2020 is finally here! A new decade has arrived and with it, the first comprehensive data privacy legislation in the U.S. We can hear your noisemakers and cheers already, marketers.
Welcome to the era of the California Consumer Privacy Act (CCPA). In 2018, California legislators passed this set of laws designed to implement regulations on the collection, storage and sale of personal information of California residents. It goes into effect on January 1, 2020.
Unsure if your business is covered under CCPA? Worried about remaining within the law? Confused on your legal obligations? You aren’t alone. CCPA is a complicated piece of legislation that many companies are working to understand. Are you feeling the happy New Year yet?
To help you out, here’s a guide on what you need to know to ensure you remain CCPA compliant.
What is CCPA?
Keep in mind there are still zero comprehensive federal regulations for privacy in the U.S.
Until now, data collection has been self-regulated by companies. With increased consumer concerns and a changing technological landscape, it’s unsurprising California lawmakers decided to tighten things up.
The law introduces several new consumer rights:
Right to access information
Consumers will have the right to access the data you have collected about them. They will be able to request to know all the ins and outs - including what information you collected, why it was collected and who you shared it with or sold it to. This should be delivered to the consumer in an easy-to-read, understandable format. Under CCPA, consumers can request this information up to two times within a one-year period.
Right to be forgotten
Also known as the right to be deleted, this means consumers can request to have the information you have collected about them removed from your records. Essentially, if they want you to forget about them, you must comply.
Right to opt-out
Consumers can request that companies stop tracking their data and opt-out of having their personal information sold to third parties.
CCPA is the first law of its kind in the U.S. and it means business. The law introduces a financial risk for companies that do not comply, slapping them with $750 fine due to each consumer per incident and a $7,500 fee payable to the California Attorney General per violation.
Collectively, these laws enact privacy regulations in one fell swoop. They aim to provide better transparency in data collection and give consumers more legal control over their personal information.
Who Does CCPA Cover?
As it is written, businesses covered under CCPA must meet at least one of the following criteria:
- Businesses with annual gross revenues exceeding $25 million.
- Businesses who annually use the data of 50,000 or more Californians. By “use,” we mean buy, collect, sell or share in any way. If you interact with 50,000 or more Californians’ data each year, you must comply with CCPA.
- Businesses that derive 50% or more of their annual revenue from selling California consumers’ personal information.
While the nuances of these guidelines are up for debate, it’s best to err on the side of caution. For example, the law is unclear whether businesses must do $25 million in total revenue or $25 million in revenue just in California. It’s best to assume CCPA means $25 million total while the lawmakers and courts sort out the finer points.
Personal Information Under CCPA
The CCPA expands the definition of personal information significantly. Defining the term as information that could reasonably be linked with or associated to a specific consumer, directly or indirectly.
Legally speaking, the CCPA covers all “probabilistic Personally Identifiable Information” (say that ten times fast). If you can probably tie the data back to an individual, it’s considered personal information.
Under the CCPA, personal information specifically includes:
- Real Name
- Postal Address
- Unique Personal Identifier
- Online Identifier
- Internet Protocol Address
- Email Address
- Account Name
- Social Security Number
- Driver's License Number
- Physical Description
- Phone Number
- Passport Number
- State ID Number
- Insurance Policy Number
- Education And Employment History
- Bank Account Number
- Credit And Debit Card Numbers
- Financial Information
- Medical Information
- Health Insurance Information
If a consumer exercises their right to be forgotten, you must erase any of their data you have that falls into any of the above categories. And don’t forget - you must be able to provide proof you successfully erased their personal information.
There are exceptions to this. When erasing consumer data, you are legally permitted to hold on to information with “lawful uses,” like what you need to complete a transaction, uphold legal obligations or use for security purposes.
You can also hold on to data related to research you’re conducting, but it cannot be uniquely identified or tied to the consumer in any detectable way.
GDPR Compliance vs. CCPA Compliance
This cannot be understated: GDPR compliance does not mean CCPA compliance.
The main difference between the two laws is that the European Union’s General Data Protection Regulation (GDPR) is an opt-in law requiring consent for data collection. CCPA is an opt-out law, giving you the option to remove yourself from data collection.
There are several other key differences between each set of laws. Unlike GDPR, CCPA:
- Is mainly concerned with businesses that sell or share personal information (but also includes some businesses who simply collect data).
- Does not require a legal justification for collecting personal information.
- Does not require businesses to appoint a data protection officer.
- Does not restrict transferring personal information outside the U.S.
- Limits inquiries to data collected within the past year.
- Places fewer obligations on service providers.
- Specifically includes household information in its definition of personal information.
- Provides an absolute right to opt-out of the use of their data.
- Addresses only the sale of children’s information (not the processing) for kids under 13.
You may be a step ahead of others if you ramped up your data privacy to comply with GDPR in 2018, but that doesn’t make you compliant with CCPA.
GA/Google Products and CCPA Compliance
Google Analytics collects consumer data on a regular basis, providing you with anonymous data on your website users and allowing for better ad targeting. All this data processing has led to some concern that Google products will be ineffective as more consumers opt-out of data collection under CCPA.
As it stands, Google products are still usable under the new law. As a business, you can better ensure compliance by doing three things:
- Implement an internal process allowing for easy deletion of consumer Google Analytics information should they choose to opt-out.
- Enable restricted data processing. Google specifically developed this setting in the interest of CCPA compliance. When enabled, Google will not be able to add users to remarketing lists or similar audience remarketing lists.
Keep in mind, this is one area where CCPA can get technical and you may have to explain to consumers how their Google data is used. Consider developing resources to facilitate your explanation so you can better break things down to customers.
Viva la Data Privacy Revolución!
Data privacy isn’t a trend that will come and go. More than 12 other states besides California have proposed or enacted a privacy law, all with varying scopes, regulations and punishments. So far, Rhode Island has the lowest annual gross revenue criterion requiring companies to comply at only $5 million.
These laws are a step in the right direction for consumer rights, but bad for companies who could be forced to comply with differing laws across each state. Many trade bodies are fighting for one federal regulation, but it’s far from becoming a reality.
We’re entering a new era of privacy in the U.S. that requires businesses, government and consumers alike to navigate uncharted waters. CCPA is the first of its kind, but there are guaranteed to be similar laws in the coming year.
Ready, Set, Go!
Ready or not, CCPA and the data privacy revolution have arrived. The new laws may seem overwhelming, but remember, don’t get frustrated.
CCPA is the most comprehensive privacy law ever enacted in the U.S. but many enforcement details, qualification criteria and legal obligations are fuzzy. When in doubt, err on the side of caution and keep up with the news. As the California Attorney General answers clarifying questions and lawmakers add amendments to the act, you’ll need to be ready to make quick changes to comply.
Above all, recognize that privacy isn’t a trend that’s going away anytime soon. Pay close attention to new personal information laws and consumer attitudes toward data collection to stay on the cusp of the movement.