Third & GroveThird & Grove
Dec 9, 2019 - Jen Slemp

What You Need To Know About the California Consumer Privacy Act (CCPA)

private sign

The California Consumer Privacy Act (CCPA) takes effect on January 1st, 2020 and revolves around privacy standards as it pertains to big corporations that collect and sell consumers’ personal data. The law was inspired by the General Data Privacy Regulation (GDPR) which went into effect in May 2018. 

CCPA mandates that businesses be transparent in how personal information is being stored and used, allow consumers to be able to opt-out of the data collection process (including data-sharing and data selling), and allow consumers to access and/or erase personal information that the business may have collected about them previously.
 
While we provide an overview of CCPA’s regulations and compliance standards in this article, we advise you to seek legal counsel immediately if you are at risk.

Who is at risk? 

The CCPA applies to any business that:

  • Collects the personal information of its customers
  • Conducts business in California
  • Has a gross revenue in excess of $25 million, possesses the personal information of at least 50,000 consumers, OR generates more than 50% of annual revenue from selling consumers’ personal information 

Nonprofits should be exempt unless they:

  • Control or are controlled by a for-profit entity
  • Enter a joint-venture with a for-profit subject to the act
  • OR contract with an entity through an agreement that requires CCPA compliance

Why does it matter?

In addition to the potential negative impact on your brand if you do not comply to these new regulations, there are financial implications as well. The penalties associated with a breach of personal information ranges from $100 to $750 per violation. Penalties for failure to comply with the other tenants of CCPA can reach up to $7,500 per specific violation and are enforced at the discretion of the Attorney General. 

What’s changing?

Under CCPA, consumer rights are protected by requiring business to provide them with: 

  • The Right to Know: Information on what information is being collected and how it is being collected. Additionally, this includes Information on if the information is being sold or shared-with, and with whom this information is being sold to or disclosed with.
  • The Right to Opt-Out: The ability for consumers to opt-out of their data being collected, sold and/or disclosed. This also includes the ability of a consumer to request previously collected data to be erased. 
  • The Right to Access: The ability to access their personal information. This information request must be accessible, and the request must be fulfilled within 45 days, and given to the user in a readily usable format. There must be two designated methods to request information, including at a minimum a toll-free telephone number and a website address. 
  • The Right to Non-Discrimination: Fair treatment, in terms of pricing and service, to consumers who opt-out of the data collection process. The consumer may receive financial incentives for data collection, but this must be transparent and requires an opt-in approach  non-discrimination refers to denying, charging different prices, and providing a different level of service regarding customers who opt-out. 

How does it compare to GDPR?

While there are similarities, GDPR & CCPA are two separate legal frameworks with different scopes, definitions, and requirements. The most critical difference is that CCPA adds restrictions to protect the sale of personal information and discrimination of consumers who opt-out. 

Companies who have taken action to meet GDPR compliance will likely qualify as a business that must meet CCPA compliance as well. Because there are parts of CCPA that are not mandated by GDPR, these companies will need to make modifications to their privacy policy to include non-discrimination language and also make modifications to data access requests to include if and whom consumer data is being sold. 

What constitutes as ‘personal information’?

CCPA defines personal information (PI) as: “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal Information can include (but is not limited to):

  • First Name, Middle Name, and Last Name
  • Mailing and Billing Address
  • Unique Personal ID
  • IP Address
  • Email Address
  • Geolocation
  • Username or Account Name
  • Employment Information
  • SSN
  • Driver’s License or State ID Numbers 
  • Passport Information
  • Purchase History
  • Biometric Data
  • Digital Activity, Browsing History, or Search History

What do you need to do?

We recommend consulting your legal team to:

  1. Confirm CCPA applies to you
    • Do you conduct business in California?
    • Do you collect personal information on your customers?
    • Do you have a gross revenue that exceeds $25 million OR possesses personal information of at least 50,000 consumers OR generates more than 50% of your annual revenue from selling personal information? 
  2. Audit your site & current process
    • What information do you collect and store on users? 
    • Is data stored securely and safely?
    • Is there an easy opt-out for users who don’t want their information to be collected, sold and/or disclosed?
    • Are users who opt out treated differently (pricing, service level, etc.)?
    • Can users view and update their personal information at any time?
    • Do you have a clear privacy policy that outlines what information is being collected, how it’s being collected, and if/who it is being shared with?
    • What third parties have access to your data?
  3. Review documents relevant to privacy
    • Breach Response Plan
    • Privacy Policy
    • Verified Response Plan 
    • Third-Party Processor Agreements 
  4. Update your website & secure your integration points
    • Add or update pop-up banner for users to Opt Out of data collection
    • Add or update the Privacy Policy page, and link to it from the Opt Out banner
    • Adjust logic for pricing/service offerings if it is currently discriminatory based on if the user opts-in or out
    • Create or update a page outlining how users can request access to their personal information 
    • Block data transfer to third-parties if/when the user opts out
  5. Adjust analytics & CRM platforms
    • Are you only collecting data after users opt in?
    • Are you storing personally identifiable information?
    • Have you reviewed data storing settings on each platform?
    • Have you reviewed and accepted all data processing amendments in your analytics platforms (ie. view Account Settings in Google Analytics)?

While many sources say enforcement will begin on July 1, 2020, there is also reason to believe that fines can be applied retroactively for violations dating back to January 1, 2020. If you suspect CCPA applies to you, contact your legal team right away and work out a plan for meeting compliance in 2020.

To accelerate your path to CCPA compliance, contact us today.

Helpful Resources