What Is the CCPA (and are you prepared)?
The 2020 new year brought with it the most comprehensive consumer privacy legislation ever passed in the United States.
On January 1, the California Consumer Privacy Act (CCPA) went into effect, giving California residents significantly more control over how companies collect and use their personal data. Meanwhile, businesses are now required to be far more transparent about how they’re collecting, sharing, and using consumer data and information — and are prohibited from selling customer data without their consent. If they fail to do so, they could be subject to crippling penalties.
Whether you’re a California resident or a company that does business with California consumers, this new law likely applies to you. Despite this legislation being passed in 2018, a poll conducted in August of 2019 found that 56% of businesses felt they would not be fully prepared for these new rules and regulations. So, we wanted to write this blog to give you the information and resources you need to be compliant with the CCPA, avoid substantial fines, and execute more successful inbound and outbound marketing campaigns.
Just as the CCPA is following in the footsteps of Europe’s recent GDPR legislation, many other American states will likely follow California’s lead and implement new laws of their own. So, even if your business is not currently impacted by this new legislation, it’s important that your company adapts to the evolving landscape early on.
Please keep reading to learn more about the CCPA, how it affects both consumers and businesses operating in California and with California residents, and what you can do to ensure marketing compliance.
Does the CCPA Apply to Me?
If you do business in California, there’s a good chance the CCPA applies to you. The CCPA applies to any business with consumers in California, any business that collects personal information from California residents, and any business that does one or more of the following:
- Achieves an annual gross revenue in excess of $25 million
- Buys, sells, or shares the personal information of more than 50,000 California residents, households, or devices
- Generates 50% or more of its income from selling consumers’ personal information
Please note that, according to the CCPA, a business is any “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.” Therefore, nonprofits and government agencies are currently exempt from CCPA provisions. But, regardless of your company’s size or structure, you’re required to comply with the CCPA if you meet the qualifications above.
If you have additional questions about whether the CCPA applies to you or your business, please follow this link to get in touch with Act-On’s Professional Services team.
What Are the Key Elements of the CCPA?
The CCPA aims to protect how our data is collected and prevent it from being shared with or sold to third parties. To do so, companies will now be required to:
- Provide more stringent and prominent privacy policies on digital properties and emails
- Include a link on the homepage of their website for consumers to opt out of having their personal data sold
However, the CCPA is far more detailed than the two bullets above. Let’s explore some of the specifics as they relate to individuals and businesses.
CCPA for Individuals
- Right to Request Deletion
Consumers have the “right to deletion,” and businesses are required to direct any service provider to delete the individual’s personal information upon request.
Act-On helps by providing an “Erase Contact” tool built into our platform for users to permanently delete contacts from all of their records.
- Right to Access
California residents have the right to access any personal data collected within the last 12 months. Businesses are required to respond to requests within 45 days.
Act-On helps by providing an easy way to download a contact’s timeline related to all actions and messages received.
- Right to Stop Processing
Companies must provide a link on their website homepage for individuals to opt out of all communications.
Act-On helps by enabling standard opt-out procedures to stop all communications.
- Right to Stop Third-Party Transfer
Businesses must have a link on their home page titled “Do Not Sell My Personal Information” allowing individuals to opt out of businesses selling their personal information.
CCPA for Businesses
- Website Policy
Businesses are required to include language on their website and/or mobile application that explicitly states the following (either/or):
- “Do not sell my personal information”
- “Do not sell my info”
- Record-Keeping Training
Businesses are required to train all employees on logging all requests related to the CCPA for the past 24 months.
Businesses are required to verify that the individual requesting an action is who they say they are.
There are a few caveats to when and why a company is within its rights to maintain its consumers’ personal information. Businesses are allowed to keep their customers’ personal data if the information is necessary:
- To fix errors
- For the company to exercise its free speech or protect other consumers’ right to free speech
- For the public interest
- To comply with laws and policies
What Are the Penalties for CCPA Non-Compliance?
In order to properly enforce this new legislation, the penalties for non-compliance with the CCPA are severe. All violators are subject to significant fines, loss of reputation, and potentially fewer customers and revenue.
There are three separate ways in which these penalties will be enforced.
- Private Enforcement: If a business knowingly and willfully sells a consumer’s data without their consent, the consumer can file a lawsuit for damages between $1,000 and $3,000. Bear in mind, these suits are for privacy losses, so there’s no requirement to show loss of property or money to be compensated.
- Government Enforcement: If a business does not comply with CCPA guidelines within 30 days, the State’s Attorney General’s Office is expected to file suit. If another 30 days of non-compliance pass following this initial notification, the business is subject to a $7,500 fine for each infraction.
- Consumer Enforcement: Consumers who are the victims of a security breach are eligible to receive between $100 and $750 per incident — and potentially more if a court deems additional relief is appropriate. Depending on the scope of the potential breach, businesses could easily be fined millions of dollars.
Maintain CCPA Compliance With Act-On
At Act-On, we’re dedicated to helping all of our customers maintain compliance with all data privacy laws and legislation. While we are not in a position to legally advise you regarding your CCPA obligations, we are willing to provide insight into how to adapt your approach to the CCPA using our platform and services. Still, CCPA compliance is a shared responsibility, so you should understand the obligations your business faces.
Our customers leverage the Act-On platform to meet their CCPA requirements through:
- Capturing consent for web tracking
- Capturing consent through double opt-ins for outbound communications
- Managing withdrawals and opt-outs through CRM integration
Additionally, our contact report functionality allows all of our users to print a PDF that contains all activity information for every contact on their list.
If you’re interested in learning more about the CCPA, please contact one of our knowledgeable marketing automation experts to schedule a demo of how our platform helps marketers remain compliant and deliver successful marketing campaigns.