Marketers, get ready, because the CCPA (California Consumer Privacy Act) is coming, and it may just change everything. If you collect consumer data in or from the state of California, you need to make sure that you are prepared to adapt.
The GDPR (General Data Protection Regulation) is a set of sweeping data protection reforms that has been the aim of the European Union since 2012.
Almost four years later, these regulations, which are meant to protect and manage data in the digital age, have sweeping implications for not only citizens and businesses in the EU, but around the world. As a result of this, California has just passed its own version of GDPR, the CCPA. Are you ready for it?
Since roughly one in eight Americans lives in California, it is incredibly likely that the CCPA will affect your organization. If you are wondering what exactly the CCPA means and what you can do to prepare, take a look at this easy guide to the CCPA.
Why is the CCPA Such A Big Deal?
Starting in January 2020, California consumers will own all of the data collected about them. While in theory, it is possible for this to apply only to Californians, such a large portion of Americans live in California that applying one set of legal rules for them and another for all other US consumers would possibly be very inconvenient in practice.
Most companies will likely find it easier and cheaper to apply one set of rules to all Americans.
And these rules better be applied. Companies which do not comply with the CCPA run serious legal and financial risks. Consequences include civil litigation and fines issued by the state attorney general that could potentially add up to millions in penalties.
Does It Apply To You?
The CCPA does not apply to every business, but it is estimated that half a million US companies will be affected by it.
While healthcare providers are excluded and there are some exceptions, data providers, tech companies, marketing businesses, and a large number of other businesses that collect customers’ personal data will be affected.
They will have to make serious changes by January 2020 if they meet any one of the following criteria:
- Have revenue of at least $25 million a year
- Buy data about 50,000 households, devices, or individuals
- Earn 50% or more of their yearly revenue from consumer personal data
Under the CCPA, consumers own the data collected about them. The introduction of these consumer rights means that, if a customer demands it, businesses must be ready to:
- Share the information collected about them
- Tell them to whom you have sold or shared their information
- Stop selling their personal information
- Delete their personal information
- Provide equal service and price whether they make use of their rights or not
This law also holds brands responsible for data breaches. Consumers can sue companies for up to $750 for each violation. In cases of intentional violations of consumer rights and privacy, companies can be sued for up to $7,500.
Preparing for the CCPA
There is one key difference between the CCPA and the GDPR. The California regulation does not force companies to opt customers in before collecting their data. This is actually good news for marketers.
It means that they do not have to spend time and resources on the complicated customer opt-in process.
Organizations that already comply with GDPR are better prepared for the CCPA than those that don’t. However, complying with GDPR does not mean that they are 100% prepared for the extremely specific requirements of the CCPA.
Here are some important steps you can take to ensure you are prepared for January 2020.
1. Talk To Your Legal Counsel Today
Changes such as these can be difficult, and they are even more difficult when you are scrambling to respond to them at the last minute. Legal counsel can help you answer important questions and help you prepare so you have over a year to make any necessary changes.
They can look at the ins and outs of the CCPA and help you determine if it even applies to you in the first place. If CCPA applies to your organization, get to work making sure it is compliant immediately.
2. Perform Necessary Audits
Perform an audit on your data collection practices. Know where all your data is stored. Under the CCPA, you will have to be ready to answer a number of questions from consumers. You need to be able to provide information on what data you have collected and what you are doing with it at a moment’s notice.
For legal reasons, know where and how your data is stored. Also, perform an information security audit. Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction of data.
3. Know CCPA Inside And Out
Study the CCPA to make sure you understand what rights your customers have. These entail a number of brand new obligations for you, even if your organization already complies with GDPR. You must know exactly what you have to do to stay compliant.
4. Review and Update Accordingly
Look over your data management policies and processes. You have to make sure that they are secure and compliant with customer rights. If not, change them to comply with the CCPA.
Organizations that meet the criteria will have to change to meet CCPA requirements. They will have a host of new responsibilities. Once you make these changes, you will have to update your privacy policies.
5. All About the Customer
Think about if and when opt-in policies make sense for your organization. Also, plan how to communicate with customers about CCPA.
How would doing so affect your customers’ relationship with your business, and could you benefit? The market is competitive, and being open and honest with your customers might do wonders for your brand image.
Research indicates that customers are more likely to choose brands they trust more. In Reader’s Digest’s fourth annual Trusted Brand Survey, which involves responses from more than 5,500 Americans across the US, it was found that over 80% of survey respondents stick to brands they trust the most.
In fact, over 70% of respondents would even be willing to pay more to support a brand that they trust.
6. Do You Need a Chief Data Protection Officer?
The CCPA puts extreme emphasis on the protection of consumer data. While many companies have experienced data breaches in the past, there was no real accountability for them.
Now, data breaches and violations of consumer rights can cost organizations millions if they stack up. Many might benefit from hiring someone to specifically manage data protection.
Do you feel ready to take on the CCPA?