The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Whether or not your business is located in California, if you collect personal information from California residents, you may fall under this new law. Enforcement by the California Attorney General does not begin until July 1, 2020, but the law's obligations apply as of January 1, so treat the six months in between as time to get compliant, not as time off.
Beware: if your business falls under the CCPA, noncompliance could cost it millions of dollars and a lot of bad press.
Balancing Data-Driven Marketing With Individuals’ Right to Privacy
Data that helps us know and understand our buyers has become the most prized possession of B2B marketing and sales teams. The EU's General Data Protection Regulation (GDPR), which took effect in May 2018, had a major impact on U.S. businesses with EU customers, both on what data they could collect and on what they could do with it. With the California Consumer Privacy Act, B2B marketers now have another set of standards they may need to comply with.
Even if the CCPA doesn't apply to you now, don't assume that will last. Michael Bird of Dun & Bradstreet notes in a Demand Gen Report article, "What Do B2B Marketers Need To Know About Data Regulation?," that at least 20 additional states are considering similar legislation. It is also likely that, at some point in the not-too-distant future, federal regulation will standardize consumers' privacy rights.
Let’s review the basics for B2B marketers.
What Rights Does CCPA Give to California Consumers?
The California Attorney General’s office has published a California Consumer Privacy Act (CCPA) Fact Sheet that highlights the requirements under the CCPA. It grants the following rights to California consumers:
- The right to know what personal information is collected, used, shared or sold
- The right to delete personal information held by businesses and, by extension, a business’s service provider
- The right to opt out of the sale of personal information
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA
Armor has also published a valuable CCPA Cheat Sheet that highlights how the CCPA consumer rights are based on three principles:
- Control over who can access their information
- Transparency about how companies will use their information
- Accountability of companies for misuse of consumers’ information
Armor’s webinar, “Privacy & Security: Preparing for CCPA Compliance,” covers what businesses need to know.
The definition of personal data is quite broad. Armor webinar presenters Mike Annand, Director of Customer Compliance, and Carlin Dornbusch, CISSP, President of American Cyber Security Management, reviewed the wide range of personal data types, summarized here.
Does Your Business Fall Under CCPA Rules?
If your business is a for-profit entity that collects California residents' personal information and any of the following conditions applies, you must comply with the CCPA:
- Gross annual revenues exceed $25 million
- Buy, receive or sell personal information of 50,000 or more consumers, households or devices
- Derive 50% or more of annual revenues from selling consumers’ personal information
What Must Businesses Do to Comply?
Now that you know whether the CCPA applies to your business, what are you required to do under these new regulations?
- Provide notice to consumers at or before data collection
- Create procedures to respond to requests from consumers to opt out, know and delete
- For opt-out requests, provide a "Do Not Sell My Personal Information" link on your website or mobile app
- Respond to requests to know, delete and opt out within the statutory timeframes (generally 45 days for requests to know and delete, extendable once by a further 45 days when reasonably necessary, with notice to the consumer)
- Treat user-enabled privacy settings that signal a consumer’s choice to opt out as a validly submitted opt-out request
- Verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business
- If the business cannot verify a request, it may deny the request, but it must still comply to the greatest extent it can; e.g., treat an unverifiable request to delete as a request to opt out
- Disclose any financial incentives offered in exchange for the retention or sale of a consumer's personal information, explain how the value of that personal information is calculated, and explain how the incentive is permitted under the CCPA
- Maintain records of requests and how they responded for 24 months to demonstrate compliance
Further, according to Annand and Dornbusch, there appear to be nuances for B2B marketers that differ from B2C marketers. These may include a 10-day period to remove an individual's data versus 45 days for B2C marketers. In addition, businesses will need to keep a record of when an individual's information was removed and be prepared for an audit. It's recommended you consult your business's attorneys to help determine what you must do to comply.
The Demand Gen Report article cited earlier, "What Do B2B Marketers Need To Know About Data Regulation?," also provides more detail on how businesses will need to manage the data they collect and what responsibility they assume when they obtain data from third parties.
What Are the Noncompliance Penalties?
The California Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, and a violation does not require a data breach. Because penalties are counted per violation, and a single defective practice can mean one violation per affected consumer, that adds up fast for a company with tens of thousands of records. Separately, consumers whose nonencrypted and nonredacted personal information is exposed in a breach caused by a business's failure to implement and maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. And beyond that, a breach brings all the usual breach-related costs: recovery, legal notification and so on.
I strongly recommend you educate yourself on the details of the CCPA. Watch the Armor webinar, read up online, consult with your corporate attorneys and make sure your company leadership is taking action to ensure compliance.