Coming soon, consumers in California will take back control over their personal data. The California Consumer Privacy Act (CCPA) was signed into law in June 2018, and after a comment and public forum period, will take effect in January 2020. The law grants consumers new rights when it comes to the collection of personal information. How is CCPA going to impact the Market Research industry and where do we go from here? How will it affect the market research panel management software you use?
The CCPA regulations give Californians the right to know what personal data is being collected about them, and to whom any personal data was sold or disclosed. Additionally, CCPA permits the opting-out of the sale of personal data and permits consumer access to their personal data. A California resident can request that a business delete any collected personal information about them. Anyone exercising these privacy rights should be free of discrimination, too.
What exactly is meant by Personal Data? Any information that identifies, relates to, describes, or can be associated with (directly or indirectly) an individual consumer or household. Publicly available information is excluded. For example, Social Security Numbers, driver’s license numbers, insurance policy numbers, real names, aliases, postal addresses, and email addresses would all be considered personal data.
Key Legal Details
CCPA grants the right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.
A business must make disclosures about the personal information (PI) and the purposes for which it is used.
The law requires the business to delete PI upon receipt of a verified request.
Consumers can opt-out of the sale of personal information by a business, and the law prohibits the business from discriminating against the consumer for exercising this right, including charging the opt-out consumer a different price or providing that consumer a different quality of goods or services, except in cases where the difference is reasonably related to value provided by the consumer’s data.
The law authorizes businesses to offer financial incentives for collection of PI.
Businesses cannot sell the PI of a consumer under 16 years of age unless the sale has been affirmatively authorized as specified in the law; this requirement is referred to as the right to opt-in.
Who must comply with CCPA?
CCPA regulates any for-profit business that collects personal data and transacts business in the state of California and that has gross revenues over $25 million, or holds more than 50,000 personal information records, or earns more than 50% of its income from the sale of consumer personal information. Note: meeting any ONE of those criteria means that business must comply with CCPA regulations.
- For minors under the age of 13, a process must be implemented to get parental consent, and for people ages 13 to 16, affirmative consent is needed.
- Companies must put a link on their website home page called “Right to Say No to Sale of Personal Information,” which connects to an “opt out” website.
- Methods for submitting data access requests must be implemented.
- Privacy policies must be updated.
- Companies must avoid requesting “opt-in” consent from any California resident who has previously opted out, for 12 months after the opt-out request.
Remedies and Sanctions
Authorized companies and others can work on behalf of California residents to assist them with the opt-out process.
Companies that suffer data security breaches or data theft can be sued and are liable for damages of $100 to $750 per California resident and per incident, or actual damages (whichever is greater).
Note that the California Attorney General has the option to prosecute a company in lieu of civil suits.
We’ve heard this story before…
If all of this is sounding familiar, it is because the EU recently implemented the General Data Protection Regulation (GDPR) in 2018. There is plenty of overlap between GDPR and CCPA.
They define personal data the same way, which is to say very broadly. This isn’t just social security numbers and credit card accounts. It is much more than that.
Both GDPR and CCPA grant rights to consumers with respect to removal, disclosure, and portability of PI. Businesses must be mindful that affiliated third parties also adhere to consumer privacy requests.
Both insist on proactive communication with consumers in the form of public disclosures and updated policy notifications. This will likely activate more consumers to make opt-out requests.
Both enhance child data protective measures. Consumers under the age of 16 must opt-in before personal data can be shared, and those under age 13 must get parental consent before opting-in.
While there are plenty of similarities to GDPR, one significant distinction is that CCPA extends data protection to households, too. Another difference is that CCPA imposes some limits on the exercise of consumer rights, more than are found in GDPR. It is wise to consult with your legal team to make sure you know the key distinctions.
Next steps and top priorities
- If you are already complying with GDPR, you are in a strong position to comply with CCPA, too, because they have so many commonalities. Leverage the work you have already done on this front by adapting existing compliance policies to conform to the new law.
- Classify and map your data. Which personal data must be protected? Who has access to it? Do third parties have access? Make sure you chart the workflows and how to get at the data subject to removal requests.
- Redouble your data security efforts. The downside risk of any data breach or data theft is greater than ever.
- Track the third parties. You will be expected to know which third parties have access to personal data, and you must make good faith efforts to control how they use it. For instance, third parties are not permitted to sell that data.
- Be open about your disclosures. The spirit of CCPA is all about informing consumers of their rights and protections. Opt-out notices must be made available BEFORE PI is used. The opt-out feature must always be available to consumers.
Taking the Long View
While companies will be scrambling to adjust business practices in the short term to comply with CCPA, it would be wise to think ahead.
- Start thinking globally. It would be naïve to think that California will be the last state in the union to pass data protection laws. Other states and countries are sure to follow this lead. Studies show that consumers are concerned about personal data protection, and companies need to get out in front of the issue. Anticipate the probabilities and start working now on a global compliance policy.
- Make the mental shift from compliance to commitment. Start shifting the company mindset to a more proactive, principled and ethically grounded approach to personal data protection. Tout personal privacy as a value, and make consumers aware of it. Be transparent. Consumers will come to appreciate and trust you for it.