In this series of blog posts, we’re taking a long and detailed look at the CCPA to explain what it really means for businesses. Part 1 talked about which businesses need to comply with it and the fines for not doing so. Part 2 then covered the rights it grants to Californian consumers, and what is considered as personal information that needs to be protected.
Now I want to turn the spotlight on the obligations expected from businesses.
What requirements does the CCPA impose on businesses?
If you do business with consumers in California and you’ve got revenues of over $25 million, or you have a database with more than 50,000 individuals on it, you’re required to change the relationship you have with those individuals.
You’re probably accustomed to sweeping up the data your business needs and using it as you wish. That was the case at Redgate prior to the introduction of the GDPR (we do business across the globe, so we’ve been on our own data protection journey for a while now). We have sales and marketing initiatives like most businesses where we target people with messages we think will be of interest to them. The more of the right kind of people we can target, the more successful those initiatives are. All of which means collecting the kind of information that is now regarded as personal by the CCPA.
This changes things. For business-to-consumer companies, it will be enforced from July 1 this year. Business-to-business companies get a bye until January 1, 2021. From those dates, you’ll need to change how you communicate with your customers in eight ways:
- Provide notice to consumers, at or before the point of collection, of the categories of personal information that will be collected and the purpose for which it will be used (and not use the data beyond that purpose).
- Disclose any financial incentives offered in exchange for the retention or sale of a consumer’s personal information, so that an informed decision can be made. This should include an estimate of the value of the data, how that value has been calculated, and why the resulting difference in price or service is permitted under the CCPA.
- Make requests for information, or for the deletion of information, clear and easy to submit, with two or more methods including, at a minimum, a toll-free telephone number. Where a business operates exclusively online, only an email address for submitting requests is required.
- Disclose the required information within 45 days, with a 45-day extension when reasonably necessary, provided the consumer is informed. The kicker for me here is that when consumers request to know what data is held about them, the information disclosed has to include all of the data gathered during the previous 12 months, so this is retrospective. The CCPA doesn’t just cover data going forward – it includes data businesses collected prior to the legislation being enacted.
- Have a reasonable verification process in place to confirm the identity of consumers who request their data or ask for it to be deleted.
- Maintain records of consumer requests, and of how the business responded to every request, for at least 24 months.
What are the take-aways?
Companies like Google and Facebook have a big challenge here, particularly in terms of disclosing financial incentives and all of the information collected about consumers over the last 12 months.
For many of us, it will be a slightly easier journey – we never sell customer information at Redgate, for example, and we don’t hold a lot of information about the people we communicate with beyond their name, job title and contact details.
But we still have a lot of ducks to get in a row to guarantee we’re compliant with the CCPA. In part 2 of this series, my colleague Devin Conn pointed out that in many businesses, data is in lots of places and is used for a variety of purposes. He also talked about going on a ‘data diet’, which I think is a great phrase, and that’s the biggest take-away.
With obligations to tell consumers what information is being collected about them, and for what purpose – and a further requirement not to use their personal information beyond that purpose – we’re all going to have to be a lot smarter about the way data is managed:
- We need to limit the data we collect, and categorize it using a common taxonomy
- We need to manage it a lot more carefully so that it’s only used for the purpose it was originally collected
- We need to have systems and processes in place that enable us to respond to information requests quickly and easily
Want to know more?
- Part 1: The businesses the CCPA applies to and the penalties for non-compliance
- Part 2: The rights the CCPA grants to California consumers, and what constitutes ‘personal information’
- Part 4: The 3 areas businesses need to focus on to be compliant
For future reference, we’ve also combined them in a comprehensive CCPA whitepaper that you can download and share with colleagues.