On January 1, 2020, the California Consumer Privacy Act will take effect, granting California residents more authority over information collected about them. To accommodate for this, marketers at businesses impacted by the legislation will need to ensure they have an organized system for data collection and a way to distribute data to consumers when requested.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) is legislation intended to protect California Consumers’ rights to privacy by granting more rights regarding the collection, handling and sale of personal information. Under the laws outlined in the CCPA, companies will be expected to increase transparency regarding the information they collect and sell from consumers.
Disclaimer: As a note, New Breed is not a master on all facets of the legal wording employed within the California Consumer Privacy Act. The information found in this blog post is not the same as legal advice, and we would recommend those interested in the topic pursue the help of their own legal counsel in regards to compliance.
This article and the information within it do not constitute as legal advice and should not be considered in lieu of actual trained legal council. In summary, we are not responsible for your interpretation of this information and should not be held responsible for any independent actions taken after viewing this information.
Will This Impact My Business?
The first thing to consider when discussing the California Consumer Privacy Act is whether or not it will impact your business.
For the CCPA to apply, your company must first fulfill one of the following criteria as a for-profit entity doing business in California:
- Have an annual gross revenue in excess of $25,000,000
- Annually buy, receive, sell or share the personal information of more than 50,000 California consumers/households/devices for commercial purposes
- Derive at least 50% of its annual revenue by selling the personal information of California residents
If your business falls into any of these three categories, we highly suggest you learn more about how the California Consumer Privacy Act might change the way you do business starting January 1, 2020.
What Do I Need to Do If I’m Impacted?
To be able to fulfill consumer requests regarding how their information is used, companies will need to set up a data collection process that enables them to pull and delete data as requested by verified consumers.
Not only do companies need to be cognizant of the information they’re collecting, but they also need to be aware of how they’re storing it. In addition to being fined for not complying with consumers’ requests, businesses can also be penalized for failing to implement proper security measures around the personal information they’ve collected.
According to a fact sheet from the Office of the California Attorney General, businesses will need to:
- Notify consumers before collecting their data
- Respond to requests from consumers who wish to know what data is being collected, opt-out of data collection or get their data deleted
- Provide a “do not sell my info” link on their website or mobile app
- Verify the identity of consumers making requests
- Maintain records of requests and how they responded to demonstrate their compliance
What Else Do I Need to Know?
There is still some ambiguity about what businesses will need to do to comply with the Act. Additionally, California’s Attorney General is still developing the regulations for how the legislation will be enforced. They’re accepting public comments on the matter until December 6.
One of the biggest gray areas is about what constitutes as a “verifiable request.” Companies subject to the CCPA must respond to verifiable requests within 45 days with the requested info either by mail or electronically. They don’t have to respond to a consumer’s request more than twice in a 12-month period, and only have to respond to verified consumer requests.
However, the bill defines a verifiable consumer request as “a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information.”
Until the Attorney General’s regulations go into effect, businesses won’t have a concrete definition of what requests for information they are obligated to comply with.
Where can you find out more about complying with the CCPA?
Useful topic Summaries:
- CCPA Fact Sheet (From the California Attorney General’s Website)
- A Summary of the California Consumer Privacy Act of 2018
- Five key requirements for the California Consumer Privacy Act
- The CCPA is Coming. Here’s What It Means for Your Business
- The California Consumer Privacy Act: Everything We Know with Six Months to Go