With Ray Estevez, Chief Data Officer, True Influence
If you are a business that collects or uses personal data to connect with customers, by now you’ve undoubtedly heard about the “sweeping” changes coming when the California Consumer Privacy Act (CCPA) finally goes into full effect on Jan. 1, 2020.
You’ve probably also heard that most businesses are not ready to comply with the fine details of the new law, which lays out guidance for the handling of consumer data and sets legal penalties of up to $2,500 for each violation. Surveys released earlier this year reported that only about one-fourth of affected companies said they were ready for CCPA, even after more than one and a half years of review, revision, and general hand-wringing over the law’s ultimate specifics.
Data is our business here at True Influence, and so of course we’ve monitored the progress of the CCPA since it was passed as a rough framework in mid-2018, up to its requirements being finalized just this fall. Overall, I’d say that none of the law’s details are particularly revolutionary; our experience dealing with the EU’s General Data Protection Regulation (GDPR) and our focus on best practices like the Privacy Shield framework give us a strong footing to meet the CCPA’s requirements. The changes we have made have been consistent with the practices we already have in place.
But, clearly, that’s not been the case for most businesses – even the large enterprises who are specifically subject to CCPA guidelines. And I’m not surprised by this news.
Businesses need to view their preparations for CCPA as more than just a tactical undertaking. CCPA may be the first state-level privacy regulation in the U.S., but it won’t be the last – no less than 12 states have similar laws in the works, and international jurisdictions beside the EU will almost certainly pass their own regulations, as well.
Data privacy and security concerns are not going to ease after you get ready for CCPA. If anything, juggling all these various regulations will become even more complex than it will be on Jan. 1. It’s definitely going to make business more challenging, particularly in B2B.
For an organization to survive in a complex world of changing regulations and escalating risk of fines and civil liability, privacy and data security have to be part of the business culture.
You have to have a plan.
In this 2-part blog series, I will walk through the CCPA’s general requirements, and suggest actions your business should consider in meeting them. As you’ll see, these specific steps should most often serve as building blocks for a solid data compliance strategy moving forward.
General CCPA Compliance Requirements
First off, a few basics about the CCPA. While the law goes into effect Jan. 1, 2020, penalties will not be enforced until July 1 of next year, giving businesses time to adjust to the law’s specifics.
In the broadest terms, CCPA is an “opt-out” regulation – its primary focus is on giving consumers the power to tell businesses not to gather or retain data about them.
Its requirements can generally be summarized as follows:
- You must clearly express what data you collect about a consumer, and how you plan to use that data.
- You must allow consumers to opt out, or revoke their consent and request you erase their data.
- You must allow consumers to say that they do not want to have their data sold or shared. (This is a fundamental component of both CCPA and GDPR, and an area where I believe many companies are poorly prepared.)
- You must comply with requests by consumers who want to know what data you gather about them and how you use it.
- You must protect consumers’ personal data, both while at rest and in transit.
- You must act to ensure that your data partners are adhering to the same standards you are.
The good news for B2B marketers is the law clearly states that de-identified and aggregate consumer data is not subject to its regulations – it applies only to data that can be explicitly associated with an individual.
As I mentioned earlier, CCPA provides for penalties of up to $2,500 per violation, based on intent and severity, and allows businesses to remedy any missteps before the fines are assessed. This may not seem like a major financial deterrent, but most analysts agree that California law establishes that fines can be assessed per consumer. $2,500 times 100,000 names shared without consent adds up in a hurry.
Analysts also suggest that having a finely detailed list of privacy requirements in law will encourage more consumers to file civil lawsuits, particularly if their requests for information and opt-out are not met.
Who is Subject to CCPA?
A business is subject to CCPA if it:
- Has revenue of more than $25 million annually.
- Operates as a for-profit venture.
- Collects, buys, sells, or shares personal information on more than 50,000 consumers.
- Makes 50 percent of its revenue from selling consumer information.
- Does business in California.
A business is considered to “collect” information if it buys, rents, gathers or accesses personal information, either passively or actively. This includes monitoring with cookies for ad targeting, for example, as well as direct email opt-in.
A business “sells” information under CCPA if it sells, rents, or in any way communicates (even orally) personal information for “monetary or other valuable consideration.”
The exact definition of what it means to do business in California is subject to some legal speculation, but in general, if you do business in the U.S., you do business in California. It’s the world’s fifth largest economy, after all.
Of course, I should add here that all CCPA’s stipulations are subject to ongoing legal interpretation – at this point, it’s a state law with no court rulings to shore it up. There are a ton of resources out there if you want to dig into minutiae on each clause of the Act (I recommend this whitepaper from OneTrust, but it is just one of many.)
But, long story short: If you run a mom-and-pop corner shop, you don’t need to worry about CCPA. But if you collect or sell consumers’ personal data at any scale, you need to adopt its general principles. You may slip under California’s revenue or contact volume thresholds for now, but the next legislature may change that, and you don’t know what Nevada or Vermont will do next.
You don’t want to be constantly sweating the fine print.
What is Personal Information under the CCPA?
Analysts agree that the CCPA’s definition of “personal information” is broader than the standard idea of PII under which most data managers have operated, at least in the U.S. So this may be an area where you need to come into compliance.
The definition (to be found in Section 1798.140(o)(1)) clearly covers the conventional ideas of PII, including email addresses, Social Security numbers, passports, and biometrics. But it also covers non-opt-in data, such as aliases, IP addresses, public records such as property records and purchasing history, employment history, geo-location, and browsing data. It even vaguely goes on to cover how a consumer looks and smells (really), as well as any inferences that might be drawn about an individual based on these data.
Obviously, browsing history and geo-location are linchpins of ad targeting, and so can greatly impact how businesses reach consumers in digital channels. But, again, CCPA does not prohibit the collection or use of such data – it simply demands that you tell consumers what you are gathering and how you plan to use it, and that you give them a clear path to opting out of that relationship.
Who is a “Consumer” Under CCPA?
Under California’s new law, any “natural person” who is a resident of the state is protected. As I said earlier, in building out your long-term strategy, you should assume that many other states will soon pass similar laws that cover citizens under their jurisdiction, so this fine print is of temporary significance. The most important point here is that CCPA applies to people, not businesses. So any firmographic data you collect or use is likely exempt from these regulations.
Minors and the CCPA
A key point I do want to bring up is the special consideration applied to minors under the CCPA. Unlike the general opt-out guidance for adult consumers, the law establishes a “right to opt-in” for consumers 16 and under before a company can transfer their personal information. For consumers between 13 and 16, the consumer must personally provide the opt-in consent; for those under 13, the consent must be provided by an adult guardian.
The CCPA sets an actual-knowledge requirement for businesses before it assesses a violation, but it does go further than existing federal laws in asserting that a business that willfully disregards a consumer’s age does, in fact, have knowledge.
Long story short: You need to consider age and age verification as a condition of your opt-in processes. In addition to the CCPA, recent headlines about how federal CCPA statutes are impacting YouTube’s data gathering and monetization on kids’ content make it clear that PII and minors are going to be an elevated privacy issue moving forward.
Keep reading for Part 2 in this series on CCPA to learn specific ideas for being compliant with CCPA. If you have questions that won’t wait, just call us: 1-888-301-4758.