What is the California Consumer Privacy Act and how will it affect your business? Part 3

In this series of blog posts, we’re taking a long and detailed look at the CCPA to explain what it really means for businesses. Part 1 talked about which businesses need to comply with it and the fines for not doing so. Part 2 then covered the rights it grants to Californian consumers, and what is considered as personal information that needs to be protected.

Now I want to turn the spotlight on the obligations expected from businesses.

What requirements does the CCPA impose on businesses?

If you do business with consumers in California and you’ve got revenues of over $25 million, or you have a database with more than 50,000 individuals on it, you’re required to change the relationship you have with those individuals.

You’re probably accustomed to sweeping up the data your business needs and using it as you wish. That was the case at Redgate prior to the introduction of the GDPR (we do business across the globe, so we’ve been on our own data protection journey for a while now). We have sales and marketing initiatives like most businesses where we target people with messages we think will be of interest to them. The more of the right kind of people we can target, the more successful those initiatives are. All of which means collecting the kind of information that is now regarded as personal by the CCPA.

This changes things. For business-to-consumer companies, it will be enforced from July 1 this year. Business-to-business companies get a bye until January 1, 2021. From those dates, you’ll need to change how you communicate with your customers in eight ways:

Update or create a privacy policy for your business, outlining how personal information is collected, used, disclosed and sold, and describing the rights consumers have over their own personal information.

Provide notice to consumers, at or before the point of collection, of the categories of personal information that will be collected and the purpose for which it will be used (and do not use the data beyond that purpose).

Allow consumers to opt-out of their data being sold by providing a clear link in the above notice and on your website home page titled ‘Do Not Sell My Personal Information’, which connects to a web page that enables consumers to opt-out. Businesses that don’t sell personal information, and state in their privacy policy that they don’t, aren’t required to follow this.

Disclose any financial incentives offered in exchange for the retention or sale of a consumer’s personal information, so that an informed decision can be made. This should include an estimate of the value of the data, how the value has been calculated, and why the subsequent price or service difference is permitted under the CCPA.

Make requests for information or the deletion of information clear and easy, with two or more methods including at a minimum a toll-free telephone number. Where businesses operate exclusively online, only an email address for submitting requests is required.

Disclose the required information within 45 days, with a 45-day extension when reasonably necessary, provided the consumer is informed. The kicker for me here is that when consumers do request to know what data is held about them, the information disclosed has to include all of the data gathered during the previous 12 months, so this is retrospective. The CCPA doesn’t just cover data going forward – it includes data businesses have collected prior to the legislation being enacted.

Have a reasonable verification process in place to confirm the identity of consumers who wish to request their data, or have it deleted.

Maintain records of consumer requests, and how the business responded to every request, for at least 24 months.

What are the take-aways?

Companies like Google and Facebook have a big challenge here, particularly in terms of disclosing financial incentives and all of the information collected about consumers over the last 12 months.

For many of us, it will be a slightly easier journey – we never sell customer information at Redgate, for example, and we don’t hold a lot of information about the people we communicate with beyond their name, job title and contact details.

But we still have a lot of ducks to line up in a row to guarantee we’re compliant with the CCPA. In part 2 of this series, my colleague Devin Conn pointed out that in many businesses, data is in lots of places and is used for a variety of purposes. He also talked about going on a ‘data diet’, which I think is a great phrase, and that’s the biggest take-away.

With obligations to tell consumers what information is being collected about them, and for what purpose – and a further requirement not to use their personal information beyond that purpose – we’re all going to have to be a lot smarter about the way data is managed:

  • We need to limit the data we collect, and categorize it using a common taxonomy
  • We need to manage it a lot more carefully so that it’s only used for the purpose it was originally collected
  • We need to have systems and processes in place that enable us to respond to information requests quickly and easily

Want to know more?

This is the third in a series of blog posts about the CCPA from me and my colleague, Devin Conn. If there’s an area of particular interest, you can discover more about it right now:

  • Part 1: The businesses the CCPA applies to and the penalties for non-compliance
  • Part 2: The rights the CCPA grants to California consumers, and what constitutes ‘personal information’
  • Part 4: The 3 areas businesses need to focus on to be compliant

For future reference, we’ve also combined them in a comprehensive CCPA whitepaper that you can download and share with colleagues.

For more information about how Redgate can help your business meet the obligations of the CCPA, visit the Redgate Solutions page online, or connect with me on LinkedIn.