California approved a privacy law last month that will have sweeping changes on how companies handle consumer data. The California Consumer Privacy Act of 2018 (CCPA) includes the most stringent data protections in the US, giving consumers the right to know what information is being collected about them and what companies do with it.
While the law does not go into effect until Jan. 1, 2020, companies should begin preparing now. In many ways, the measure mirrors the EU’s General Data Protection Regulation (GDPR) which caused anxiety for many global companies and marketers as they reassessed how they handled consumer data.
By better understanding how these changes will affect their company, marketers can ease the transition into a stricter privacy landscape.
Here’s what you need to know about the California Consumer Privacy Act of 2018.
What companies does the CCPA apply to?
The California Consumer Privacy Act applies to any company that collects personal information about consumers, and falls into at least one of the following categories:
- Has annual gross revenues exceeding $25 million
- Buys, sells, or receives or shares the personal information of 50,000 or more consumers, households or devices
- Derives 50% or more of its annual revenue from selling consumers’ personal information
What new rights do consumers have?
Business must now comply with the following rights:
Right to Know or Right to Be Informed: Companies must now provide consumers with the specific pieces of personal information the business collects, the different types of sources the information is collected from, the purpose for collecting it and what types of companies it shares that personal information with. Business must also disclose this information generally, such as in privacy policies, and upon request from a consumer.
Right to Access: Businesses must provide consumers with their personal information upon request in an accessible format.
Right to Request Deletion: With some exception, consumers may request their personal information be deleted.
Right to Opt Out: Consumers may direct companies to stop selling their personal information.
Right to Opt In: Children under the age of 16 may not have their personal information sold, unless parents opt in their children between the ages of 13-16.
What else does the CCPA do?
In addition, the CCPA:
- Requires businesses to have at least two means for consumers to submit requests for information (such as a toll-free number and a website).
- Requires businesses add a link on their website homepage titled “Do Not Sell My Personal Information,” making it easy to consumers to opt out.
- Holds businesses liable for data breaches if the breach occurred because a business failed to implement security measures. Damages between $100-750 per consumer are permitted.
How is the CCPA different than GDPR?
Consent is not required: The CCPA does not require opt-in consent, except for in the case of minors.
“Robust Notice and Choice” is required: Rather than explicitly asking for consent, businesses must include a link on their homepage so consumers can easily opt out.
Specific requirements for handling consumer rights: The CCPA requires that businesses put in place specific mechanisms and mediums for consumers to contact companies and exercise their privacy rights. This might include a toll-free number or website.
Fewer record keeping requirements: The GDPR sets in place specific record keeping requirements and data processing requirements. The CCPA does not.
Data is a vital tool for marketers to better understand consumer needs and provide them with the most relevant, helpful content. Marketers with healthy, strong data practices avoid spamming customers and provide them with the most relevant, helpful content.
It remains to be seen how these regulations will be interpreted. But with these sweeping changes in the not-so-distant horizon, companies should immediately begin considering how they will adapt.