GDPR was last year’s news. This year is all about preparing for the numerous state laws that are being enacted throughout the US, including, of course, the California Consumer Privacy Act (CCPA), whose deadline for enforcement is quickly approaching. If you don’t know what CCPA Compliance is, or think the law is irrelevant to your business, you may well find yourself in violation when enforcement begins on Jan. 1, 2020. There’s a lot of confusion around CCPA Compliance among brands and marketers, but it’s essential to understand the implications of this legislation and what it means for the future of marketing. This major new law is poised to disrupt the way that companies interact with their customers—whether a given brand is based in California or deals with California residents. To help you prepare, let’s walk through four key things to know about CCPA Compliance.
The California Consumer Privacy Act (CCPA) is a new consumer protection and data privacy act. It enhances the privacy rights of residents of the state of California in the United States. The CCPA became effective on January 1, 2020, and enforcement is expected on July 1, 2020. CCPA Compliance bears much similarity to the GDPR. It grants rights to Californian residents such as:
- Consumers have the right to be informed of the categories of personal data a business collects about them and to gain access to the personal data a business collects about them, twice a year, free of charge.
- Consumers have the right to sue for a data breach that results in the theft or unapproved disclosure of certain unencrypted or non-redacted personal data (if the company violated its duty to maintain reasonable security practices to protect the personal data).
Thus, organizations must disclose information about the collection, sale, and disclosure of personal information.
CCPA Compliance Applicability
The CCPA Compliance will apply to for-profit businesses that collect and control California residents’ personal information, do business in the state of California, and meet at least one of the following thresholds:
- Annual gross revenues larger than $25 million
- Receive or disclose the personal information of 50,000 or more California residents, households, or devices each year
- Make 50 percent or greater annual revenue from selling California residents’ personal information
Non-profits, smaller companies that don’t meet the revenue thresholds, and/or those that don’t traffic in large amounts of personal information from California residents, and don’t share a brand with an affiliate that’s covered by the CCPA Compliance won’t have to comply.
The CCPA does not cover every business. The law defines a “business” as a legal entity that collects consumers’ personal information, determines the purposes and means of processing consumers’ personal information, conducts business in the State of California, and satisfies one or more enumerated thresholds:
- Earns annual gross revenues in excess of $25,000,000;
- Buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices per year; or
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Although the CCPA Compliance does not explicitly refer to “controllers” and “processors,” which are the terms used by Europe’s General Data Protection Regulation (GDPR) to distinguish between the decision-making power for personal data processed by different types of entities, the act does define the term “service providers.” The CCPA defines “service provider” as a legal entity that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written CCPA contract.”
The CCPA Compliance defines “consumer” as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations…, however identified, including by any unique identifier.” According to the referenced state regulations, a California resident is any individual who is (1) “in the state of California for other than a temporary or transitory purpose,” or (2) “domiciled in the state” of California and “outside of the state for a temporary or transitory purpose.”
The CCPA Compliance defines “Personal Information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Importantly, because the CCPA Compliance defines household data as PI, that data may be protected under the CCPA Compliance even if it does not relate to a single individual.
The CCPA Compliance defines collection as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Collection includes both active and passive receipt of information from the consumer and observations made about the consumer. This expansive definition of “collect” or “collection” encompasses information a business collects as well as information provided to the business by other parties, including directly from the consumer.
Sale and Disclosure
A “sale” under the CCPA Compliance includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Different levels of consent are needed for different situations under the CCPA Compliance. For example, consumers may opt out of consenting to the sale of their personal information by a business. Additionally, third parties that receive PI through a purchase must provide consumers with notice and an opportunity to opt out of further sales before selling that information.
- What personal data do we collect/store?
- Have we obtained it fairly? Do we have the necessary consent, and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose, and were the data subjects informed of their right to withdraw consent at any time?
- Are we ensuring we aren’t holding data any longer than is necessary and we are keeping it up to date?
- Are we keeping personal data safe and secure using a level of security appropriate to the risk? Are we limiting access to ensure it is only being used for its intended purpose?
- Are we collecting or processing any special categories of personal data, such as sensitive personal data, children’s data, biometric or genetic data, etc.—and if so, are we meeting the standards to collect, process and store it?
- Have we implemented a policy of “data protection by design and default” to ensure we’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals?
- Do we have procedures in place to handle requests from data subjects to modify, delete or access their personal data? Do these procedures comply with the rules under the CCPA?
- Do we have security notification procedures in place to ensure we meet our enhanced reporting obligations under the CCPA in case of a data breach in a timely manner?
- Are our staff trained in all areas of CCPA data privacy to ensure they handle data in a compliant manner?
- Do we review and audit the data we hold on a regular basis?
CCPA Compliance Roadmap
Preparation for CCPA
- Keep Records of Processing Activities (ROPA) as a best practice to help document and categorize data by age, origin, lineage and usage by third parties.
- Understand the CCPA value of data to your business by reviewing your business strategy. Discover, map and inventory data and relevant processing activities related to California residents.
- Explore and implement processes to address consumer requests, including requests to delete, access and opt out of the sale of their data under CCPA guidelines.
- Determine the most cost-effective approach for your privacy program by offering the same privacy options to all customers. Share straightforward procedures with consumers, whether standard or personalized to Californians, like providing consumers the ability to opt out of the sale of their data, which is still under legislative review.
- Use risk assessment in your organization so teams know the essential actions they need to take to be ready for the CCPA.
The California Consumer Privacy Act (CCPA) establishes and enhances consumer privacy rights for California residents and imposes rules on business processes that handle their personal information. CCPA was scheduled to go into effect on January 1, 2020, and the California Attorney General was expected to issue regulations clarifying certain provisions of the CCPA before then.
- Gives You Ownership – Protect your right to tell us not to share or sell your personal information.
- Gives You Control – Gain control over the personal information that is collected about you.
- Gives You Security – Responsibility for safeguarding your personal information.
It’s important to check if you meet the following requirements. The CCPA applies to any for-profit entity doing business in California that collects and controls the processing of a consumer’s personal information (“controllers”) and also satisfies ANY one of the following thresholds:
- Exceeds $25 million gross revenue annually,
- Handles the personal information of 50,000 or more California consumers, households, or devices annually, or
- Derives more than 50% of annual revenue from selling consumers’ personal information.
ZINFI’s UCM acts as a data processor and utilizes only partner records. ZINFI primarily processes and houses only business contact details such as name, business email, business phone numbers, etc. ZINFI’s system does not have access to, nor does it sell any data concerning its customers’ partners, those partners’ customers or end customers.
The U.S. federal government has passed laws targeted at select areas of data privacy such as Children’s Online Privacy Protection Act (COPPA) and the CAN-SPAM Act, and every state has adopted its own version of a data breach notification law. However, the CCPA is the first and most extensive regulation of its kind in the United States to codify privacy protections for the residents of a particular state.
The CCPA protects privacy by affording Californians the right to access, delete and opt out of the sale of their data. The CCPA protects “consumers,” which are broadly defined as California residents. The term “consumers” extends to both California residents currently in the state and those traveling outside of the state. The term encompasses customers of goods and services, employees and participants in business-to-business transactions.
You might be wondering what type of data is protected. Right now, the data covered can be broadly described as all data collected on consumers. You can think of it as data that directly or indirectly identifies, describes or can reasonably be linked to a particular consumer or household. For example, commercial Internet activity information and any inferences drawn about a consumer apply. There’s currently a non-exhaustive list of specific categories of personal information defined in section 1798.140 of the law.
- The CCPA grants consumers rights to know what personal information a business sells, discloses or collects about them as well as categories of third parties who purchased or received their data. Consumers have the right to obtain a copy of personal information collected about them by making “verified consumer requests.” Customers then have the right to transmit the information from one entity to another.
- Consumers can request that a business delete any of the personal information that the business has collected from them. The CCPA creates certain exceptions to this deletion right, like when personal information is necessary to perform a contract or complete a transaction.
- Consumers are given the right to opt out of the sale of their personal information, and the CCPA prohibits businesses from discriminating against consumers that exercise their opt-out rights. Companies cannot ask consumers to sign contracts that limit their data privacy rights under the CCPA. This includes contract provisions limiting or waiving the right to a specific remedy or means of enforcement for an alleged violation.
Internal expectations for your business
- Make required disclosures: Businesses must notify consumers of their rights under the CCPA, including their right to deletion, right to know, and data portability rights, as well as how to exercise these rights. These required disclosures can either be made via privacy policies, in CCPA-specific notices, or at the time the personal data is collected. Companies’ privacy policies must lay out how the collected data will be used. The CCPA imposes obligations for companies that sell a consumer’s personal information and/or the data of children. However, this document will not cover those exceptions because ZINFI customers are not allowed to use our products to sell data or collect children’s data.
- Respond to consumer rights requests: Businesses must implement processes to respond to verified consumer requests and opt-out requests. For example, responses to customer requests must cover the 12-month period preceding the request, so companies must have a way to date the data they collect.
- Maintain access and portability: Businesses must make at least two methods for submitting requests available to consumers including, at a minimum, a toll-free telephone number and a website address if the business maintains one. Businesses must respond to consumers’ requests for information within 45 days of receiving a request, which may be delivered by mail or electronically in a portable format. However, for online-only businesses, one proposed amendment to the CCPA allows them to make, at a minimum, only an email address available for submitting requests for information.
- Deletion: If requested, businesses must delete a consumer’s personal information from its records unless maintaining the information is necessary to complete a transaction, for security or fraud-prevention purposes or for another purpose listed in the Act.
The Act is enforced by the California Attorney General, and currently provides businesses 30 days to comply if accused of noncompliance. However, a proposed bill removes this time period and allows for enforcement immediately. Civil penalties of up to $2,500 per violation or $7,500 for intentional violations may be imposed. The CCPA extends a private right of action to consumers, giving businesses exposure not only to government fines but also to lawsuits from customers.
Since there is a significant amount of overlap between the CCPA and the GDPR:
- ZINFI’s seven-factor CCPA commitment – Data Protection Office, Data Security, Consent Management & Policies, Data Accuracy, Secure Data Processing Architecture, Data Breach Procedures and Security Training.
- ZINFI has extensive resources on GDPR that explain our product and system features, and the functionality used by us and by our customers to support compliance with GDPR.
- A good portion of the existing product and system features, processes and policies that are currently used for GDPR compliance are used in similar ways for compliance with CCPA. For example, we handle access and deletion requests (these are currently requirements under both bodies of law) by using our existing functionality.
- Consent management:
  - ZINFI has established not only simple consent-obtaining procedures, but also processes that demonstrate that the data subject has consented to processing of his/her data. Records are stored for ready access.
  - Consent requests are presented to consumers in an intelligible and easily accessible form, using clear and plain language. Our “Do Not Sell My Personal Information” policy is presented transparently.
  - Requests for consent clearly reflect the use of the service for which data is collected. The following are clearly defined and mailed to CA clients, prior to processing:
    - Why we collect the specific information
    - What we do with it
    - How long we keep it
    - How we destroy/retain it
    - How individuals can access the information we hold about them
    - Right to be forgotten information: the data subject’s right to withdraw consent at any time; the process for withdrawing consent should be just as easy as that for giving consent
| | CCPA | GDPR |
|---|---|---|
| | Applies to a for-profit “business” that: | Applies to a “controller” or “processor”: |
| Consumer scope | California residents | EU data subject – a natural living person in the EU |
| Penalty per violation | USD 7,500 per violation for intentional violations | Up to 4 percent global turnover or EUR 20 million, whichever is higher |
| Time to respond to a consumer data request | 45 days | 30 days |
Consumer Privacy Act Privacy Notice
This PRIVACY NOTICE FOR CALIFORNIA RESIDENTS supplements the information contained in the Privacy Statement of ZINFI and its subsidiaries and applies solely to visitors, users, and others who reside in the State of California.
Consumer Privacy Act Readiness Guidelines
ZINFI offers a comprehensive, scalable unified governance and integration platform and solutions. These solutions deliver data for insights and compliance initiatives to businesses, governments and individuals.
Consumer Privacy Act Data Privacy Checklist
Meeting privacy obligations and protecting personal data requires the discovery and classification of different types of data across the business. So, keeping a checklist handy is the best bet.
Consumer Privacy Act Compliance Guide
A simplified step-by-step presentation of how ZINFI offers a comprehensive, scalable unified governance and integration platform and solutions and preserves the integrity of the California Consumer Privacy Act.