Another new year approaches and, with it, another major data privacy regulation takes effect. This time it’s the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020.
Don’t be fooled into thinking that only California companies need to pay attention. Even if you’ve already tightened your data collection and privacy practices in response to GDPR and to anti-spam laws such as CAN-SPAM and CASL, CCPA is something that every B2B marketer needs to understand and prepare for.
There are plenty of articles on the Web describing the new law in more detail than I intend to here. (This article from IRMI is a good one.) In brief, however, the CCPA requires businesses to inform consumers resident in California, at or before the point of data collection, of the categories of personal information being collected and the purposes for which that information will be used. It also grants those same consumers the right to request that a business:
* disclose any personal information collected, sold or shared for a business purpose
* delete the personal information that a business has collected about a consumer
* provide the option to opt out of the sale of a consumer’s personal information
CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenues in excess of $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more California consumers, households or devices per year; or deriving 50 percent or more of annual revenue from selling consumers’ personal information. Critically, if a consumer requests his or her personal information from such a business, the business must be able to provide the data collected over the preceding 12 months.
In practice, this means that a California consumer must 1) be told that data is being collected, 2) be told how the data will be used, and 3) have the opportunity to opt out of the business selling that data. It also means that these same consumers have a right to deletion, similar to the “right to be forgotten” under GDPR.
If you meet the criteria as a business subject to CCPA, how should you prepare? First, if your company is already GDPR-compliant, you’re most of the way there, with one caveat: CCPA’s opt-out of sale (including the “Do Not Sell My Personal Information” link it requires on your website) has no direct GDPR equivalent and needs its own handling. Otherwise, here are some key steps:
* Review what data your company is collecting (not just contact information but also purchase history, cookies, click history, geo data, etc.)
* Determine if unnecessary consumer data is being stored, and if so, delete it
* CRITICAL: Develop a process for verifying and responding to consumer requests for access to, or deletion of, personal information (note: under CCPA, a business must respond within 45 days, extendable once by a further 45 days with notice to the consumer; it must verify the requester’s identity before disclosing or deleting anything; disclosure must cover the 12 months preceding the request; and deletion covers the personal information collected from that consumer, subject to the law’s exceptions)
* Review contracts with third-party data providers, service providers (CCPA’s term for data processors) and other partners so that they include the restrictions on use and disclosure of personal information that CCPA requires
* Review internal processes and documentation for data breach procedures; CCPA gives consumers a private right of action when their personal information is breached because a business failed to maintain reasonable security
* Develop a process for notifying the contacts in your database when your data collection practices or privacy notice change
At our agency, we’re telling B2B clients to regard regulations like CCPA as the rule, not the exception. Even if you’re not technically subject to the law today, these kinds of data privacy and collection practices are quickly becoming standard. Besides, you will likely be subject to this or a similar law eventually, quite possibly in the form of a federal regulation modeled on CCPA.
Important disclaimer: none of the information above is to be construed as legal advice, nor are the recommended steps guaranteed to ensure CCPA compliance. Marketers should consult with legal counsel on the risk/liability from, or compliance with, any data privacy regulation.
A big thank you to Anne Angele, Spear’s resident compliance guru, for her help with this article.