Privacy is causing ripples for brands online. Early this year, the state of California saw the new consumer privacy act go into effect. It is expected to have more repercussions for global businesses than the General Data Protection Regulation (GDPR) that was passed last spring.
Formally known as the California Consumer Privacy Act (CCPA), this law takes a more expansive approach to personal information. It is also a lot stricter because failure to follow it not only results in hefty fines, but it also endangers your reputation and jeopardises consumer trust in your business.
The CCPA is more than just a state law. It is set to become an international standard for consumer-driven businesses for the foreseeable future. That’s why organizations need to understand its implications on the way they do business.
So we bring you this quick guide that details everything you need to know about California’s new privacy and data protection law and how your business can navigate these changes.
Threshold Application Of CCPA
Given how quickly the privacy law was passed, experts suspect several inconsistencies in drafting the policy. This can lead to ambiguity and confusion about its application and potential reach.
However, several new amendments were subsequently made to fix these issues, and many reviews are still pending.
But what you need to know is that the CCPA applies to for-profit organisations that meet the threshold requirements for its application; these include:
- Annual gross revenue of $25 million
- Annually purchase, sell, obtain, or share the personal information of 50,000 (or more) customers, families, or devices for commercial purposes
- Derive at least 50% of your annual revenue from the sale of your consumers’ personal information.
- Parent companies and related subsidiaries that share the same branding also need to comply even if they don’t exceed the thresholds
Who Is Affected And What Is Protected?
The CCPA grants consumers the ability to access all information that a business holds about them. Under the CCPA, the term “consumer” is broadly defined to include any California resident.
However, a recent amendment (better known as AB 25) is in progress. It will redefine “consumer” to exclude employee personal information where an individual’s personal information is collected and used only by the employer.
A consumer’s data is then broadly defined to include information that identifies, describes, relates to, or could reasonably be linked with a specific consumer, either directly or indirectly.
In this context, personal information includes, but is not limited to:
- Personally identifiable information such as a name, alias, postal address, e-mail address, account name, driver’s license number, Social Security number, passport number, IP address, online identifier, or any other personal identifier unique to the consumer
- Educational information
- Biometric information
- Characteristics of protected classifications under California or federal law
- Commercial information such as purchasing or consumption data, including records of property, products and/or services owned by the consumer
- Online or other digital network activity information, including (but not limited to) the consumer’s search and browsing history as well as information about the consumer’s interaction with websites, applications, and/or advertisements on the internet
- Visual, audio, electronic, thermal, or similar information
- Geo-location data
- Employment or professional-related information
- Inferences drawn from any collected information to create a consumer profile that reflects the consumer’s characteristics, preferences, or psychological predispositions.
Note that this list intentionally excludes any information that is lawfully made publicly available through federal, state, or local government records.
How Can Your Business Avoid Compliance Risks?
Review Your Data Privacy Practices
The first step to compliance is to have a comprehensive understanding of your current data practices.
For starters, the CCPA gives consumers greater control over their information. As a result, your business needs to comply with any requests to access consumer files and data collected from your audience base.
As you prepare to do this, take stock of your data: determine what personal, sensitive, or confidential information your business collects from consumers – and how it’s being used. Make it a point to define the purpose behind the collection and have clear-cut answers to where (and how) you plan to keep it safe.
According to new amendments, consumers are entitled to the following info:
- categories of personal information that a business collects
- external (and internal) sources from which a company collects personal information
- the purpose – either business or commercial – of obtaining and/or selling the consumer’s personal information
- categories of third-party sources with which a business shares the consumer’s personal information
- the deletion of a consumer’s personal information that a company collects, subject to certain exceptions
The requested info should be delivered in a portable format within 45 days – free of any charge.
Review Your Privacy Policies
The CCPA also mandates that the new disclosure requirements must be included in an organisation’s privacy policy.
For example, a business must disclose the type of personal information it collects at or before the time of collection, as well as the purpose for which it is taken. You must also explicitly state whether the data you collect is being sold or disclosed, including the categories of sources it is sold or disclosed to.
As defined by the statute, a consumer has the right to opt-out of the sale of their personal information. This means that you need to include a clear, visible link titled “Do Not Sell My Personal Information” on your store homepage, which allows consumers to easily opt-out of the sale of their personal information.
Once they’ve revoked permission, wait at least 12 months before asking them again to opt back in.
Review Third-Party Sources
Businesses should have a detailed list of vendors and third-party sources that receive personal information from you. Once you identify them, consider making additions where appropriate to your contract, including terms that define the use and disclosure of personal information.
Clarify whether you’re selling personal information to vendors. Aim to be as transparent as you can about the data security practices of your vendors. Even if you don’t operate in the USA but your vendors do, you will still be liable for compliance.
Identify And Implement Changes In Your System
To effectively implement the aforementioned processes, businesses will have to update the corresponding systems and ensure compliance.
Make sure the IT team understands the nature of alterations that need to be made. Management should also get started on writing new procedures that can guide the IT team on how and where to make changes in your systems.
Conduct Employee Training On New Systems
The updates must also be understood and implemented across other departments.
So, begin training your workforce on how to correspond with consumers accordingly. Make sure they know the following salient points:
- The physical location of both the company and its staff does not determine CCPA coverage
- The law only applies to consumers who are residents of California
- When, how, and where to process and direct consumers’ requests to access their personal information
- Whether your business plans to apply this act across your entire store or only to Californian consumers
Strengthen Your Data Security
Under the CCPA, consumers can seek damages for breach of personal information resulting from poor policy implementation or unintentional violation of security practices.
Not surprisingly, this gives consumers the power to tarnish your reputation.
This makes it all the more important to review and update your information security and proactively monitor how your defenses can mitigate the risk of breaches – to the greatest possible extent.
In Conclusion
Unsurprisingly, B2C companies are far ahead of the industry average in maintaining and safeguarding their consumers’ privacy.
Business leaders across the globe would be wise to anticipate that data privacy regulations, including the CCPA, will continue to evolve over the coming years. Compliance is not only essential for your business, but it is vital to securing and retaining your consumers’ trust.
Given that change will be an ongoing process in this area, we find it best to build a flexible privacy program that is capable of adapting to constant reform.
As your ecommerce growth partners, we believe that open communication and transparency are pivotal to helping consumers build trust in your business.
Partnering with us means getting the expertise and experience that matters. Right now,…we’ll be seeing more changes, more frequently. Keep up with us to be sure you don’t lose. For example, in the next 12 to 18 months, there’s a huge change taking place, you heard it first here!
Pixel tracking and cookies will be moving away from browsers. Facebook’s Pixel will be going. Yes, disappearing, and in its place we’ll use the Conversion API, altogether changing the way we’ve tracked data from our site visitors.
We like to stay ahead of the game. Our strategies are backed by real-world experiences essential for thriving in a cut-throat, fast-changing business environment – and we can show you the ropes.
If the maintenance and upkeep of consumer data is a struggle for you, contact us today to learn how we can optimise your performance in this area!