The California Consumer Privacy Act (CCPA) is landmark data privacy legislation that takes effect on January 1, 2020. It gives California residents expanded rights over their personal data collected by businesses. These include the right to know what data is collected and how it is used, the right to say no to the sale of personal data, and the right to access and delete personal data. The CCPA applies to for-profit businesses that collect personal data of California residents and meet certain revenue or data thresholds. Non-compliance can result in fines of up to $7,500 per violation. Companies need to audit their data practices, get proper consent, and update privacy policies to comply with the CCPA.
California Consumer Privacy Act: What your brand needs to know
1. AB-375: California Consumer Privacy Act (CCPA)
This document is for informational purposes only and not for the purpose of providing legal advice. Please contact your legal counsel to obtain advice with respect to the CCPA.
2. What is the California Consumer Privacy Act?
• Landmark policy constituting the most stringent data protection in the United States, passed on June 28, 2018
• Governs the way businesses collect, process and secure California residents’ personal data
• Takes effect 1/1/2020
3. What is the expected impact?
As of 2017, California is the 5th largest economy in the world
• CCPA is going to have a wide-sweeping impact on all data collection – both online and offline – and sets a precedent in the US
• Paves the way for other states to adopt similar frameworks in the future
• Companies must decide whether to
– reform their global data protection and data rights infrastructures,
– institute a patchwork data regime in which Californians are treated one way and everyone else another,
– completely ignore Californians
4. Key principles of the CCPA
Affects for-profit businesses that collect, use or sell data, and fall into any of these categories:
• Generates $25 million or more in annual revenue
• Holds the personal data of 50,000 or more people, households, or devices
• Generates half or more of its revenue in the sale of personal data
The law protects California residents and provides them with the right to:
• Know what personal information is being collected about them and how it’s used at or before the point of collection
• Know if their personal information is sold or disclosed, and to whom
• Say no to the sale of their personal information
– Sale of children's data (anyone younger than 16) will require express opt in, either by the child, if between ages 13 and 16, or by the parent or guardian
5. Key principles of the CCPA
The law protects California residents and provides them with the right to:
• Equal service and price, even if they exercise their privacy rights
– Businesses can’t deny goods or services, charge consumers who opt out a different price, or provide a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data
– Businesses can offer financial incentives for the collection, sale or deletion of personal information; doing so requires consumer opt-in
• Access their personal information in a “readily useable format” that enables its transfer to third parties without hindrance
• The deletion of their personal information, including from any third-party service providers used by the business
The bill exempts businesses from these measures where they would limit the ability to comply with federal, state, or local laws or to complete a requested business transaction, where they would infringe on the rights of another individual, etc.
6. What is considered “personal information?”
• Any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
• Examples include:
– Name
– Email address
– Location data
– Biometric data
– Device ID
– Cookie ID & data
– Consistently hashed ID
– IP address
Deidentified (and cannot be re-identified) and aggregate data are not considered personal information
7. CCPA: What’s at risk?
Consumers can pursue private action should companies fail to maintain reasonable security practices, resulting in data breaches
• The bill will be enforced by the state’s attorney general
• Failure to address violations within 30 days could lead to a $7,500 fine per violation (which can be on a per-record basis)
8. What does this mean for your brand?
• Opt-in for CRM and data collection must be specific and requires EXPLICIT consent
• Personal information collected is limited to the specific use indicated
• Data must be accessible, accurate, and available at the customer’s request
• Enterprise-wide opt-in statements may not be compliant – unbranded vs branded
• Financial incentives can be offered to CA residents as part of the CRM value prop
9. ACTION STEPS: Being CCPA compliant
Conduct an information audit
– How is data collected and where is it stored?
– How is it accessed, by whom, and for what purposes?
– What security protocols are in place to protect data?
Educate key stakeholders in your organization
– What are the risks and impact this poses to your business?
– How does this affect them and what do they need to do differently?
Review and revise privacy policies to ensure compliance with CCPA regulations
10. ACTION STEPS: Being CCPA compliant
Review organizational policies and procedures
– Fulfilling personally identifiable information requests of customers
– Right to deletion
Contact technology and media partners
– What are they doing to ensure CCPA compliance?
– Do any of your processes need to change to reflect their updates?
Editor's Notes
Much of the political impetus behind the law’s passage came from some major privacy scandals that have come to light
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
Say no to the sale of their personal information
Businesses will have to put a "Do Not Sell My Personal Information" button on their homepage and corresponding page explaining their rights
This can reside on a separate homepage intended for CA residents
Sale of children's data (anyone younger than 16) will require express opt in, either by the child, if between ages 13 and 16, or by the parent if younger than that
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
Business purposes that are exempt:
Counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
Debugging to identify and repair errors that impair existing intended functionality.
Short-term, transient use, provided the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
Undertaking internal research for technological development and demonstration.
Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
Consumers’ personal identifiers, geolocation, biometric data, internet browsing history, psychometric data, and inferences a company might make about the consumer.
Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.