Effective January 1, 2020, companies that serve California residents and businesses need to comply with new regulations regarding consumer privacy. The California Consumer Privacy Act (CCPA), like the European Union’s General Data Protection Regulation (GDPR) that went into effect this past spring, is designed to protect consumer data. Signed into law in June 2018, CCPA is currently the most comprehensive privacy law in the U.S.
What is the CCPA?
The act allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that their data is shared with. In addition, the law allows consumers to sue companies if the privacy guidelines are violated, even if there is no data breach.
Does the CCPA affect you?
If your company has employees, customers or consumers who reside in California (now or in the future), ask yourself these questions:
- Are you a for-profit company doing business in California? (Non-profit organizations are exempt.)
- Do you or your business contacts meet at least one of the following criteria?
  - Your gross revenue exceeds $25 million
  - You receive and/or share personal information for at least 50,000 California residents annually
  - At least 50 percent of your annual income is derived from the sale of personal information.
It’s important to note that companies don’t have to be based in California or have a physical presence there to fall under the law.
Compliance checklist
If you meet at least one of the above criteria, you need to take steps to meet the legislation’s requirements (and quickly). Some of the guidelines require you to:
- Update your privacy policy and terms of use
- Review areas of compliance, then review and update them every 12 months
- Train affected employees on protocols and privacy laws
- Ensure marketing information is in compliance with CCPA laws
- Include specific opt-out information on your website or create a unique homepage for California consumers
- Establish a toll-free number for the handling of CCPA-related requests
- Satisfy consumer requests via electronic communications that do not request them to establish an account
- Document all collected personal information for the last 12 months
- Create procedures for responding to consumer requests
- Create a database of business contacts from whom you receive and/or buy consumer information as well as to whom you send consumer information.
B2B extension
An amendment to the act gives B2B companies a one-year reprieve to comply with some aspects of the CCPA. You must provide an opt-out option and cannot discriminate against users who use it, but you do have an extension to meet compliance obligations with customers. Marketing efforts are not specifically exempted and should follow the rules currently in place.
What happens if my company is not in compliance with the CCPA?
Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn’t resolved, the government can levy a fine of up to $7,500 per record. The bill provides for an individual’s right to sue in addition to an allowance for class-action lawsuits for damages.
What to do now
If you meet any of the criteria of CCPA, you will have to be able to demonstrate legal compliance with CCPA and/or other consumer privacy laws at some point this year. If you haven’t already done so, assemble a team to determine how CCPA will affect your organization. CCPA is all about the data: where it is, where it came from, what it is, how you are storing it, why you are collecting it, and what you are doing with it. To learn more about trends impacting B2B marketers, contact Trade Press Services today.