The California Consumer Privacy Act will go into effect on January 1, 2020, and it has implications for businesses similar to the far-reaching impacts of the General Data Protection Regulation (GDPR) in the European Union. This act will impact organizations in California and beyond, and many other states have bills in progress to enact similar laws.
Since CCPA initially passed in June 2018, many amendments have been proposed, so the final requirements will remain unclear until the law goes into full effect. While the law is scheduled to go into effect on January 1, 2020, the final regulations may not be published immediately due to pending amendments. Enforcement of the regulations will not occur until six months after the final regulations are published.
Organizations subject to CCPA should be preparing for potential impact now.
What companies are subject to the regulations of CCPA?
Any business that meets one or more of the following three criteria will be subject to CCPA:
- Annual gross revenues exceed $25 million
- Annually buys, receives, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more California residents, households or devices
- Derives 50% or more of its annual revenues from selling California residents’ personal information
What is considered personal information under CCPA?
The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes not only email and mailing addresses but also email behavior, web browsing behavior, purchase history and more.
What rights are given to the consumer under CCPA?
Four primary rights are afforded consumers under CCPA:
- Right to notice of what information you’re collecting, how long you hold it, etc.
- Right to access their data that you have collected
- Right to be forgotten (this means all data must be deleted upon request except specific data outlined in the law that may be required to complete an order or be in legal compliance)
- Right to opt out of the sale of their personal information
Key considerations for email marketing
Unlike Canada's Anti-Spam Law (CASL) and GDPR, CCPA does not include specifics regarding consent for opting in to email marketing messages. Thus, the direct impact on existing email marketing efforts is minimal. However, there are several considerations to keep in mind regarding data and email marketing.
- Evaluate and document any usage of third-party data, as CCPA gives consumers the ability to request the source of data.
- Re-evaluate data fields on forms and profile pages. Don’t ask for more information than you need and use.
- Only collect data that you have a clear and timely use for.
- Have processes in place to delete consumer data when requested.
Overall recommendations for companies subject to CCPA
CCPA reaches far beyond email marketing to look at overall privacy and data collected by companies. Thus, it impacts technology, customer service, marketing and many other areas of any company. These action steps can help your organization prepare for compliance:
- Ensure that you document all of the data points that are collected at various points of contact (websites, customer service, catalog orders, stores, etc.). Note how and where it is collected (and by whom, if a third party is involved).
- Train employees on the data requirements under CCPA.
- Review policies and procedures regarding data and any requests related to data.
- Delete what you don’t need. The more data you house, the more liability you carry.
- Create a plan for how you will provide customers with access to the data that you have collected about them.
- Discuss CCPA compliance with all vendors who handle data to ensure that they comply.
Disclaimer: We are not lawyers and this is not legal advice. Please consult your legal team or a privacy attorney for any specific questions regarding CCPA.