Starting in January, California will have a law in place that will greatly affect how companies handle consumer data. The California Consumer Privacy Act of 2018 (CCPA) includes the most stringent data protections in the US, giving consumers the right to know what information is being collected about them and what companies do with it.
So what do you need to know to best prepare for CCPA?
With this in mind, companies should already have preparations well under way. In many ways, the measure mirrors the EU’s General Data Protection Regulation (GDPR), which caused anxiety for many global companies and marketers as they reassessed how they handled consumer data.
By better understanding how these changes will affect their company, marketers can ease the transition into a stricter privacy landscape.
Who does CCPA affect?
The California Consumer Privacy Act applies to any company that collects personal information about consumers and falls into at least one of the following categories:
• Has annual gross revenues exceeding $25 million
• Buys, sells, receives or shares the personal information of 50,000 or more consumers, households or devices
• Derives 50% or more of its annual revenue from selling consumers’ personal information
What consumer rights are changing?
To keep it simple, companies must now comply with the following consumer rights:
Right to Know or Right to Be Informed: Companies must now provide consumers with the specific pieces of personal information the business collects, the different types of sources the information is collected from, the purpose for collecting it and what types of companies it shares that personal information with. Businesses must also disclose this information generally, such as in privacy policies, and upon request from a consumer.
Right to Access: Businesses must provide consumers with their personal information upon request in an accessible format.
Right to Request Deletion: With some exceptions, consumers may request that their personal information be deleted.
Right to Opt Out: Consumers may direct companies to stop selling their personal information.
Right to Opt In: Children under the age of 16 may not have their personal information sold, unless parents opt in their children between the ages of 13 and 16.
What else is new with CCPA?
In addition, the CCPA:
• Requires businesses to have at least two methods by which consumers can submit requests for information (such as a toll-free number and a website).
• Requires businesses to add a link on their website homepage titled “Do Not Sell My Personal Information,” making it easy for consumers to opt out.
• Holds businesses liable for data breaches if the breach occurred because a business failed to implement security measures. Damages between $100 and $750 per consumer are permitted.
What’s the difference between CCPA and GDPR?
Consent is not required: The CCPA does not require opt-in consent, except for minors.
“Robust Notice and Choice” is required: Rather than explicitly asking for consent, businesses must simply include a link on the homepage so consumers can easily opt out.
Specific requirements for handling consumer rights: The CCPA requires that businesses put in place specific mechanisms by which consumers can contact companies to exercise their privacy rights. Again, this might include a toll-free number or website.
Fewer record-keeping requirements: The GDPR sets in place specific record-keeping requirements and data-processing requirements. The CCPA does not.
Verified email data is a vital tool for marketers to better understand consumer needs and provide them with the most relevant, helpful content. Marketers with healthy, strong data practices avoid spamming customers and deliver that content instead.
It remains to be seen how these regulations will be interpreted. But with these sweeping changes on the not-so-distant horizon, companies should immediately begin considering how they will adapt.