The California Consumer Privacy Act (CCPA) was signed into law in June 2018 and goes into effect on January 1, 2020.
By that date, qualifying businesses need to make their data protection and user privacy policies compliant with the new regulations — or pay the high price of negligence.
Compliance may very well be the new normal for any company with a Sales and Marketing function.
Facebook, Amazon, Google, Twitter, Netflix, Apple Music, and other entities servicing users in the eurozone are reeling from GDPR-related issues. Some have already morphed into billion-dollar lawsuits and multimillion-dollar fines.
That begs the question: how will the CCPA affect Sales and Marketing leaders?
What Is the CCPA?
The California Consumer Privacy Act (CCPA) is a California state law that enhances privacy rights and consumer protections for California residents. The CCPA regulates what businesses can do with the personal information they collect and is considered landmark legislation on data protection because of its strict guidelines.
For example, the law gives CA residents rights to all personal information that business may have about them, including the right to have the information deleted, subject to certain restrictions. The CCPA also requires covered businesses to disclose such information and the purposes for which personal data is being held.
Californians Now Own Their Personal Data. So What?
While not as punitive or exacting as the GDPR, the CCPA has stricter mandates in some aspects and broader implications in others. It only expressly protects Californian residents, but the legislation may just as well be considered the US variant of the GDPR (for now), with many other states already following suit.
In fact, even American businesses have joined the call for change. The US Chamber of Commerce proposed a federal privacy law that seeks to reinforce consumer rights and increase transparency.
Our prediction is that we’ll see an official federal law passed with the next 3-5 years. Now is the time to get your organization used to this new way of doing business.
Privacy laws and digital consumer rights may pose tough challenges for many companies, but voluntary standards and self-regulation are no longer enough. The high-profile cases involving the misuse, abuse, theft, and weaponization of personal data only makes the clarion call louder.
So, there’s no going around the CCPA if your organization has even the slightest chance of interacting with a California resident. But if your company is already compliant with the GDPR, meeting the regulatory requirements of the CCPA shouldn’t be too painful.
The trick is to prepare well before the law takes effect.
To be on the safe side, you can start by creating a single user data policy that treats all customers practically as residents of the Golden State (or the EU for that matter).
Hypothetically, it is possible to have one data standard for EU residents, one for Californians, and another for the rest of humanity. But adopting that strategy can be costly and too impractical. It’s much easier and more cost-effective to implement a singular data policy for all customers regardless of where they live.
Don’t Stop at Mere Compliance
As Deloitte aptly described, “GDPR and CCPA are strategic imperatives.” Instead of viewing such regulations as extra baggage that limit agility and hinder growth, leaders of marketing and data units should see a new opening for gaining advantage and achieving goals.
Smart organizations go beyond compliance.
For example, B2B companies like Outreach reconnected with customers prior to the GDPR to provide 100% assurance and show clients how best to use their products under the new regulation.
But internal processes need to be in place to ensure sustained compliance.
According to Daniel Barber, CEO & Co-founder of DataGrail, “Fortune 500 companies often have more than 100 systems that contain personal information. Modern sales and marketing teams need dynamic compliance solutions. Static data maps and manual privacy request workflows are time-consuming and prone to error.
The goal is sustained compliance, which can only be achieved by integrating business systems to support the requirements of Right to Know and Right to Say No requests for the CCPA.”
So, what does the CCPA really mean for your business?
Here are answers to common questions plus some proactive tips on how to stay on top of the new game-changing regulation.
What’s the Difference Between the CCPA and the GDPR?
The CCPA takes a broader view of personal information than the GDPR, but the European legislation is more rigorous overall.
For example, unlike the GDPR, the CCPA does not require companies to report a data breach within a 72-hour window. (Please note, however, that there are existing data breach notification laws in California that businesses should still comply with.)
Here are the key differences between the GDPR and CCPA:
The CCPA applies only to businesses, while the GDPR covers any entity that processes the personal data of protected consumers/residents. The GDPR allows covered entities to establish equivalent mechanisms, while the CCPA prescribes disclosures, communication channels, and other measures. The CCPA uses a broader definition of personal information. Access and deletion requests are both granted but have different conditions. The CCPA sets more rigid restrictions for commercial sharing of personal data. The CCPA does not expressly include the right to correct errors in processed personal data. The CCPA does not expressly include the right to stop automated decision making (i.e., the right to require a human to make decisions that have legal implications/effect). The GDPR set the penalty limit at 4% of global annual revenues, while the CCPA does not have a ceiling on regulator penalties. The CCPA has a minimum and maximum damage amounts ($100 to $750 per consumer per incident) for private actions against violators, while the GDPR prescribes neither a floor nor a ceiling for damages.
The takeaway: Despite their differences, a business that has complied with the GDPR standards should be able to extend policies and practices to fit well within the CCPA’s requirements.
For more information about the differences between the GDPR and CCPA, check out these resources from The International Association of Privacy Professionals and PricewaterhouseCoopers.
When Will the CCPA Take Effect?
The CCPA takes effect on January 1, 2020. After being passed by the state legislature, the California Consumer Privacy Act was signed into law by Governor Jerry Brown on June 28, 2018.
What Rights Do Consumers Have Under the CCPA?
Under the CCPA, California residents have the following rights.
Know what personal information is being collected about them. Access personal information that has been collected about them. Request the deletion of their personal information, subject to certain restrictions. Prevent the sharing or sale of their personal information to third parties. Sue or join class-action suits against erring businesses. Receive equal service and price even if they exercise privacy rights.
What Constitutes Personal Information?
The CCPA defines “personal information” as any information about a particular consumer or household.
This includes:
names aliases addresses emails account names social security numbers medical information passport details educational information biometric data commercial information IP addresses phone numbers PINs media information geolocation
…and many other pieces of information.
Which Organizations and Companies Are Affected?
The CCPA covers only businesses and any for-profit entities that conduct business in California, collect personal data of California residents, and satisfy at least one of the following conditions:
Generates more than US$25 million in gross revenues Possesses personal information of more than 50,000 California consumers, households, or devices Generates more than 50% of annual revenues from selling the personal information of California residents
This is a narrower scope than the GDPR, which covers any entity that processes EU resident personal data.
What Are the Obligations of Covered Businesses?
Covered businesses need a full legal understanding of the CCPA to minimize their risk of infringements and stiff penalties.
Under the legislation, covered businesses should:
Comply with consumer requests for transparency about their personal information Provide adequate disclosures when asked Delete relevant data (subject to certain restrictions) upon consumer request Adhere to guidelines when it comes to how much data can be collected and for how long Comply with consumer requests to stop sharing their personal information with third parties Provide the same level and quality of service even to consumers who opt to exercise their privacy rights Ensure that any data sharing with third-parties meet all restrictions
To minimize your exposure, the rule of thumb is to only partner with entities that are also compliant with all applicable regulations.
For example, forward-looking B2B companies like Outreach acquire relevant certifications such as the ISO 27001 and undergo annual privacy audits to meet the high data protection standards of both the GDPR and the CCPA.
What Happens When a Covered Business Fails to Comply?
Once notified of a violation by a relevant regulator or administrative enforcer (like the State Attorney General), covered businesses have a 30-day window to comply under the CCPA.
However, there is a pending bill that seeks to eliminate the 30-day window entirely.
Intentional non-compliance will lead to a maximum fine of US $7,500 per violation.
The legislation also establishes the right of consumers to take private action against erring covered businesses. This means that any California resident whose personal information was accessed illegally, stolen, or disclosed as a result of substandard security measures can file a civil suit.
Statutory damages for such civil cases have a minimum of $100 USD and a ceiling of $750 USD per consumer per incident plus any other declaratory, injunctive, and other relief the court deems proper.
At first glance, those numbers may seem small. But consider that most privacy breaches involve hundreds of thousands of records. If each record equals $750 USD, you could be looking at an enormously expensive lawsuit.
In comparison, the GDPR sets neither a floor nor a ceiling for statutory damages.
Compliance Strategies for Sales & Marketing Teams
This section outlines some tips and best practices businesses can adopt in preparation for the implementation of the CCPA in 2020.
We have learned a lot from the struggles and experiences of different companies as everyone transitioned to the exacting GDPR regulatory environment. The CCPA won’t be any different, but it will be less painful for companies who have matured during their migration to the GDPR.
If your business is covered by either or both regulations, the smart move is to approach data protection and privacy with a single, unified strategy.
Companies should not address the issue via a segmented policy by creating separate processes and datasets for EU residents, Californians, and everybody else. Other states, countries, and jurisdictions are already moving towards new data protection regulations.
The CCPA will definitely not be the last privacy regulation your company will need to comply with. A segmented approach to compliance will be extremely cumbersome, inefficient, and costly in the long run.
5 Key Ways to Prepare for the CCPA
1. Determine if the CCPA applies to your organization.
Assume it does if you are a fairly-sized company with crucial customer-facing operations such as digital marketing and sales. If you are unsure, future-proof your business growth and implement these best practices to comply with the CCPA.
2. Begin preparation NOW.
Align your efforts with your GDPR strategy if your business recently transitioned to the EU-sponsored environment.
Although the two sets of regulation do not exactly match, a well-built GDPR/privacy program will make CCPA compliance much easier. As experience preparing for the GDPR proved, a one-year timeline to comply is shorter than it sounds.
It’s a good idea to consult with legal counsel and draw up a comprehensive CCPA checklist and strategy now.
3. Continue to monitor CCPA developments.
Some critical bills are still pending that have could have a dramatic impact on the legislation.
Thoroughly audit your data collection, storage, and management processes. Scrutinize data-sharing practices with third parties. Consider adopting data compliance solutions that address third-party systems.
Assess the quality of your data security and protection apparatus.
Update the language of consumer-facing content regarding their data. Specifically, look at landing pages, subscription and opt-in forms, profile fields, private policy statements, and other materials. Note that the trend is moving towards more transparency.
RELATED: Permission-Based Marketing: How to Sell with User Consent
4. Ensure that you have the required mechanisms and communication channels in place.
To receive personal data disclosure requests from California residents, you need to have the mechanisms and communications channels specified by the CCPA. (Note: The GDPR does not prescribe this requirement and you might overlook this mandatory component.)
That’s going to take time to set up. Here are some ideas to make the transition smoother.
Consider hiring a Data Protection Officer (DPO) if haven’t yet. You can also hire a privacy specialist, chief privacy officer, or just add privacy to your C-suite.
Product-oriented companies should have engineering teams that thrive within a privacy-by-design culture. Meanwhile, services-oriented companies should adopt customer engagement platforms that already comply with existing data regulations such as the GDPR and guarantee full compliance upon the CCPA’s roll-out in 2020.
Ensure that the products and services you purchase and use can support your CCPA compliance efforts:
Does the vendor provide features that enable you to meet the CCPA and facilitate your compliance? Are all appropriate data protection and privacy clauses clearly stipulated in vendor/partnership contracts? Does every tool in your technology stack have adequate data privacy/consent management features? Has the vendor been audited by globally recognized third-party assessors or standards-setting agencies such as the ISO to demonstrate their compliance with the CCPA and the GDPR? Amid mounting regulatory risks and penalties, choose vendors with
relevant certifications on privacy and data protection.
5. Embrace the CCPA for Competitive Advantage.
Give quality service to consumers by protecting their data and diligently owning the responsibility as stewards of customer information. Practice and communicate transparency to encourage customer trust and drive loyalty.
Conclusion
Efforts to standardize and enforce data protection and privacy have taken the business world by storm, with the GDPR leading the way. That being the case, for most businesses that are digitally connected to the global economy, the question is not whether you need to comply, but when.
The GDPR impacts organizations that interact with EU residents, regardless of their office address. The same is true of the CCPA. You don’t need to be in California for the sweeping scope of the CCPA to impact your business. As we learned before, organizations that have chosen to endure the growth pains sooner will have a stronger head start to thrive in the new environment.
You’re in a good position if you already have a solid GDPR program in place. Due to several subtle but important differences between the two regulations, you still need some additional tweaks to fully meet the CCPA’s standards. But if the right mindset and strategy are already there, doing so won’t be a problem.
Transparency and trust are the flipsides of data privacy and protection. As things turn out, this coin is the new currency for tomorrow’s customer-facing organizations. The CCPA and the GDPR just foreshadow the new normal.
These new regulations are opportunities to drive better customer engagement and demonstrate excellent stewardship of consumers’ personal information. At the end of the day, customers will trust you more if they believe you care about their data.
Legal Disclaimer: This article represents our best understanding of the California Consumer Privacy Act at the time of developing the content. We are not lawyers, so please do not construe our suggestions as legal advice. To minimize risks, kindly refer to the original text of the legislation and consult with the appropriate legal counsel.
Written by Martin Rues and Vijay Sihota for SalesHacker
Martin Rues joined Outreach in 2015 as the CISO to build a security program from the ground up. With over 20 years experience in information security, Martin has instilled a culture of security across the company. He has achieved multiple security certifications for Outreach, including SOC 2 Type 2 in late 2016. Prior to Outreach, Martin worked at Ernst & Young where he focused on ethical hacking and regulatory compliance for his customers. His last project with E&Y led him to Microsoft where he spent 10 years as a Director of Security. Martin believes that security doesn’t have to be boring or hard and he leads with an entrepreneurial attitude and a passion for building relationships.
Vijay Sihota is an information security, compliance, quality and privacy leader with over fifteen years’ experience, the majority of which has been in cloud computing. He joined Outreach in 2017 as the Compliance Manager to lead and expand Outreach’s compliance and privacy programs. Vijay previously worked for successful SaaS and PaaS companies, building and improving their compliance programs, as well providing industry-specific compliance guidance. His expertise and collaboration across teams has enabled companies to sell to highly regulated markets such as the federal government, healthcare, and life sciences. Vijay has followed privacy changes in the technology industry for over ten years and, similar to security and compliance, he believes the upcoming privacy regulatory and industry developments will provide key opportunities for businesses to leverage privacy as a differentiator and enabler to better serve their customers.
