In terms of social policy, California is often considered a bellwether state. If California votes it in, other states better pay attention. And, although it isn’t the largest, the state of California holds a great deal of influence. The Golden State is the fifth largest economy in the world and is projected to surpass 40 million residents by 2019—representing approximately one out of every eight U.S. citizens (12.5 percent). California also has 12 percent of the nation's physicians.
Given the state’s impact, it’s no wonder that the California Consumer Privacy Act (CCPA) is becoming an important topic. Although the CCPA does not go into effect until January 1, 2020, there are crucial considerations you need to start thinking about right now.
The Clock Is Ticking
One of the most important compliance factors marketers need to be aware of is that on January 1, 2020, companies must be able to supply data usage records for the previous 12 months. To be compliant with CCPA, companies must begin tracking personal data usage on January 1, 2019—only 54 days away.
If companies are unable to provide the usage records, or lack compliance in any other manner, the fines could be severe. To provide context, on the first day that the EU’s General Data Protection Regulation (GDPR) took effect, Facebook and Google alone were hit with $8.8 billion in lawsuits. We should expect the same aggressive litigation on the first day of CCPA.
What You Need to Know
Laws like this can be confusing—and they can also change. CCPA has already been amended in the four short months since its passing. The best approach is to be prepared for the strictest potential outcome. In order to be ready, there are a few things you should know.
CCPA applies to businesses that:
- Have annual revenue that exceeds $25M, or
- Buy, receive, sell, or share personal information on 50,000 or more CA households or devices, or
- Derive 50 percent or more of annual revenue from selling consumer personal information
The six main requirements set forth by CCPA include:
- Right to know what category of data is being collected and for what purpose. Individuals must be notified if a company intends to collect additional categories of personal information.
- Right of access and data portability, which includes the specific items of personal information collected, commercial purpose for which a company collects or sells data, and categories of third parties data is shared with.
- Right to request a company to delete personal information previously requested and be “forgotten” by that entity.
- Right to opt out of the selling of personal information to third parties. This right to opt out must include a “clear and conspicuous link” on its homepage indicating “Do Not Sell My Personal Information.”
- Right to equal service and price, which prohibits companies from discriminating against consumers who exercise any of their rights under the CCPA. So, for example, a company cannot charge a consumer more for the same level of service or quality of goods nor can it deny goods or services. Another instance would be that a medical publisher cannot force a physician to supply an email address if the physician is signing up for a print magazine.
- Right to know the source of personal information and whether or not it was provided firsthand by the individual user. This helps avoid sourcing by illegal or unethical means.
The law covers traditional personal identification information (e.g. name, social security number, email address), as well as non-traditional items such as biometric data, IP address, internet browsing or search history, geolocation data, audio, electronic, visual, olfactory, or similar information.
Enforcement is already structured and likely to be swift. Fines begin at $2,500 per violation but companies may be charged $7,500 if the violation is found to be intentional. One email to 10,000 California physicians could generate $25 million in fines.
Data Tracking Needs to Begin Now
Data privacy will continue to carve its name in the slate of consumer rights. The most responsible approach is to get all your ducks in a row before you have to worry about “catching up” to compliance. If you’re not certain your current data provider is adhering to the CCPA’s requirements, you have every right to request a third-party audit (DMD gets audited by BPA Worldwide, the “gold standard” in third-party verification). This will reveal any data quality issues—and ultimately provide the impetus to partner with a trusted data company.