Just when you thought you understood everything you needed to about GDPR and consumer privacy policy, the California Senate and Assembly unanimously approved the California Consumer Privacy Act of 2018 (CCPA). Here's what you need to know to update your business procedures and avoid heavy penalties, and possibly even a class action.
On June 27, 2018, the CCPA was passed and signed the same day by Governor Jerry Brown. Even if you're not located in California, businesses all over the nation and even the globe will feel the changes. Save your company money and headaches by familiarizing yourself with the entirety of the CCPA here. For now, here's the rundown of what you need to know and change regarding your business's data collection and privacy protection.
The CCPA, which has been categorized as the most "GDPR-like" privacy statute passed in the United States, will require businesses that process personal information to update their privacy policy, internal and external procedures, and employee training, or face the penalties. Organizations will need to take stock of their privacy and security practices and comply with this new law by January 1, 2020. Non-compliance could result in statutory damages between $100 and $750 per consumer, per incident.
Change #1: Consumer Rights
The revision of consumer rights now requires a business to provide consumers with the right to:
- Know and obtain a copy of the categories of their personal information that’s collected.
- See whether their data is sold or disclosed, and to whom;
- Opt out of the sale;
- Access and delete their personal information; and
- Equal service and price (non-discrimination) for individuals that exercise their privacy rights.
Your To-Do: Update privacy policy communication channels to notify consumers of their rights and how they can use them. Your business must create channels through which consumers can view what personal information has been collected about them, opt out of the sale of their data, and request its deletion.
Change #2: Definition of Personal Information
The CCPA aims to encompass all of the sensitive and personal information consumers would like to manage. Here are the additions that will now be categorized as personal information:
- IP addresses
- Geolocation data
- Biometric information
- Device and cookie IDs
- Internet activity information like browsing history, purchase history or tendencies
- Characteristics concerning an individual’s race, color, sex, age, religion, genetic information, sexual orientation, political affiliation, national origin, disability or citizenship status.
- Inferences that are drawn from personal information "to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."
Your To-Do: Revise your Privacy Policy with the updated consumer rights and personal information definition. Make sure your company has personal and sensitive information properly sorted and accessible to the consumer.
Change #3: Privacy Policy and Procedures
Companies must update their privacy policies with a description of a consumer's rights under the CCPA. Companies will also be required to inform consumers what data they are collecting and release any disclosures related to a company's sale of personal data. Additionally, a company must have a page on its website where consumers or an authorized representative can opt out of any sale of their data.
Your To-Do: Create a new procedure that briefs consumers of their rights and any proposed sale of their personal information, and provides them with access to exercise their right to deny any sale of their personal data. Create a webpage where consumers or an authorized representative can opt out of any personal data sale.
Change #4: Train Staff on CCPA
In addition to the procedural changes, there must be employee training that ensures all individuals responsible for handling consumer inquiries about privacy practices are informed of the CCPA's requirements and know how to direct consumers to exercise their rights.
Your To-Do: Train all staff involved in the acquisition and management of consumers’ personal information and educate them fully on the requirements of the CCPA, as well as your new company procedure.
Change #5: Contracts and Third-party Limitations
A data collection business must always provide consumers with explicit information about, and the opportunity to veto, any sale of their personal information. The consumer must be given the proper paperwork to deny the sale, and must complete and submit that paperwork for the denial to take effect. It's also important to note that personal data cannot be purchased and then resold without providing explicit notice to the consumer with an opportunity to opt out.
Your To-Do: Put a system in place to alert consumers of any proposed sale of their data, including information on the purchasing company.
Change #6: Consumer Waivers and Liability Limitations
Be warned, any provision that appears to target arbitration clauses and class action waivers will be void and unenforceable if they attempt to waive a consumer’s right under the act. The CCPA establishes that any provision of a contract of any kind that aims to waive or limit a consumer’s rights under the Act, including any right to a remedy or means of enforcement, will be contrary to public policy and thus void.
Your To-Do: Do not attempt to add any clauses that waive a consumer's rights under the CCPA.
Change #7: Statutory Damages
Every consumer has the right to individually seek actual and statutory damages. Furthermore, if it's ruled that a breach occurred as a result of a failure to maintain reasonable security procedures, the company will be subject to higher fines. The initiation of an individual or class action for statutory damages requires consumers to provide companies with 30 days' written notice of the specific provisions the consumer alleges were violated under the CCPA. The company then has 30 days from receiving the written notice to remedy the issues.
Your To-Do: Stay on top of any 30-day notice your company receives regarding an individual or class action suit. Remedy any violation within those 30 days.
Penalties for Violation of CCPA
With any breach of conduct or legal violation, there are consequences. The Act deems a business to be in violation if it fails to cure any alleged misconduct, violation, or wrongdoing within 30 days after being notified of the alleged noncompliance. Also, any business, service provider or other person that violates the CCPA is liable for a civil penalty. Furthermore, any violation found to be intentional may carry a civil penalty of up to $7,500 per violation.