The California Consumer Privacy Act (CCPA) may have become law on January 1st, but it isn't until July 1st that it will be enforced. Like most laws, it is long and complicated, and sure to scare some marketers on the first read. Let's leave that to the lawyers, however, and focus on what this law means and how you can best prepare for it.
What is CCPA?
CCPA was passed by the California state government in 2018 and became active on January 1st of this year. At a top-level, the law is designed to protect consumer personal information and control certain levels of transparency around how the data, particularly to residents of California, is being used. In a certain way, CCPA is very similar in its intent to GDPR, a law put into place in the European Union in 2018.
Is Your Business Required to Comply?
To remove all doubt, you should know that if you market to California residents, you should put some care into reading the law, understanding the potential impacts, and preparing your operations to accommodate the requirements.
Luckily, there is a standard applied to businesses to determine who is and isn't required to comply. If your brand does more than $25 million in annual revenue with California residents, collects data on 50,000 or more people, households or devices within the confines of the state or earns more than 50% of your revenue via the sale of data, then you must adhere to the guidelines.
The law is designed to protect internet users, and it does that by focusing on a few key areas:
- Consumers have a right to know what personal information is being collected, whether by your business or service providers. They also must understand why it's being collected, and have the right to request all contents of their personal information that you may have stored.
- Consumers have a right to request that you destroy all personal information. There are exceptions to the rule that consumers should be aware of, but they mostly apply to those who are already customers of the business and not marketing-generated leads.
- Consumers have the right to opt-out of the sale or trade of their data.
Furthermore, it's detailed that users can request this data and must not suffer alternative or detrimental treatment. For a full list of consumer protections, we recommend looking at this guide, which spells it out nicely.
What This Means for Website Owners and Marketers
If the above requirements describe your company, then it's time you learn what you need to be doing to comply. You can begin by understanding the particulars of the law, and then understanding your technical stack and how it collects and uses data. This should apply not only to yourself but to your entire marketing team, as well.
Specifically, you should also focus on these particular areas:
- Know who and what systems are gathering, storing, and using user data. This means in-house and vendors.
- Know who will create the notices required for publishing on your website and prepare to deploy this warning feature to your website immediately.
- Put a system in place for responding to potential user requests. This would mean not only removing personal data from your systems but vendors as well.
- Look into more specific rules outlined in the law, such as how to value personal information, as that must be published and made public.
- In complying with laws, you need to do it in a way that works within your company structure and workflows adhere to all internal policies and allows you to continue your mission for marketing your business.
While there are too many particular items you need to address to put into a single blog post, this website does a pretty good job of listing them out as a checklist. We recommend you take a look and complete the survey.
What If You Haven't Prepared?
Well, it is the 11th hour, but better late than never. First, look over the above criteria and see if you apply. If you do, then fire your lawyer, because they should've warned you by now! Then, focus on these critical areas of concern in the short term:
- Map Consumer Data: What data do you collect? How do you do it? Where is it stored? Whom is it shared with? All of this information you need to have handy and ready to go in case you are looked at in the future by authorities.
- Amend Privacy Disclosures: You must disclose at or before data collection what information you are collecting, where you obtain it, whom you share it with, and why.
- Allow Opt-Out: Create a link that allows users to privatize their visit, which takes them to a landing page to opt-out of having their information gathered or stored.
- Plan for User Requests: Come up with internal workflows and processes to handle users who opt-out. The law provides for specific timeframes by which you must respond accordingly.
- Train Your Team: You will need to train all employees on what the law means, why you are within the criterion to take it seriously, and how you will handle any inquiries you may receive about the handling of personal data.
Finally, for those who are in charge of the technical aspect of managing a website, here are some common requests you may see from your marketing team or legal counsel. And for marketers, where is what you need to ask for:
- A link in the footer with the terminology "Do not sell my information." The law literally calls for this to be sent to a link which allows opt-out. It must be "clear and conspicuous" to the user.
- A designated method for submitting requests.
- Additional requirements for Minors' personal information.
By now, if you look, you'll see that most major corporations have instituted these measures. While they are relatively simple to enable yourself, you can also look into third-party tools that manage this process. One such service we recommend and work with is OneTrust, who coincidentally display their product in use on their site quite well.
The online world has been ripe for oversight for many years now. California, being the most significant state economy in the union, was right to address this, especially knowing that almost every company in the country would be forced to follow suit, and that almost every corporation does business there. I expect more states to follow, if not the federal government as well, soon. In the meantime, we recommend all clients consider enabling these features, not because they meet the necessary criteria but because users will now come to expect this functionality, and as such, it makes sense to have it in place for optics plus because it's the right thing to do.