Last year, GDPR made us all revise our data protection compliance. But there are new data protection regulations coming on January 1, 2020. The California Consumer Privacy Act will come into effect to protect Californian residents’ personal information. Here’s what you need to know to get ready, and why it is important to be CCPA compliant even if your business isn’t based in the US.
What is the CCPA?
CCPA stands for the California Consumer Privacy Act, said to be the United States’ most stringent privacy law.
California will become the first state to roll out such expansive data protection regulation when the act comes into effect on January 1, 2020.
Since GDPR (General Data Protection Regulation) – which marked the biggest change to EU data protection law in 20 years – we’re seeing a global shift to better personal data protection.
In fact, the CCPA shares similar principles to GDPR – especially when it comes to extensive rights for individuals, and extraterritorial scope.
Let’s look at what the CCPA is all about, how it might affect your business, and how you can get ready.
Who does the CCPA protect?
It regulates the way your business handles Californian residents’ personal information – regardless of your relationship with them.
Will the CCPA affect me?
You’ll need to comply if your business makes over $25 million revenue a year, processes (buys, sells, receives or shares) 50,000 or more Californian consumer records each year, or gets 50% of its annual revenue from selling Californians’ personal information – even if your business is based outside the state.
The bill also applies if you share common branding (like your name, service mark, or trademark) with a business that meets these criteria.
Why should I comply?
Being transparent about the way you process customers’ data – and handling it properly – helps build trust and cooperation.
And as privacy laws continue evolving, people are more aware than ever of their rights. So you need to take care of data protection across your business activities.
Since GDPR, we’re already familiar with this at GetResponse – and data protection is at the core of our business.
There are severe penalties if you don’t comply with the CCPA. Aside from lost customer trust, you could face a maximum fine of $750 per consumer or violation. That means that if you collect data from 1,000 California residents, you could be fined $750,000.
Also, if you don’t meet certain data security requirements, consumers can demand that you fix it within 30 days, or risk legal action.
How should I comply?
Consumers have the right to know what personal information you process – and how you do it. It’s a good idea to review your information notices and privacy policies, and make sure they mention:
- Types of personal data your business collected, sold, or disclosed within the last 12 months.
- How and why you use personal data.
- Who you share personal data with.
How service providers process your customers’ data
Do you engage third-party service providers to process customers’ personal information? Then you need to:
- Evaluate your chosen processor.
- Set up a data processing agreement.
- Forward them any requests to delete data.
If you upload your contact list to GetResponse, we become the data processor. And we’ll help you comply with these obligations.
We already have Data Processing Agreements (DPAs) to meet your GDPR requirements. And you will be able to download a copy of our DPA for CCPA compliance in your account settings, via the DPA tab.
You will also be able to generate a downloadable personalized contract with us.
Your customers’ rights
Just like GDPR, CCPA focuses on the rights of individuals.
For instance, customers can ask you for their personal data – as well as why, where and with whom it was collected, sold or shared. You have 45 days to respond to the request, and you must provide information about how the data was handled within the year preceding the request.
We’ve made it easy for you to comply, with these options in your GetResponse account:
- Your contacts can view and update their data in your GetResponse account. They simply click the “Change contact details” link that’s automatically included in your message footer.
- You can also update a contact’s data at their request. Just go to the Contacts section of your account, search for and click on their name, and edit the custom fields. The only things you can’t change are their email address and opt-in proof.
- You can export a contact’s details at any time and send them to the contact as a CSV, XLS or XML file.
Deleting the data
If a customer asks you to delete their data, you must remove everything you’ve collected – and ask your service providers to do the same – unless you have other legal grounds to process the data.
To comply, look for these options in your GetResponse account:
1. Your contacts can unsubscribe from your list via the link we automatically add to your message footer. See how a contact can unsubscribe from your list and how to update footer links.
2. You can also remove contacts from your list, or from your entire account, if they ask you to.
3. Our customer support team can also remove them for you.
Remember to ask any other data processors (such as third-party services) to erase their data – or do it yourself.
Opting out of selling the data
Customers can also prevent you from selling their personal information. To make it easy for them, add a clear and visible “Do not sell my personal information” link on your homepage.
You can also use GDPR fields: simply create the opt-out as a ‘consent’ that subscribers can manage themselves.
If your customers are 16 years or younger, you’ll need their express consent to sell their data.
Being free from discrimination
You can’t charge different prices, offer a different level of service, or deny service to people who exercise their rights under the CCPA.
Under certain circumstances, you can offer financial incentives in exchange for collecting, selling, or not deleting their personal information.
How can I get prepared for CCPA?
Here’s a handy guide to help you get ready:
1. How do you process personal information?
- When and how you collect it.
- Where, for how long, and what systems you use to store it.
- Who you share it with.
Review this across your organization, including your human resources or customer service teams.
2. How will you comply?
Check if your systems make it easy to follow the rules for data deletion, access, portability, and opting out.
- Set up a toll-free number and email address for customer requests (like ours: firstname.lastname@example.org).
- Appoint a person or team to deal with requests within 45 days (like our Data Protection Officer).
- Set up processes to handle opt-out requests.
- Review your online privacy policies.
- Train your customer-facing staff on privacy practices.
We have customers outside California. What should we do?
Should you extend the CCPA privacy rights to customers living outside California – or have separate privacy policies and ways to handle personal data?
That’s up to you. To help you decide, consider this:
- Can you easily distinguish between information on Californian residents and those in other states?
- How will it impact your customer relations if you tell non-Californian customers they don’t have the same rights as Californians?
- If you voluntarily make CCPA compliant statements to consumers across the US – will you be able to live up to those statements?
- Are other states likely to follow California’s move with their own privacy obligations?
Looking ahead, California’s Attorney General might announce rules on how to implement the regulations.
For instance, he could clarify what information you need to add to your customer notices, or prescribe a standardized “Do Not Sell My Personal Information” logo. He might also outline how to respond to customer requests, or add new categories of personal information and identifiers – to respond to changes in technology, data collection, obstacles to implementing the rules, and privacy concerns.
This will all happen by July 1, 2020. So stay tuned! We’ll keep you in the loop.