The new decade began with a bang for online data privacy. On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect. The CCPA is a new data privacy law that changes the way consumer data is collected and processed by businesses — inside and outside of California. Which businesses are affected? How is compliance achieved? What does it mean for data management processes? These questions and more will be answered in this quick guide to the CCPA.

What Is the CCPA?

The CCPA is a new law designed to protect consumers’ data privacy. It empowers individual consumers in California to find out what data is being collected about them, to request that companies delete their personal data, and to opt out of having their data sold to third parties.

The CCPA is something of a watershed moment for the United States because it is the most extensive data privacy law yet to be enacted. It marks the beginning of a new era in the way online consumer data is collected and managed. The CCPA gives California residents an unparalleled level of control over their online privacy and creates a template for states that may want to follow. 

For business owners, complying with the CCPA is a huge challenge that requires cross-organizational teamwork and substantive changes to data management policies, processes, and communications. Businesses that operate in Europe, or have customers who are EU citizens, have already been through a similar process with the General Data Protection Regulation (GDPR), which was implemented in 2018. Although there are some similarities, the CCPA is its own beast, and business owners must learn about it, understand it, and properly implement it so they can ensure full compliance and avoid penalties and legal complications.

Who Is Affected?

The CCPA is a law protecting the data privacy of residents of California, the most populous state in the U.S., with close to 40 million people. This means that any business that serves customers living in California must comply with the CCPA, not just California-based businesses.

However, not all businesses will necessarily be affected. The CCPA only applies to for-profit entities that do business in California (which includes having any customers in California — even one sale there means the need for compliance) and collect consumer information. The entity must also meet one of three other criteria in order to be bound by the CCPA:

  1. The business must earn $25 million or more in revenue annually
  2. The business must own the personal data of over 50,000 consumers, households or devices
  3. More than half of the business’s annual revenue comes from selling consumer data in their possession.

Even if a company does not meet the criteria, making it exempt from the CCPA, it is worth investing the time and energy to get acquainted with the new law now. There will likely be further changes down the road as online data privacy laws become more comprehensive and commonplace.

More importantly, California is a huge market — one of the top 10 economies in the world by GDP — making it incredibly challenging to build a company without doing any business in California. And since implementing many of these required changes can be somewhat time-consuming, it may make sense to simply run them across the board rather than only targeting California customers.

What Personal Data Does the CCPA Cover?

The consumer data covered by the CCPA includes personally identifiable information (PII), such as names, addresses, usernames, passwords, phone numbers, social security numbers, driver’s license information, sex, religion, race, IP address, geolocation, criminal records, education, employment information, purchase histories, sexual orientation, military status, and biometric data such as facial recognition imaging and fingerprints.

Keep in mind that the law also covers information that can be uniquely associated with a person — things like credit card numbers, physical characteristics, and descriptions, or any other financial, medical, or health insurance information. It does not cover any information which is considered Publicly Available Information.

What Does It Mean for Businesses?

The CCPA affords certain rights to consumers about the personal data that companies collect about them and how the companies use it:

  • The right to know if data is being collected about them, and what data is being collected
  • The right to request that the company disclose the categories of data they are collecting
  • The right to refuse the sale of their personal data to third parties
  • The right to request that the company delete their personal data
  • The right to the same service and price, regardless of their privacy requests

Businesses working to comply with the CCPA must ensure that their privacy policies and terms are updated in accordance with these rights and that those changes are clearly communicated to customers. This means providing full disclosure at various points during the customer journey, on the website, and through other digital communication methods such as email and chatbots. Before making these changes, however, the company must alter its business processes, revise its data management policies, and implement new data collection protocols that will ensure CCPA compliance into the future.

For NextRoll, the process of implementing the CCPA began at an early stage, even while the law was still evolving. Getting ahead of the game was critical, particularly in the digital advertising industry where consumer data privacy is a central issue. According to Toby Gabriner, CEO of NextRoll: 

“We know our customers look to how we interpret and follow regulations such as the CCPA for guidance. While we obviously can’t serve as their privacy lawyer, our larger mission is to help level the playing field for our customers, so getting out ahead of this, in a transparent way, is yet another way to help them better prepare, compete, and grow.”

This forward-looking approach helped ensure NextRoll’s successful compliance with the CCPA and enabled it to learn some lessons along the way.

5 Guidelines for CCPA Compliance

  1. Begin with data mapping: To build a roadmap to CCPA compliance, it is essential to know the current state of data. Start the process by mapping the types of data the company collects, processes, and handles against the backdrop of the CCPA definitions.
  2. Take a conservative approach: The consequences of non-compliance with the CCPA are not just monetary loss and the threat of litigation. Non-compliance also puts brand perception at risk and can do a lot of damage to a company’s reputation. Take a more conservative approach to the ways the CCPA defines legal terms, such as “personal information”, data “transfer”, and the ways collected data is analyzed, presented, and shared. Remember, it’s better to be safe than sorry.
  3. Ongoing training: Compliance with the CCPA demands company-wide participation from many departments, including legal, engineering, sales, and marketing. Comprehensive training is crucial so that all employees involved in the process can understand the rights afforded to customers by the CCPA and how it impacts the company’s privacy-by-design approaches. What’s more, privacy training should remain an ongoing priority, ensuring staff is always aware of and following CCPA compliance processes.
  4. Keep an open dialogue: Complying with the CCPA is a continual commitment and process. This is why it is important for companies to maintain an open conversation and transparency in their day-to-day interactions, both externally with customers and internally with staff. According to NextRoll CEO Toby Gabriner, “We now have digital slides running all over the offices to remind our own staff about the regulations and what it means for their daily work.”
  5. Update communications across the board: A key component of the CCPA is disclosure to customers about their data privacy status and options. Companies must go through the process of updating and amending all their customer communications, including terms of service, privacy policy and protocols, third-party contracts, FAQs, and channels for customers to submit data requests, such as online applications or a dedicated phone number. 

In 2018, when GDPR went into effect in Europe, it signaled a new era in online data privacy. The CCPA is the next chapter of the story, and a harbinger of what is to come — more privacy, more laws, and more compliance. Rest assured, it will not remain limited to California. Online consumer data privacy is the way of the future, and the CCPA is where it begins for many U.S. businesses. So start learning and implementing the right policies and protocols today.

Jason Finkelstein
Author

Jason is the CMO at AdRoll. Previously, he was CRO and CMO of Traitify, CMO of AVG Technologies, and CMO of Location Labs. He lives in the San Francisco Bay area with his family (including a St. Berdoodle!).