A Comprehensive CCPA Compliance Checklist for Modern Businesses

Internet data privacy laws have taken the world by storm, and they have been among the hottest topics of discussion in the business and marketing community for the past few years. It started with the European Union's GDPR (General Data Protection Regulation), which shook up businesses operating in the EU. Along similar lines, the State of California enacted the CCPA (California Consumer Privacy Act of 2018). Both regulations aim to give end consumers control over their personal data by telling them what information a business collects about them and how it is used. For consumers, it was a welcome move.

For businesses, though, it meant preparing to be even more careful and accountable than before when handling user data, and the change caused some upheaval among business leaders, marketers in particular. Although the dust has settled on both laws, every now and then a business still struggles with the requirements or runs into trouble with the authorities over its data practices. So we have put together a checklist covering the key points of the CCPA to help US firms, and their marketers, understand the law and prepare accordingly. Let us get started.

What is the CCPA (California Consumer Privacy Act)?

The CCPA (California Consumer Privacy Act of 2018) is the first comprehensive data privacy law covering residents of California. With it, California became the first US state to have a robust law governing how businesses collect and handle their residents' personal information. The CCPA framework is expected to serve as a blueprint for other states planning similar laws, with Nebraska, New York, and Washington among those considering or implementing comparable legislation.

The California Consumer Privacy Act covers four key areas:

  • The right to know what personal information is collected about them and how it is used
  • The right to opt-out of the sale of personal information
  • The right to have personal information that a business has collected about them deleted
  • The right to non-discrimination for exercising their CCPA rights

So, if your business has engaged with any resident of the State of California, the law requires you to provide the complete details of the personal information you hold on that user on request and, should the user ask, to delete that information.

The law is intended to give the residents of California control over how their data is used and stored. In simple terms, Californians now control the fate of their own personal information.

Does the CCPA Apply Only to California-Based Businesses?

Just as the GDPR applies to any business with customers in Europe, the CCPA applies to any business with customers in the state of California.

The California Consumer Privacy Act covers any for-profit business that does business in California and collects or handles the personal information of Californians, even if the company is not physically based in California. The CCPA applies to a business if it meets any one of the following three criteria:

  • Annual gross revenue of $25 million or more
  • Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year
  • Derives 50% or more of its annual revenue from selling consumers' personal information

Note that the CPRA amendments to the CCPA, in force since January 1, 2023, raised the second threshold to 100,000 consumers or households, so check the current version of the statute when assessing applicability.

Any business meeting the above criteria must fulfil the CCPA requirements for its customers who reside in California. Failing to adhere to the CCPA can invite hefty fines and enforcement action by the California authorities.

How To Make Your Business CCPA Compliant

With businesses everywhere striving to abide by the CCPA, there is plenty of information available online about the law. If you need a consolidated list of everything required to make your business CCPA compliant, however, continue reading.

Step 1: Determine whether the CCPA applies to your business

We listed the three threshold criteria above; in addition to those, the following two conditions must also hold for the CCPA to apply to your company.

Your business is:

  • “For-profit”
  • Based in California or serves/targets residents of California

Step 2: Identify the personal information you hold

To become CCPA compliant, you first need to understand which information about your customers counts as personal information that needs protecting. In short, personal information is any information that:

  • Identifies a particular consumer or household
  • Relates to, describes, or is reasonably capable of being associated with a particular consumer or household
  • Could reasonably be linked, directly or indirectly, with a particular consumer or household

This includes obvious identifiers such as names, addresses, and account numbers, but also unique identifiers such as cookies, device IDs, and IP addresses. The full definition is in California Civil Code Section 1798.140(o)(1)-(2) of the original act.

Step 3: Create/Amend Privacy Policy for Your Business

Most modern businesses already have a stringent Privacy Policy in place. If you do not have one, you must build one with the help of your legal advisor. If you already have one, here is how to make it CCPA compliant.

  • Keep the language simple and crisp for the average user to understand it easily
  • Clearly state the kind of personal information you collect, how you use it, and how you share (if you do) it
  • Explicitly state the rights of your consumers on their personal information
  • Include a “Do Not Sell My Personal Information” (DNSMPI) option in the policy, allowing users to opt out of the “sale” of their data
  • Mention your contact details
  • Maintain a version history for the policy that clearly states when it was last updated (the CCPA requires the privacy notice to be reviewed and updated at least once every 12 months)
  • Make your Privacy Policy public and easy to access through your website

Step 4: Know the Rights of Your Customers

To fully understand the CCPA, it is essential to understand your customers' rights over their data. Here is what you need to know about consumer rights under the CCPA.

  • Right to Access: Consumers may request, and you must disclose, the specific pieces of personal information you have collected about them, the categories of sources, the purposes of collection, and the categories of third parties it was shared with.
  • Right to Portability: A consumer can request their personal information at any point, and you must be able to provide it in a readily usable, portable format so that they can transfer it to another entity without hindrance.
  • Right to Deletion: Upon receiving a verified deletion request, you must delete the personal information you have collected from that consumer and direct your service providers to do the same, subject to the statutory exceptions (for example, information needed to complete a transaction, detect security incidents, or meet a legal obligation).
  • Right to Notice: You must inform consumers of the categories of personal information you collect and the purposes for which it will be used at or before the point of collection.
  • Right to Opt-Out: A consumer can at any time opt out of your “selling” their personal information to third parties.
  • Right to Non-Discrimination: You may not deny goods or services, charge different prices, or provide a different level of service to a consumer because they exercised their CCPA rights.

To honour all of the above rights, you must:

  • Provide at least two active channels for consumers to submit requests, typically an e-mail address or web form and a toll-free telephone number (a business that operates exclusively online and has a direct relationship with the consumer need only provide an e-mail address).
  • Have a diligent process to verify the identity of the requester and to respond to verified requests within the statutory 45-day window (extendable once by a further 45 days when reasonably necessary, provided you notify the consumer).
  • Have a legal team with complete knowledge of consumer rights, for the benefit of your customers and your business alike.

Step 5: Get Consent from Your Customers

Under the California Consumer Privacy Act, businesses may not “sell” the personal information of consumers they know to be under 16 without affirmative opt-in consent. Minors aged 13 to 15 must opt in themselves; for children under 13, a parent or guardian must give the opt-in consent.

Step 6: Have an Opt-Out Mechanism in Place

As a business, you must have a clear and conspicuous “Do Not Sell My Personal Information” link on your website homepage, allowing your consumers to opt out of the “sale” of their data. Once a consumer opts out, you must respect the choice and may not ask them to opt back in for at least 12 months.

Your legal team should draft explicit, plainly worded “opt-in” and “opt-out” policies so that your consumers can easily understand their choices.

Step 7: State Your Use of Cookies to Your Customers

The CCPA (California Consumer Privacy Act) does not explicitly require businesses to obtain opt-in consent for their use of cookies. However, cookies and similar tracking identifiers fall within the law's definition of personal information, so you should inform your customers about the cookies you use, what type they are, and for what purpose. Bear in mind that sharing cookie-based identifiers with advertising partners may itself constitute a “sale” under the CCPA, in which case your opt-out mechanism must cover it.

Step 8: Safeguard Your Customer Data

As a business, you must safeguard your customer data. The CCPA requires you to implement and maintain reasonable security procedures and practices appropriate to the nature of the information you hold, and it gives consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident, when a data breach results from a failure to do so. In practice that means access controls, encryption of personal information at rest and in transit, and the monitoring and incident-response capability to detect and contain a breach.

Key Takeaways

The California Consumer Privacy Act (CCPA) is the most comprehensive data protection law in the US. It sets out the rights of Californian consumers over how their data is collected, processed, stored, and, at times, sold online. While the law exempts smaller businesses that fall below its thresholds, it has provisions that significantly affect every business that does meet them.

So, as a business owner, the CCPA requires you to make significant amendments to your data policies, privacy policies, and the way you process your users' personal information.

It is advisable to prepare your business to be compliant with the CCPA. Should you need help getting started, we will be happy to connect you with our data experts. Just write to [email protected], and we will contact you to get things started.


James Libera

James leads the Client Servicing function for Datamatics Business Solutions in the USA. With over a decade of experience in identifying, developing, managing, and closing business opportunities with existing and new customers across North America and Europe, James is a proficient business leader with a wealth of knowledge to share.
