of personal information were collected, shared, or sold
- Categories of sources from which this personal information was collected, with whom it was shared, and to whom it was sold to
- The specific pieces of personal information it has collected about that consumer
- Why the personal information was collected
- Right to deletion – Consumers in California will be able to request that a company delete the personal information it has collected about them.
- Right to opt out – Consumers in California will be able to direct a company to not sell their personal information to third parties. It’s also important to note that the definition of “sell” in the bill is broader than simply monetary exchange.
Although it was passed in June 2018, the CCPA will go into effect on January 1, 2020. As a result, companies can expect the California Attorney General to clarify the requirements of the CCPA and expect the California legislature to amend the law. The CCPA has already been amended to include, for example, a grace period for businesses in which the Attorney General cannot bring an enforcement action until six months after final regulations have been published, or July 1, 2020, whichever is sooner. Please note that this grace period does not apply to the private right of action consumers can bring under the CCPA. There are also a number of other amendments still pending in the California legislature.
Who does the CCPA apply to?
The CCPA applies to for-profit businesses operating in California that collect personal information of California consumers for which any of the following are true:
- Annual gross revenues over $25M
- Annually buys, receives, sells, or shares personal information of over 50,000 California consumers, households, or devices
- Derives at least 50% of annual revenue from selling California consumers’ personal information
How to Achieve CCPA Compliance
To comply with the CCPA, companies should start with the following six steps:
- Analysis and Assessment – map existing processes against CCPA requirements, scope the impact of changes, and identify stakeholders
- Awareness – drive alignment in the businesses around the resources needed to address required changes
- Design Future State – create a detailed blueprint for compliance
- Development – transform the blueprint into actionable workstreams
- Implementation – remediate gaps and implement new processes, policies, and tools
- Governance – ensure compliance is monitored and enforced by reviewing all data sources and performing privacy impact assessments, as well as amending contracts as needed
Of course, it takes organizational commitment and a clear methodology to build a data ethics program that goes above and beyond regulation. Doing so is the best way to future-proof your organization for the complexity that will result from present and future applications of data usage.
Want more content about CCPA and other issues affecting marketers? Subscribe to RampedUp.us below!
The information provided in this blog does not constitute legal advice. Please consult your legal counsel to obtain legal advice.