CompanyTrends & Consumer Behavior

CCPA: What You Need to Know

By November 22, 2019 No Comments

As a marketer and a consumer, you’re likely no stranger to the increase in consumer privacy regulations when it comes to data processing, ownership, and communication. General Data Protection Regulation (GDPR) set a global standard for privacy regulations in May 2018, and in January 2020, California will be the first state to enforce statewide data privacy laws with the California Consumer Privacy Act (CCPA). 

The CCPA establishes new consumer privacy rights and expands liability for consumer data breaches. In other words, it gives Californians the right to hold businesses accountable for disclosing and storing information collected about them, as well as the right to pursue legal action if their data is breached. Both GDPR and CCPA empower consumers to maintain all rights and privileges to their data, and require companies to adhere to all related protocols for data management. If your company is GDPR-compliant, that means you’ve probably done some of the legwork for CCPA compliance—but we strongly recommend you prepare before the New Year. 

The CCPA grants new rights to California consumers:

  • The right to know what personal information is being collected, used, shared or sold, both as to the categories and specific pieces of information;
  • The right to delete personal information held by businesses and by extension, a business’s service provider;
  • The right to opt-out of the sale of personal information;
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

The CCPA applies to certain businesses:

The regulation applies to any for-profit entity doing business in California that collects and controls the processing of a consumer’s personal information (“controllers”) and also satisfies ANY one of the following thresholds:

  • Exceeds $25 million gross revenue annually;
  • Handles the personal information of 50,000 or more California consumers, households, or devices annually, or;
  • Derives more than 50% of annual revenue from selling consumers’ personal information.

What you’ll need to do to comply with CCPA:

As a US company, you will most likely need to update your privacy policies to comply with the CCPA. Here are some key recommendations for CCPA readiness and compliance:

  • Decide whether your company will create a separate privacy notice for Californian consumers, or if you’d like to create a universal practice. 
  • Review what personal information your company collects, how it’s used, and any policies or procedures used in collecting the information.
  • Understand whether the information is sold to or shared with third parties, and the purpose of sharing.
  • Establish policies and procedures for when customers request access to, deletion from, or information related to the sale or disclosure of their information, including digital solutions to process these requests and internal training.
  • Review contracts with service providers that use or store any personal information provided by your business, and ensure those providers are also CCPA compliant.
  • Update your company’s privacy policies internally and on your website.

For more information about CCPA compliance, check out the official Californians for Consumer Privacy website and CENTRL’s CCPA Organizational Readiness Checklist.

How Cordial can help:

Data security and privacy have always been top priorities for Cordial. As we did with GDPR, we’re working to provide our clients with tools that enable them to comply with CCPA. 

Data access and portability
To prepare for GDPR, we built the Download Contact Profile feature that will package all of the data related to a specific contact into a single file. You could already meet CCPA requirements using existing Cordial features, but the Download Contact Profile feature minimizes effort by combining all related data collections in a single package from either an API call or a click within the UI. 

Right to be forgotten
For compliance safety, deleting a contact will also remove all custom properties from the contact’s activities (events) collection in Cordial’s database, in addition to removing the contact record itself. We’ve also added support for advanced scenarios where contact records can be stripped of personal data and/or anonymized without destroying the entire contact record. 

Security policy control
For more granular control of the security policies related to tracking events, you can explicitly dictate which contact attributes can be updated via Cordial’s JavaScript listener. 

Our team will continue to track and monitor CCPA and proactively communicate updates over the weeks and months to come. We welcome your questions about our readiness for CCPA and how it affects you. Please contact your CSM with any questions.

Sources: CCPA Fact Sheet; CCPA Organizational Readiness Checklist

Pat Lawley

Pat Lawley

Sr. Platform Engineer Lead & Privacy/Security Lead