California has just signed The California Consumer Privacy Act of 2018 (CCPA) into effect. This new consumer privacy law comes after Europe’s General Data Protection Regulation (GDPR) and, for some, is seen as a smaller version – one without the option to opt out of data collection altogether that the GDPR has.
Let’s see how this new bill is going to affect your business, and how you can prepare for success in the future regulatory landscape.
If nothing else, you need to know 5 things about CCPA.
Under the new law, residents of California have the right to:
– Know what personal information is being collected about them.
– Access that personal information.
– Know whether their personal information is disclosed, and if so, with whom.
– Know whether their personal information is sold. If so, they have the right to opt out of the sale.
– Equal service and price regardless of whether or not they exercise their privacy rights.
The CCPA In Detail
Who Does it Apply to?
CCPA will apply to any business that operates in California (whether it is a California business or not).
Let’s Define “Personal Information.”
Before we start getting into the specifics of the law, we need to define personal information (as defined by CCPA). Personal information, in the case of the bill, is a broad term. It includes obvious things such as names, addresses, SSNs, and email addresses. However, the term extends further. It includes geolocation, IP addresses, shopping or browsing history, psychological profiles, behaviors, attitudes, consumption behaviors, and consumer preferences.
Or, put more eloquently – literally everything.
The Right to Opt Out
Consumers now have the right to “opt out” of a business selling their information. Under this bill’s definition – which is very broad – almost every B2B transfer of information will be considered a sale of information.
This means that third-party businesses will not be able to sell customer information post-acquisition unless the customer has received a notice and is given a right to “opt-out” first.
The Right to Access
Consumers can request access to their personal information that a business has stored. In other words, a consumer may ask what information a business has collected on them, and that business will be required to detail what specific type of information was collected.
The Right to Delete
Consumers can request to have their information deleted, and businesses must comply.
There are a few (a bunch of) exceptions to this, including transactions, security incidents, errors, free speech, compliance with various other acts (like CalECPA), research, internal uses, and legal compliance.
Opt-in for Children
Businesses will be required to collect opt-in for children under the age of 16. For children that are under 13, the opt-in must be collected from a parent or guardian.
Note: Because of COPPA, businesses will need to ask consumers if they are under 16 – otherwise, they could get fined. So, basically, you will need to ask people if they are under 16 so that you can ask them if you can collect data on them.
Do Not Sell My Personal Information
What About the Stick?
Currently, penalties in the law can include up to $7,500 per incident. This means that a data breach involving 10,000 customers could end up costing a business as much as $75 million.
There are a few issues that need to be ironed out before the law makes its way into 2020. The legislation is expected to be cleaned and prepped by the time 2020 rolls around. Mostly, cleanup is just a few legislative errors (and a lot of clarification), but there is one major issue that sticks out to us.
Section 1789.125 (b) permits businesses to offer different prices and incentives to customers who allow data collection.
This section directly conflicts with Section 1798.125 (a), which prohibits charging different prices or rates, or providing different quality levels, to consumers based on whether they opt in.
Leaving a “fuzzy” area around businesses offering opt-in incentives is certainly not a good place for the law to conflict with itself. We are hoping this is cleared up by the time the bill is enforced.
If you’re prepared for GDPR you are ahead, but CCPA is slightly different, so you still have some work to do. If you haven’t done much with GDPR, you can get started with our Marketer’s Guide To GDPR Compliance to help you navigate your way through the changing consumer privacy laws.