California Consumer Privacy Act (CCPA)
ActiveDEMAND stays on top of relevant privacy laws so that our customers have the tools they need to comply. From GDPR to CASL and now CCPA, ActiveDEMAND provides the tools needed to be compliant. The California Consumer Privacy Act (CCPA) becomes effective January 1, 2020, but businesses with clients or prospects in California should take action now to get compliant. The new act mostly focuses on the collection and sale of personal data.
Does it apply to my business?
Do you do business in California and do one of the following?
- Generate more than $25 million in revenue per year
- Have information on more than 50k contacts/households/devices
- Earn more than half your revenue per year from selling consumer information
Then it does apply.
What do you need to do by the letter of the law?
- Implement and maintain “reasonable security procedures and practices” to protect consumer data
- Implement a way to get parental or guardian consent for minors
- Have a “do not sell my personal information” link on your homepage that sends people to a form where they can opt out of having their data sold
- Don’t request opt-in for at least 12 months after a Californian opts out
- Give people an option to submit data access requests including a toll-free number
With penalties of $7500 for each intentional violation and $2500 for each unintentional violation, the legislation has some teeth. On top of that, data breaches at businesses that did not implement and maintain “reasonable security procedures and practices” can lead to private lawsuits seeking $100-700 per consumer.
What should you do if you do business in California?
Start getting a plan together now. Once the regulations come into effect, consumers can request data extending back over the prior 12 months. So to be compliant, be prepared to provide data for all of 2019. What else needs to get done before 2020? We recommend:
- Create an Opt-Out link, Database, and Procedure: Opting out means more than just getting off an email list
- Ensure that your employee off-boarding process includes removing their access
- Ensure your employees use strong passwords
- At a minimum, add a toll-free number so people can request personal data and data deletions. Realistically, you’ll want to also have an automated way of handling these requests.
- Create Opt-Out Procedures, including:
  - a way to disclose, upon request, the categories of personal information being collected and the purposes for which each category is collected
  - a system to document requests for data access and deletion; the system should also be able to automate verification of the request and the deletion of the data
  - an inventory of the personal information collected, its categories, and the points of collection
  - an inventory of the business contacts, and categories of business contacts, with whom personal information and its categories are shared
- Maintain opt-out/opt-in consent records
- Create “request personal data” forms that automatically send the info
- Create personal data deletion request forms that record and automate steps
- Create “Do not sell my personal information” request forms to stay compliant with CCPA
- Set up a data retention policy