California Consumer Privacy Act — What You Need to Know

Hollywood sign above a house in california

Topics: Marketing Strategy

Remember the GDPR of May 2018? If not, take a quick look at our recent blog that details what has transpired over the last year. The EU took a bold step to protect personal information, and California has followed suit with the California Consumer Privacy Act (CCPA). The legislation was signed into law on June 28, 2018, and it will take effect on January 1, 2020 (though it will not be enforced until six months after the effective date). The time to adjust your strategy is now.

What does the CCPA protect?

There are several provisions under this law. Here are some of the more prominent to keep in mind:

  • Consumers are entitled to know all of their personal data that is being collected.
  • Consumers must have access to their personal data.
  • Consumers are entitled to deny the sale or collection of their personal data.
  • A company cannot discriminate against a consumer when they exercise their privacy rights.
  • Consumers are entitled to know whether or not their personal data is being sold, and who is buying their personal data.

What is “personal information” under the CCPA?

The bill defines “personal information” as:

“information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

It further elaborates on the definition, which encompasses “a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers,” in addition to records of personal property, purchasing tendencies, past purchases, browsing activity, and any related Internet activity.

How will this affect me?

You will be affected if you are a for-profit company that collects any consumer information from California residents. You must also meet at least one of the following conditions:

  • Your company’s gross revenue exceeds $25,000,000.
  • Your company buys or gathers the personal information of a minimum of 50,000 consumers.
  • 50% of your company’s revenue comes from selling personal information.

What do I need to do now?

Even if your business doesn’t fall under CCPA oversight, you need to be prepared for anything — especially if you have a growth-oriented and diversifying mindset. Consumers and governments are shifting in favor of consumer privacy, so it’s important to consider that in your planning. It’s likely that you made changes for GDPR, so this is a great opportunity to revisit them and implement any necessary changes in anticipation of CCPA.

Consumers must be allowed to opt out, and you cannot treat them differently or adjust any costs if they choose to do so. You are required to be completely transparent about your data use. Consider updating your privacy policy and displaying it somewhere that is easy to find. Consumers will also be permitted to contact you and request information about their personal data from the previous 12 months. You must provide this information or you could be held liable, and the individual has the right to litigate. In order to comply, you will also need to keep at least 12 months of retroactive data readily available for a request, so you should seriously consider restructuring your data storage and processing if you don’t yet have that capability.

Consumers can also submit a valid request to have their data deleted from your systems, but there are some exceptions that are contingent on why you have the data. A few examples: You are exempt from these requests if the consumer is currently under contract with you and their personal information is an important part of how you conduct business with them. You may also keep the data if you are conducting some type of research that requires the personal information in order to be analyzed and completed. You do not need to delete data if it is used to detect illegal activities, exercise free speech or another legal right, or if it is needed to comply with legal requirements.

We recommend that you read the full text of the bill here, as there are more technicalities to understand outside of these general guidelines. We have also composed a slide deck that details the information you may need. At Axis41, we’re happy to invest in your success, help you strategize, and fill in any knowledge gaps you may have. Contact us today to speak with our team of CCPA specialists who are readily available to offer any assistance you may need.