Curious about the California Consumer Protection Act (CCPA) that went into effect on January 1, 2020? We were too, so we went through and compiled some of the biggest take-aways and need-to-knows about the CCPA for you. 

The first question you have is probably, “Do I need to care about the CCPA?”

If your business or digital marketing efforts extend to California residents and meets any of the following criteria, then you should probably read on:

• Does your business have an annual gross revenue in excess of $25 million;
• Do you buy or sell the personal information of 50,000 or more consumers or households; or
• Does your business earn more than half of its annual revenue from selling consumers’ personal information?

If you answered yes to any of those, then the next thing you need to know is …

Wait, what is CCPA?!

CCPA is the California Consumer Privacy Act, effective January 1, 2020, works to give consumers more choices and transparency around the collection, sale, and distribution of their data. It also gives consumers legal standing to hold companies liable for some data breaches resulting in stolen consumer data.

What should you do to make sure your business is compliant?

In order to be considered compliant with CCPA, you need to make sure your users have the following rights when conducting online business with you:

• Right to Access – Give your users access to their personal information that you collect about them in the past 12 months. 
• Right to be Notified – Notifying your users BEFORE or WHEN  information is collected regarding the type of information you collect on them and purpose of using that information. 
• Right to Request a Copy – Able to give your users a readable and portable copy of the personal information you’ve collected on them.
• Right to be Forgotten – Deleting user data at the request of your users.
• Right to Opt Out of the sale or distribution of their data – This requires you to give your users notice of sale and the ability to opt out of their personal data being sold to a third party without their permission to do so. This should be done with a clear and present “Do Not Sell My Personal Information” link on your homepage.
  Note: There are several exemptions and differences from the GDPR requirements here. If you’re going to dig deep into any part of CCPA this is the one. I recommend this blog which details this requirement better. This one may seem easy up front and if you find yourself saying, “we don’t sell or give my customers to third parties”, you might take a closer look at how you use third-party integrations like identity verification services or ad-tech information. To be honest, this is probably the most strict and confusing part of CCPA. If you’re nervous about your specific circumstances, schedule a call with your Culture Foundry account manager to talk more about if this rule applies to you.

What happens if you do nothing?

Immediately? Probably nothing since many different companies are looking to challenge this law, namely Facebook. Surprised? But honestly, you don’t want to be like Facebook because we believe you care more deeply for privacy rights for your users. 

It’s also important to note that if your business is caught up in a data breach, Californian residents under CCPA have legal standing to litigate for statutory damages if certain data was found to have been a part of the breach. You can read more detailed information on the data breach provision of CCPA here. This is all the more reason to make sure your website is securely hosted and well maintained. You can contact our DevOps department to ensure that this is the case with your current service level.

If you do get caught up in legal issues related to CCPA, the fine is pretty steep at $750 per person, per violation. If you have 10,000 users that’s $7.5 million dollars — OUCH!

Wait.. I did something similar to CCPA in 2018 for GDPR, am I covered? 

The answer is yes and no. While both laws aim to protect individual user’s data and give transparency to how their data is being used, they do differ in some key ways.

Let’s quickly explore how GDPR and CCPA differences break down:

• Who:
  • GDPR: Any business collecting or processing data of EU citizens or residents
  • CCPA: Any companies conducting business with California citizens that meet one or more of the above stated requirements
• Rights:
  • GDPR: Explicit user Opt-In’s to collection of data
  • CCPA: Opt-Out based with rights to be informed and able to object the sale of their personal data.
• When:
  • GDPR: Explicit Opt-In consent BEFORE collecting ANY data on users.
  • CCPA: Explicit Consent to sell data of users under 16 years of age, or notifying users over the age of 16 before the sale of data at any time, and allowing them to opt-out of that sale. 

Note that both GDPR and CCPA require you to properly manage your users’ data, and users have the right to receive any personal data of their that you have within 45 business days.

Why is CCPA a big deal even if your core business isn’t in California?

The implications of this law will inevitably stretch beyond the California border. It’s very likely that another state will also decide to take up a similar data protection law. This will force the federal government’s hand in implementing a nationwide regulation to avoid having too many conflicting and confusing rules for online businesses that cross state lines due to the borderless nature of the internet. 

It makes sense that future rules similar to the CCPA are coming. So if you’re not taking action now to make sure that you are protecting your customer’s data regardless of where they live, then you might find yourself way behind the curve and open to lawsuits. 

If all of this legalese has made you a little nervous, I’d recommend talking to your Account Manager to see what you can do to start better serving your users and protecting your business.

*Note; we aren’t lawyers over here, so none of this is intended to be used as legal advice or in place of proper legal advice.