Amid headlines about data breaches, hacks and security threats, Americans are more pessimistic than ever about how their data is used—and feeling more resigned to a world with diminished privacy protections. According to a recent Pew study, 62% of Americans believe it’s “not possible” to go about daily life without having their personal data collected by companies.
As strategists, we rely on data to develop and refine our ideas, and we encourage our clients to do the same. We believe that smart data practices can result in better marketing, better service, better experiences and better communication between brands and consumers. But none of this works unless you’ve earned your customers’ trust, and if customers don’t trust you with their data, ultimately, they don’t trust you.
On January 1, 2020, the California Consumer Privacy Act (CCPA) will take effect. Created in response to concerns about how consumer data is gathered and used, CCPA is the first legislation of its kind in the U.S. Even though it’s a state law that covers California residents only, CCPA will impact businesses far beyond the Golden State—and experts say it’s just a matter of time before more states pass similar legislation, or band together to push for federal consumer privacy laws.
Yes, new regulations present compliance challenges. We suggest looking at CCPA from a different perspective: It’s an opportunity to audit and improve your data policies and the ways in which you communicate these policies to your customers.
So gather your legal, IT and marketing teams, and let’s walk through CCPA 101.
California’s new law applies to any for-profit entity that collects, shares or sells California consumers’ personal data and meets any one of the following criteria:
According to the law, personal information is any piece of information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (see subdivision 1798.140(o)(1)).
That means things like names, email addresses, IP addresses, physical addresses, phone numbers, geolocation data, biometrics, purchase history, account names, usernames, Social Security numbers, license numbers, search or browsing history and more, including “inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” (see link above for the full list).
CCPA compliance can be broken down into three broad areas: notification, opt-outs and responses to consumer requests.
Clear language and accessible information don’t just help you comply with CCPA: They also create a seamless experience for consumers as they navigate your site looking for information. (If you ask us, everything on your website should be clear, straightforward and easily accessible.)
If you are in the business of selling personal information, you must provide “a clear and conspicuous link” on your homepage, titled “Do Not Sell My Personal Information.” Clicking this link must take consumers to a page where they can opt out of having their information sold—and you can’t force them to create an account to do so. Again, this is a basic tenet of user experience: Label things clearly, and reduce friction so people can accomplish what they’re trying to do.
Response to Consumer Requests: I Want My Info
If California consumers request information about their personal data from you (what you’ve collected, when and how you collected it, and with whom you’ve shared it), here are the rules:
Response to Consumer Requests: Delete My Info
California consumers also have the right to request that you delete their personal information. If you receive such a request, not only do you have to delete that data, you must also direct any service providers you use to delete it from their records, too. But there are exceptions! You don’t have to comply with deletion requests if:
Transparency with consumers means you need internal transparency, too. Make sure you’re able to answer these questions:
CCPA is not the same as GDPR, and not just because they apply to different territories.
When the European Union implemented its General Data Protection Regulation (GDPR) in May 2018, businesses and organizations had to make operational, technical and legal changes to ensure compliance. While GDPR and CCPA have the same intention—to increase transparency about data collection, and to strengthen consumers’ rights—their rules are different. So it’s not quite accurate to call CCPA “California’s GDPR,” but the good news is, if your business has already taken steps to achieve GDPR compliance, you’ve got a head start in preparing for CCPA.
The nonprofit Future of Privacy Forum and DataGuidance published this in-depth comparison of GDPR vs. CCPA (pdf warning).
You should take the time to read the full text of CCPA, also known as AB-375. Consult an attorney for any specific questions about how this law might apply to your business.
The Future of Privacy Forum provides resources, whitepapers, news and analysis about privacy legislation and emerging technology. The Electronic Frontier Foundation’s Privacy section covers privacy from a citizen’s perspective, focusing on everything from legislative developments to RFID to online tracking. TechCrunch has written extensively about CCPA and its impact on businesses.