California Consumer Privacy Act: What your brand needs to know
Download as PPTX, PDF•3 likes•1,654 views
The California Consumer Privacy Act (CCPA) is landmark data privacy legislation that takes effect on January 1, 2020. It gives California residents expanded rights over their personal data collected by businesses. These include the right to know what data is collected and how it is used, the right to say no to the sale of personal data, and the right to access and delete personal data. The CCPA applies to for-profit businesses that collect personal data of California residents and meet certain revenue or data thresholds. Non-compliance can result in fines of up to $7,500 per violation. Companies need to audit their data practices, get proper consent, and update privacy policies to comply with the CCPA.
California Consumer Privacy Act: What your brand needs to know
- 1. AB-375: California Consumer Privacy Act (CCPA) This document is for informational purposes only and not for the purpose of providing legal advice. Please contact your legal counsel to obtain advice with respect to the CCPA.
- 2. What is the California Consumer Privacy Act? • Landmark policy constituting the most stringent data protection in the United States, passed on June 28, 2018 • Governs the way businesses collect, process and secure California residents’ personal data • Takes effect 1/1/2020
- 3. As of 2017, California is the 5th largest economy in the world What is the expected impact? • CCPA is going to have a wide-sweeping impact on all data collection – both online and offline – and sets a precedent in the US • Paves the way for other states to adopt similar frameworks in the future • Companies must decide whether to – reform their global data protection and data rights infrastructures, – institute a patchwork data regime in which Californians are treated one way and everyone else another, – completely ignore Californians
- 4. Key principles of the CCPA Affects for-profit businesses that collect, use or sell data, and fall into any of these categories: • Generates $25 million or more in annual revenue • Holds the personal data of 50,000 or more people, households, or devices • Generates half or more of its revenue in the sale of personal data The law protects California residents and provides them with the right to: • Know what personal information is being collected about them and how it’s used at or before the point of collection • Know if their personal information is sold or disclosed, and to whom • Say no to the sale of their personal information – Sale of children's data (anyone younger than 16) will require express opt in, either by the child, if between ages 13 and 16, or by the parent or guardian
- 5. Businesses can offer financial incentives for collection, sale or deletion of personal information and requires consumer opt-in Key principles of the CCPA The law protects California residents and provides them with the right to: • Equal service and price, even if they exercise their privacy rights – Businesses can’t deny goods or services, charge consumers who opt out a different price, or provide a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data • Access their personal information in a “readily useable format” that enables its transfer to third parties without hindrance • The deletion of their personal information, including from any third–party service providers used by the business The bill exempts businesses of these measures if it limits the ability to comply with federal, state, or local laws, to complete a requested business transaction, if it infringes on the rights of another individual, etc
- 6. • Any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household • Examples include: – Name – Email address – Location data – Biometric data Deidentified (and cannot be re-identified) and aggregate data are not considered personal information What is considered “personal information?” – Device ID – Cookie ID & data – Consistently hashed ID – IP address
- 7. CCPA: What’s at risk? Consumers can pursue private action should companies fail to maintain reasonable security practices, resulting in data breaches • The bill will be enforced by the state’s attorney general • Failure to address violations within 30 days could lead to a $7,500 fine per violation (which can be on a per-record basis)
- 8. What does this mean for your brand? • Opt-in for CRM and data collection must be specific and requires EXPLICIT consent • Personal information collected is limited to the specific use indicated • Data must be accessible, accurate, and available at the customer’s request • Enterprise-wide opt-in statements may not be compliant – unbranded vs branded • Financial incentives can be offered to CA residents as part of the CRM value prop 8
- 9. ACTION STEPS: Being CCPA compliant Conduct an information audit – How is data collected and where is it stored? – How is it accessed, by whom, and for what purposes? – What security protocols are in place to protect data? Educate key stakeholders in your organization – What are the risks and impact this poses to your business? – How does this affect them and what do they need to do differently? Review and revise privacy policies to ensure compliance with CCPA regulations
- 10. ACTION STEPS: Being CCPA compliant Review organizational policies and procedures – Fulfilling personally identifiable information requests of customers – Right to deletion Contact technology and media partners – What are they doing to ensure CCPA compliance? – Do any of your processes need to change to reflect their updates?
Editor's Notes
- #3: Much of the political impetus behind the law’s passage came from some major privacy scandals that have come to light
- #5: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375 Say no to the sale of their personal information Businesses will have to put a "Do Not Sell My Personal Information" button on their homepage and corresponding page explaining their rights This can reside on a separate homepage intended for CA residents Sale of children's data (anyone younger than 16) will require express opt in, either by the child, if between ages 13 and 16, or by the parent if younger than that
- #6: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375 Business purposes that are exempt: Counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity. Debugging to identify and repair errors that impair existing intended functionality. Short-term, transient use, provided the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction. Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider. Undertaking internal research for technological development and demonstration. Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
- #7: Consumers’ personal identifiers, geolocation, biometric data, internet browsing history, psychometric data, and inferences a company might make about the consumer. Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.