The California Consumer Privacy Act goes into effect Jan. 1, 2020, and much of it is based on Europe's General Data Protection Regulation, which became law in May 2018. While GDPR affects many U.S. organizations, the California act brings the issue of customer data privacy closer to home for many American companies.
Whether it applies to your organization or not, it is important for businesses to think more deliberately about privacy. GDPR and CCPA represent an increasing global concern surrounding customer privacy and a shift in thinking about consumer rights and who owns what data.
"California has always been a very forward-thinking state when it comes to privacy," Kevin Jones, product manager at OneTrust, a company that helps organizations prepare for CCPA, said in a session at Oracle's Modern Customer Experience 2019 conference in Las Vegas.
Jones said California was the first state to adopt a law requiring organizations to have breach notifications as well as privacy policies. "What California starts, typically other states will later adopt."
Here are five questions marketers should ask to prepare for CCPA:
1. Does this apply to my organization?
CCPA applies to all for-profit organizations that make $25 million in annual revenue, process at least 50,000 records with personal information or derive at least 50% of annual revenue from selling or obtaining personal information. Moreover, the business does not need to be headquartered in California for CCPA to apply.
"CCPA applies to any business that collects, discloses, services or sells any type of personal information on consumers that reside in California," Jones said.
2. What data does CCPA protect?
CCPA does not directly target cookies, but it does protect information commonly stored in cookies, such as name, email, address and interests. It also includes browsing history and whether the interaction is through a website or mobile app.
CCPA considers any assumptions that a business has made about a customer's preferences in order to generate a profile on that user -- such as characteristics, intelligence or even psychological trends based on their behavior online, past purchases or other interactions with the brand -- to be personal data.
"This very much broadens the definition of personal data from what we are used to with GDPR," Jones said.
3. What are customers' rights?
Customer rights surrounding their data under CCPA fall into four categories: disclosure, deletion, opt-out and nondiscrimination.
Businesses have an obligation to disclose the information they collect on an individual and whether that information is being sold, both at the time of collection and when a customer requests the information directly.
"Once an organization confirms that [the customer is] who they say they are, they need to provide the actual pieces of data collected or sold," Jones said. This includes not only the data the organization collects initially, but any behavioral data that they later extrapolate on.
Businesses must delete personal data upon request, similar to the stipulations of GDPR. Organizations can make exceptions when government regulations require historical data tracking or when the information benefits the general public. Customers also have the right to opt out of selling their personal information.
The nondiscrimination clause means businesses must offer the same products and services to everyone and cannot penalize customers for opting out of selling their personal information.
"This is very interesting because CCPA has a clause that says [businesses] can incentivize users to provide their consent," said Jones, who wondered how this would play into customer loyalty programs and whether this would create an economy around consent to sell data.
4. What are the consequences for noncompliance?
The California attorney general is in charge of investigating CCPA violations. The attorney general will send a notice to a business suspected of being in violation, and the business has 30 days to prove that it is in compliance. If a business fails to solve the issues, it can incur fines of up to $2,500 per accidental violation or $7,500 per intentional violation of CCPA.
The attorney general's office investigates data breaches of information that is not encrypted or redacted. Similarly, organizations have 30 days to prove that they have solved the problem or they can incur penalties of up to $750 per incident, per customer.
5. What can my organization do to prepare for CCPA?
The first thing to be aware of is that while CCPA goes into effect Jan. 1, 2020, there will be a 12-month look-back period, so if a customer files a request Jan. 1, organizations must provide a year's worth of data. Therefore, it is important to know where to locate all of the data relevant to CCPA in your systems.
"Mapping the flow of personal data across your organization is going to be key to processing these requests," Jones said. "Finding the data, knowing which of those data points are being sold, is very important. Otherwise you are going to be chasing the data down in that 30-day time period."
Enabling location-specific cookies will let organizations target CCPA-related content specifically to users based in California. For example, a website can present a message on what data it collects from users only to California residents, rather than every visitor to the site. Knowing who is visiting a site will enable your business to dynamically tailor the content to best service that individual, Jones said.
Businesses should also plan which team members will respond to CCPA requests and design email templates for responding. This will streamline the process that needs to happen in those first 30 days after a request.
"A good way of solving this upfront is making sure that you are incorporating privacy by design," Jones said. "If you're minimizing the intake of personal data upfront, you also minimize your exposure when a breach occurs."
Jones also recommended making sure that you have the right templates and rules in place so you can be compliant with the regulations if a breach does occur.