The California Consumer Privacy Act (CCPA) went into effect on January 1. It is the first major U.S. data protection law, and many compare it to the European General Data Protection Regulation (GDPR), enforced since May 2018.
Let's take a look at what marketers need to know and to do to be CCPA ready.
What is CCPA?
The California Consumer Privacy Act is a California consumer protection law that gives state residents the right to know what personal data companies collect about them and how they plan to use it, to request that the information not be sold to third parties, and to request that all of it be deleted.
The full impact of the new act is not entirely clear yet, because regulations that enforce the law are still being finalized. However, companies in California and beyond are already trying to meet the requirements to continue their business in one of the most populous U.S. states.
How CCPA Defines Personal Information
According to CCPA, personal data is any piece of information that identifies, relates to, describes, or directly or indirectly characterizes a particular consumer, for example:
- real names or nicknames;
- postal addresses;
- account/profile names;
- social security number, driving license, and passport ID;
- purchase of goods or services, browsing history;
- biometric data (height, weight, fingerprints);
- geolocation;
- employment information (company, job title);
- information about education that is not publicly available.
For example, cookies may be considered personal data and are therefore also regulated by the law. You will need to list what information you collect about the user and how you plan to use it. The cookie policy can be included in the general privacy policy and does not require a separate page or banner.
CCPA vs. CalOPPA and Other Privacy Laws
CCPA won't replace the California Online Privacy Protection Act (CalOPPA) or other data protection laws, which will continue to apply. To do business in California, you'll have to comply with all the existing laws.
The difference between CalOPPA and CCPA lies in the types of collected data and collection methods:
| | CalOPPA | CCPA |
| --- | --- | --- |
| The privacy policy should state: | | |
| The law applies to any company in the world if it: | | - has annual gross income of at least $25 million; - collects personal information about at least 50,000 Californians, California households and/or devices per year; - derives 50% of annual income from the sale of personal information about Californians. |
| Getting prior consent | Doesn't require prior consent. | Requires prior consent only from the under-aged before selling their personal data. For users under 13, the consent of their parents or guardians is required. |
| Active option "Do Not Sell My Personal Information" | Optional. | Obligatory. A click on the button means you are not allowed to sell the corresponding data. |
Penalties for Non-Compliance
- $100 to $750 per consumer per incident, or more if the actual damage caused by the data leak exceeds $750;
- up to $2,500 for an unintentional violation and up to $7,500 for an intentional violation of the Act.
Prior Consent Before Data Collection
Unlike many other privacy laws, CCPA doesn’t require you to get prior consent before collecting and processing user data, except for the under-aged.
For users aged 13-16, you must obtain permission directly from them before selling their personal information. For users under 13, you must obtain permission from their parents or guardians.
You can ask for permission every time an under-aged Californian visits your website, or just before selling the data. Selling data without consent violates the user's rights and entails a fine.
Note: Selling data does not necessarily involve a money transaction or payment. The term covers any action with a database, including transferring or disclosing a user's personal data.
Make sure you retain every consent you have received from the under-aged and their parents. It would be smart to retain every consent you receive, whatever its source.
Does Your Privacy Policy Comply with CCPA?
A privacy policy is a document that explains to users how their data is processed and used. It can also describe users' privacy rights.
Make sure your privacy policy meets the following CCPA compliance checklist:
- What data you collect and how you process it.
- Why you collect and process information.
- How you plan to use the data.
- How users can request access to their personal data or request that it be changed or deleted.
- Methods to verify the identity of the person who submits a request.
- Information about the sale of user data to third parties, and how to opt out.
According to Digital Trends 2020 by Accenture, 69% of users would stop interacting with a company that is too aggressive in collecting personal data.
GDPR vs. CCPA: What to Follow
You may already be following some CCPA requirements if you have complied with the GDPR rules. However, there are things you'll still have to work on:
- Make changes to your privacy policy.
- Complete the list of personal data. According to CCPA, any information that defines, describes, is associated with or is directly or indirectly related to a particular person can be interpreted as personal.
- Add the active option "Do Not Sell My Personal Information" to the homepage.
- Think over methods that allow users to request access to their data, to modify and delete it, and that let you verify the person submitting such a request.
- Collect prior consent of the under-aged before selling their personal data.
Note that GDPR limits the collection of data on religion, ethnicity, sexual preferences, genetic and biometric data, etc., while CCPA has no such restrictions.
How to Get CCPA Ready
1. Consider the location of your subscribers.
If you don't know whether your subscribers reside in California, you still need to follow the law. Determine their location so as not to get into trouble.
For example, in the subscription/registration form, ask subscribers to indicate their country of residence, or determine it using geolocation. For users from EU countries, Canada, or other places where data laws require confirmation, add a checkbox confirming that the user has read the rules.
2. Be ready to delete data upon request.
The law allows Californians to require you to delete their personal information, in part or in full. This clause is also a key element of GDPR.
3. Notify your customers of changes in Privacy Policy.
Send active users and subscribers an email notifying them that you have updated your Privacy Policy.
Alternatively, instead of a separate email, add a corresponding section to the footer of your regular campaigns.
4. Consider other regulations.
Make sure you comply with the regulations of all countries where you have subscribers, for example:
- CASL - Canada's Anti-Spam Legislation (2014);
- PDPB - India's Personal Data Protection Bill (2018);
- GDPR - General Data Protection Regulation, European Union (2018).
Also, provide clearly visible information about privacy policy updates directly on the website.
5. Prepare your website for CCPA.
- Update your Privacy Policy. Specify what information you collect and how you use and process it. Explain how users can request access to their personal data and request that it be changed or deleted.
- If you use pop-ups to notify users of data collection, make sure they contain up-to-date information.
- Set up identity verification for people who request access to their personal data or ask for its removal.
- Add the active option "Do Not Sell My Personal Information" on the main page so that users can easily find and click it.
- Make sure you obtain prior consent from the under-aged before selling their personal data. For children under 13, you must obtain prior consent from their parents.
It is better to prepare in advance, because other states may soon pass similar laws. Massachusetts, Maryland, Washington, D.C., and other U.S. jurisdictions are already discussing the adoption of their own privacy and data protection laws. We promise to keep you up to date with all the updates.
More information on CCPA: Learn about the California Consumer Privacy Act (CCPA) and how to become compliant.