Welcome to summer! Remember when summer meant vacations with the family, sunny days lounging by the pool or even just sleeping in? Yeah, we remember that too. However, in today’s fast-moving world of digital marketing, summer also means planning time. Each year it seems like we are challenged to meet a new standard online that requires some advanced planning for next year. Whether it’s ADA accessibility planning for your website, GDPR privacy updates or some change Google has forced on us (remember scrambling to get your site responsive?), it seems like there’s always something. In today’s plain-talk article, we’ll take some of the complexity out of the next dragon you may need to slay – The California Consumer Privacy Act – and what it means for your website.
What is CCPA?
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and goes “live” on January 1, 2020. Its purpose is to enhance the privacy rights and existing consumer protections afforded to California residents. Much like GDPR in the EU, CCPA was spawned by the wave of privacy fears stemming from 2016 election tampering, the Facebook/Cambridge Analytica scandal and a host of other digital scares that made people hyper-aware of the personal risks of doing, well, anything on the web.
While the CCPA is not quite as strict as GDPR, it does make a significant leap in privacy and consumer protection requirements for companies with digital customers in California. The main intentions of the CCPA are to give California residents the right to:
1. Know what data is being collected about them.
2. Know whether their personal data is sold or disclosed and to whom.
3. Say “no” to the sale of their personal data.
4. Have access to their personal data.
5. Get equal service and pricing, even if they exercise their privacy rights. (Companies can’t penalize people who refuse to share data with worse service or higher prices. The one carve-out: CCPA does allow a financial incentive or a price/service difference that is reasonably related to the value of the consumer’s data, as long as the consumer opts in to it and can opt out at any time.)
Do I care about CCPA?
If you are a global company that has already done the work to comply with the EU’s GDPR, you are most of the way there, but not all the way. GDPR is stricter in most respects, so a GDPR program covers the bulk of CCPA. CCPA does, however, have a few requirements of its own that GDPR work won’t have produced: the “Do Not Sell My Personal Information” link on your homepage, its very broad definition of a “sale” of personal information, and the 12-month lookback on access requests. Do a gap check rather than assuming you’re covered.
If you are a California company that has not implemented GDPR, definitely. You should definitely care about CCPA. When CCPA goes live, penalties will be potentially steep. These come in two flavors. First, consumers get a private right of action for data breaches: if nonencrypted or nonredacted personal information is exposed because a business failed to maintain reasonable security, affected consumers can sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater), and class actions are expressly allowed. Second, the state Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. That can quickly add up to hundreds of thousands of dollars or more. And that doesn’t count the cost to your reputation if your breach is publicized (hint, it will be). We think that’s worth caring about. Shockingly, with CCPA kicking in on January 1, 2020, very few California companies have made the move to become CCPA compliant. The Attorney General can’t bring enforcement actions until July 1, 2020 (or six months after the final regulations are published, whichever comes first), which gives companies a short runway to adjust, but CCPA is coming.
But you may say “I’m not a California or international company that does business in the EU. Why should I care about CCPA?” The truth is, maybe you shouldn’t. CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds: more than $25 million in annual gross revenue; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or earning 50% or more of annual revenue from selling personal information. (Note that the 50,000 threshold counts devices, so a modestly busy website with analytics or ad tracking can cross it faster than you’d think.) If you’re a dry cleaner in Omaha, good news, CCPA probably doesn’t affect you. BUT, if you are a company that is online, sells goods or services to people in California and meets one of those thresholds, you should strongly consider biting the bullet and getting CCPA compliant. Many observers also expect CCPA to become the template for a federal privacy law in the US, so maybe you should care no matter what.
What do you need to do for CCPA?
On the surface CCPA requirements all seem pretty straightforward, but they do have the potential to impact how you do business online and how your website and data management are structured to meet these requirements. So, let’s break it down in plain talk. On your own or with your digital agency partner, we recommend the following steps:
1. Tell your team
If your business is required to follow CCPA, changes are coming. One easily avoided mistake is failing to communicate the coming changes to the stakeholders across the company who will have to live with them, such as:
• The poor IT people who are often left out during planning but will be essential for implementation
• Customer service and call centers who may need to be armed with FAQ responses about data privacy
• Marketing, who may need to be aware of changes in how data can be used. (For example, once a consumer opts out of the sale of their personal information, CCPA requires you to wait at least 12 months before asking them to opt back in.)
• Of course, don’t forget Legal
2. Take inventory
Before you can do anything about updating your web and data management to CCPA, you really need to know what you’re managing, so take an inventory. Find out:
• What personal information do you collect or possess?
• How do you get it?
• Where and how do you store it? Is it encrypted? Is it with a third party (hosting provider, CRM, email platform, analytics vendor)?
• Who do you share data with?
• Are you selling data?
• Are you making consumer offers as part of data sharing (access to services or goods, discounts, etc.)?
Document all of this information as a foundation for moving forward.
3. Create a data privacy link
CCPA requires a clear and conspicuous “Do Not Sell My Personal Information” link on your website’s homepage that lets a consumer opt out of the sale of their personal information, with the same link repeated in your privacy policy. Your privacy policy also needs to describe consumers’ CCPA rights, the categories of personal information you collect, sell and disclose, and how to submit a request, and it must be updated at least once every 12 months.
4. Create a process to handle consumer requests
One of the groundbreaking things about CCPA is that it puts an unprecedented amount of power into the hands of consumers, mostly in their ability to request information about their data and to direct how you are allowed to handle it. This means having a process in place by January 1 is essential. Your process should cover how consumers can:
• Request a copy of their personal information
• Request that their personal information be deleted
• Find out what categories of their personal information (if any) are being sold
• Opt out of the sale of personal information (for consumers 16 years old and older)
• Opt in to the sale of personal information (for consumers 13 to 15 years old, whose data may not be sold without their affirmative authorization)
• Obtain consent from a parent or guardian before personal information from a consumer under 13 years old can be sold
Every one of these requests must, by law, be answered within 45 days of receipt; the window can be extended once by up to another 45 days when reasonably necessary, but only if you notify the consumer of the extension. Access requests must cover the 12 months preceding the request, so your inventory needs to be able to look backward, not just forward. Because of the time requirement, your handling process should include issuing a confirmation number and tracking each request to closure. It should also include verifying that the person making the request really is the consumer (or the consumer’s authorized agent) before you hand over or delete anything: a “right to access” process that accepts any email address at face value is a ready-made way for an attacker to pull a victim’s full data profile or wipe their account. One of the things we saw with increased requirements for ADA compliance was a corresponding increase in lawsuits (nuisance and otherwise), so documentation, tracking and compliance with these requests is your best defense.
5. Get secure
Another noteworthy aspect of CCPA is the liability it creates for personal data breaches. The private right of action applies when nonencrypted or nonredacted personal information is exposed because a business failed to implement and maintain reasonable security, and the statutory damages are per consumer, per incident, so breaches involving California residents could be costly. That makes two things worth doing now: encrypt personal data at rest and in transit (an encrypted data set that leaks falls outside the statutory damages trigger), and collect and keep only the personal information you actually need, since you can’t lose what you never stored. It may be time to update where and how your data is stored and secured. This is another great reason to engage IT early, as network and data security is likely their responsibility.
The time to get started is now!
The cost and time needed to flip the switch on these requirements will vary based on how much data you collect, who you share it with, how it’s used, your IT architecture and the number of customer touch points you may have. Some businesses are extremely complex and will require more time and treasure to be ready for CCPA. To illustrate the point, a recent study from Dimensional Research says that 71% of companies surveyed expect to pay “six figures” to become CCPA compliant, with 20% expecting to pay more than a million bucks.
For businesses at that level of complexity, money is a concern but so is time. Even with enforcement by the Attorney General not starting until July 1, 2020, significant changes to processes, marketing plans, customer service management and IT are not likely to be implemented overnight. Furthermore, the law itself takes effect on January 1, 2020, and the 12-month lookback means the data you collect in 2019 is already in scope. So, if you haven’t yet begun, it’s time to get busy.
Need help getting ready for CCPA?
Now that you’re armed with a step-by-step approach to CCPA compliance, you may decide you could use a hand or you still have some questions. Just drop us a note or give us a call at 502-499-4209, and our digital team will be happy to help you out.