CCPA: What Is It And How To Comply

On January 1, 2020, California lawmakers will officially publish regulations for the California Consumer Privacy Act (CCPA), representing sweeping consumer privacy legislation that experts predict will become the template for other states across the country. Marketing and sales teams must take note of these new privacy laws in order to ensure compliance or risk facing sanctions by the State Attorney General.

Below is information to help Marketing teams prepare for California’s new consumer privacy laws, including important dates, key information, and details about what businesses should be considering in order to protect consumer privacy.

*DISCLAIMER: The purpose of this article is to provide additional information and resources of a general nature about the CCPA. EverString does not intend for it to serve as legal or business advice or recommendations about handling consumer privacy within your unique business, and you should not construe it as such.

Defining CCPA

Based on legislation introduced back in the Summer of 2018, California’s new privacy law gives consumers the right to request a business disclose details about the personal information it collects about the consumer.

Specifically, California Assembly Bill No. 3752 outlines the following consumer privacy rights:

  1. The right of Californians to know what personal information is being collected about them.
  2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
  3. The right of Californians to say no to the sale of personal information.
  4. The right of Californians to access their personal information.
  5. The right of Californians to equal service and price, even if they exercise their privacy rights.

Important Dates

  • Jan 1, 2020 = Bill becomes law
  • Jan 31, 2020 = Data Brokers deadline to register
  • July 1, 2020 = Enforcement begins

NOTE: Between January 1 and July 1, 2020, the State of CA can bring enforcement actions involving noncompliance, upon which the business will have 30 days to react.

Understanding Personal vs. Public Information

Personal information covers a range of categories, including:

  • Identifiers such as real name, alias, address, social security number, driver’s license number, passport number or other similar identifiers
  • Protected classifications, such as race, gender, age, or disability
  • Commercial information, like personal property records, purchase histories, and other consumer histories or tendencies
  • Biometric, geolocation, audio, or visual information
  • Internet activity, including browsing, search history, and online interactions
  • Professional or employment-related information
  • Education information

Personal information does NOT include publicly available information, which is data lawfully published by federal, state or local government.

The following are examples of publicly available information, which is not subject to CCPA regulations:

  • Government real estate records & security interest filings
  • Widely distributed media sources, such as a telephone book, television or radio, online or print publications
  • Mortgage information included on public records

Verifying Privacy Requests

Once the request is made, your business must honor the consumer’s decision for at least 12 months.

In particular, starting Jan 1, 2020, any business that falls under the purview of CCPA will need to have a “Do Not Sell My Personal Information” link or button appear somewhere “conspicuous” on the website homepage as well as “any internet web page where personal information is collected”. The link will need to take visitors to a webpage where they can opt-out of having their personal information sold or shared.

Similar to the “Do Not Sell My Personal Information” link, as of January 1, 2020 all impacted businesses will need to provide a toll-free phone number for California residents to exercise the same rights under CCPA.

The following image shows EverString’s Privacy Contact Center webpage, including options for consumers to exercise their privacy rights:

[Image: EverString CCPA landing page]

Here’s an image of EverString’s Do Not Sell My Personal Information link located in the footer of the website, as well as the toll-free phone number available on the privacy page:

[Image: EverString CCPA webpage links]

Remedies & Sanctions

According to the California Civil Code, a business that does not adhere to the new regulations will be at risk for the following sanctions and remedies:

  • Companies can be authorized to exercise opt-out rights on behalf of California residents
  • Companies that experience a data theft or other security breach can be ordered to pay statutory damages of between $100 and $750 per California resident and incident, or actual damages, whichever is greater
  • Companies can also face any other judgment a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it
  • In addition, companies can face a fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation

Impact Checklist

To help your team discuss the implications for your business, here are some questions you can ask yourself:

  • Does our business meet the requirements for CCPA?
  • What does our business need to be compliant?
  • How can our customers opt-out directly from the website?
  • What other information should be on our website?
  • Should we add language to our contracts (existing and new ones)?
  • Is there anything we need to do in terms of data/security breaches?
  • Is there anything we need in terms of certifications?

Comparing CCPA & GDPR

The CCPA shares many characteristics with the European Union’s (EU) General Data Protection Regulation (GDPR). PwC U.S. recently published a “Readiness roadmap for the California Consumer Privacy Act (CCPA)”, which includes a helpful comparison chart showing the differences and similarities between GDPR and CCPA.

As you can see, CCPA is currently narrower than GDPR. However, that is likely to change over time, so savvy marketing teams will stay close to the topic as things progress.

[Image: PwC GDPR and CCPA comparison chart]


For more information about the new California Consumer Privacy Act (CCPA), including important dates, key information, and details about what businesses should be considering in order to protect consumer privacy, download CCPA: What Is It & How To Comply.
