California Consumer Protection Act of 2018

The California Consumer Protection Act of 2018 (CCPA) officially goes into effect on January 1, 2020.  It is the latest major mandate in what has become an ongoing passage of laws that will protect consumer data.  These laws are needed in order to protect consumers as they browse and make purchases online.  And because consumers are conducting more and more business over the Internet, similar laws are expected to be passed by other states, and potentially at the Federal level, over time.

What is the CCPA?

Before I answer that question, let’s rewind a bit.  In 2018, the General Data Protection Regulation (GDPR) of the European Union (EU) went into effect.  It protects citizens of the EU by establishing parameters for the collection, processing, storage and sharing of personally identifying consumer data by corporations.  Although the GDPR is a European law, it is important to any company that potentially collects personally identifiable information from EU citizens. For example, an American company may attract customers who are citizens of the EU, and therefore, must comply with the regulations.  So, if the question is whether the GDPR applies to American companies, the answer is yes.  By the same token, a business located outside of California must comply with the CCPA.

The CCPA is similar to the GDPR, with the major difference being that it protects the residents of California. According to the International Risk Management Institute, the law applies to a business for which at least one of the following is true:

  • Generates annual gross revenues over $25 million.
  • Is a primary, for-profit business that consists of buying, selling or otherwise receiving the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
  • Determines the purposes and means of the processing of consumers’ personal information.
  • Does business in California.

The term “personal information” means any information that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household.

The term “collect” refers to buying, renting, gathering, obtaining, receiving, or accessing any personal information related to a consumer by any means – including from the consumer (actively or passively), or by observing the consumer’s behavior.  When it comes to marketing, such observation takes place via campaign tracking tags.

What rights do consumers have under the CCPA?

Disclosure

According to the State of California, businesses must disclose to consumers, upon request, the following specific information about personally identifying data collected about them.  Failure to comply with consumer requests puts the business at risk of legal action.

Specific information businesses must provide to consumers under the CCPA:

1. Categories of personal information it has collected about that consumer.
2. Categories of sources from which the personal information is collected.
3. The business or commercial purpose for collecting or selling personal information.
4. Categories of third parties with whom the business shares personal information.
5. The specific pieces of personal information it has collected about that consumer.

Access

Any business that receives a verifiable consumer request to access personal information collected about them must immediately take steps to disclose and deliver it to the consumer free of charge.  The information can be delivered by mail or electronically. If it is provided electronically, it must be in a portable format that the consumer can easily transmit if they choose to do so. Businesses are not required to provide this information to consumers more than once in a 12-month period. 

Deletion

Upon request by a consumer, businesses must delete any personal information collected.  They must also require third-party service providers to delete the consumer’s personal information in response to a verifiable consumer request, subject to certain exceptions.

Anti-discrimination

Businesses may not discriminate against consumers who exercise their rights under CCPA by denying access to their personal data. For example, they may not:

  • Deny goods or services to the consumer.
  • Charge different prices or rates for goods or services or impose penalties – for example through the use of conditional discounts or benefits.
  • Provide a different level or quality of goods or services.
  • Suggest that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

Businesses can charge different prices or provide a different quality of goods or services, provided that the difference is reasonably tied to the value the consumer would have received if they had granted the business access to their personal data.

How can my business stay compliant with CCPA?

Businesses must take practical steps to protect consumer data. Doing so will minimize the risk of civil lawsuits brought by individual consumers. Fines of $2,500 to $7,500 for breaching the CCPA could become a real financial burden for your business, as penalties are calculated based on the number of affected consumers and the total number of instances.

From a marketing perspective, a large amount of consumer data is collected using campaign tracking tags. Data is also collected through website plugins that may capture personal data on forms or in eCommerce transactions. It is important to know what tracking tags and plugins are active on your website, and how your tracking systems are configured to collect and store consumer data.

Last but not least, it is critical that the various departments in your company communicate efficiently. Representatives including executive leadership, marketing, IT and others need to understand the importance of compliance, and work together to ensure the proper measures are taken. If you use a marketing agency, be sure to consult with them for advice on how you can prepare and maintain compliance in the future.

Website requirements for opting-out:

Businesses that sell personal consumer information to third parties must inform consumers visiting their website of this practice and provide a means for them to opt out. The company’s website must provide a “Do Not Sell My Personal Information” link on the homepage, which links to a page where the consumer can opt out.

If a business has actual knowledge that a consumer is under 16 years of age, it cannot sell their personal information.  However, if a parent or guardian has provided affirmative authorization beforehand, the business can sell personally identifying information of consumers between 13 and 16 years of age.

Privacy Policy Requirements:

A business must include a California-specific description of consumer privacy rights in its published online and offline privacy policies. Amendments to the CCPA are expected after January 2020.  Therefore, these points must be updated at least once every 12 months.

  • Consumers’ rights under the CCPA, including the right to opt out of the sale of personal information.
  • A separate link to the “Do Not Sell My Personal Information” Internet web page.
  • Instructions for submitting consumer requests.
  • A list of the categories of personal information that the business has collected about consumers, sold about consumers, and disclosed about consumers for a business purpose in the preceding 12 months.

Practical Tips to Determine if Your Business is CCPA Ready

We recommend obtaining legal counsel to know the specifics regarding your company’s level of compliance with CCPA. The Three P’s listed below are a great starting point in assessing how prepared you are for the enactment of this law on January 1, 2020.

People

  1. Who is responsible for data management at your company?
  2. Do you know what data your company owns about its consumers?

Processes

  1. Where is your consumer data stored?
  2. Who in your company has access to this data?
  3. Do you have a process for complying with the requirements of the CCPA and GDPR?

Platforms

  1. Your marketing agency or consultant can advise you on whether or not your website is CCPA ready.  Here is a list of things you will want to discuss:

      • How will the technical requirements for handling consumer data, such as tag management systems and cookie tools, be implemented on your website?
      • How will your website communicate to visitors how their personal data is managed?
      • How will your website provide consumers with a mechanism for opting-out or submitting a request for their personal data?

Important legal points to remember:

The information shared here should not be interpreted as legal advice or counsel, and we do not represent it as such.  We do not make any warranties or statements regarding the legal acceptability of the information presented.  Actions performed as a result of the information provided are of your or your company’s own choosing.  We do recommend obtaining legal advice from legal counsel whenever taking action related to the law.

About Dynamics Online

Dynamics Online is a full service internet marketing agency that provides web design, search engine marketing, social media strategy and more. We can evaluate your existing website for improvement opportunities, or design a content strategy that will help your business achieve its digital marketing goals. For information, call us at (216) 292-4410.