Just when we thought that the madness of GDPR was behind us, a brand new personal information, privacy and compliance law has taken center stage in California that has brands and companies scratching their heads. That’s right! The California Consumer Privacy Act 2018 (CCPA) is a new privacy law designed specifically to protect Californian residents that has similar – but not the same – requirements as the GDPR. California marketers and partners, it’s time to get educated on what you need to know!
First, what types of business are affected by CCPA? You should know that CCPA is not as broad or far-reaching as GDPR, which applies to any company or organization that collects personal data from any person living in the EU. CCPA only applies to companies that meet the following criteria:
- Gross revenues of $25MM or more
- Buy, receive, sell or share the personal information of 50,000 consumers (or more) and/or
- Attain 50% or more of their revenues annually via selling customers’ personal information
While your organization may not meet the criteria above, it still makes good business sense to stay current on the new rules. So, what exactly does the law say, and what steps do you need to take to ensure your business complies?
Consumer rights under the new law:
- Consumers have a right to know what personal data a business collects about them, and can request that information at any time.
- Consumers have a right to know how a business intends to use their personal data, and can request that information at any time.
- Consumers need to be notified in advance of their information being shared/sold with other parties, and consumers can opt-out.
- Consumers have the right to request that their personal data be deleted, and businesses must comply.
Ok, so how do companies comply? Here’s a quick summary:
- Establish an inbound process by which consumers can request to know what data is being collected, as well as to opt-out if they don’t want their personal information to be used. (Note that requests can reach back as much as twelve months, so businesses need to be prepared.)
- Be prepared to communicate proactively with consumers when their personal data will be collected – before you start collecting. Have mechanisms in place for consumers to opt-out if they choose.
- Provide two or more methods for consumers to request clarity on data and to opt-out (e.g., a toll-free number and an email/website address).
- Re-evaluate 3rd party vendors and partners. If you suspect that your partners are unlawfully collecting/selling (your) users’ data, have your legal team review these partnership contracts for the fine print. Discontinue working with shady third parties.
- Provide an internal process/mechanism to easily delete a user’s info, if requested.
In short, the time is now to ensure that your company is in compliance with CCPA, before the law takes effect January 1, 2020. Follow the steps outlined above, and you will be well on your way to ensuring compliance.
Your friends at Skona