A couple years ago, GDPR made us all revise our data protection compliancy. Now there are new data protection regulations coming on January 1, 2020. The California Consumer Privacy Act will come into effect to protect Californian residents’ personal information. Here’s what you need to know to get ready and why it is important to be CCPA compliant even if your business isn’t based in the US.
What is the CCPA?
CCPA stands for the California Consumer Privacy Act, said to be the United States’ most stringent privacy law.
California will become the first state to roll out such expansive data protection regulation when it comes into effect on Jan. 1, 2020.
Since GDPR (General Data Protection Regulation) was implemented – which marked the biggest change to EU data protection law in 20 years – we’re seeing a global shift to better personal data protection.
In fact, the CCPA shares similar principles to GDPR – especially when it comes to extensive rights for individuals, and extraterritorial scope.
Let’s look at what the CCPA is all about, how it might affect your business, and how you can get ready.
Who does the CCPA protect?
It regulates the way your business handles California residents’ personal information – regardless of your relationship with them.
Will the CCPA affect me?
You’ll need to comply if your business makes over $25 million revenue a year, processes (buys, sells, receives or shares) 50,000 or more Californian consumer records each year, or gets 50% of its annual revenue from selling Californians’ personal information – even if your business is based outside the state.
The bill also applies if you share common branding (like your name, service mark, or trademark) with a business that meets these criteria.
Why should I comply?
Being transparent about the way you process customers’ data – and handling it properly – helps build trust and cooperation.
And as privacy laws continue evolving, people are more aware than ever of their rights. So you need to take care of data protection across your business activities.
With GDPR, we’re already familiar with this at GetResponse – and data protection is at the core of our business.
There are severe penalties if you don’t comply with the CCPA. Aside from lost customer trust, you could face a maximum fine of $750 per consumer or violation. That means that if you collect data from 1,000 California residents, you could be fined $750,000.
Also, if you don’t meet certain data security requirements, consumers can demand that you fix it within 30 days, or risk legal action.
How should I comply?
Being transparent
Consumers have the right to know what personal information you process – and how you do it. It’s a good idea to review your information notices and privacy policies, and make sure they mention:
- Types of personal data your business collected, sold, or disclosed within the last 12 months.
- How and why you use personal data.
- With whom you share personal data.
Your privacy policy should be easy to access on your website, and you should review it every year to keep it up to date.
How service providers process your Customers’ data
Do you engage third-party service providers to process customers’ personal information? Then you need to:
- Evaluate your chosen processor.
- Set up a data processing agreement.
- Forward them any requests to delete data.
If you upload your contact list to GetResponse, we become the data processor. And we’ll help you comply with these obligations.
We already have Data Processing Agreements (DPAs) to meet your GDPR requirements. We will also include specific provisions in our Terms of Service as being an integral part of your Agreement, so you know that we will comply with CCPA when processing your Contacts’ personal information on your behalf.
Your Customers’ rights
Just like GDPR, CCPA focuses on the rights of individuals.
For instance, customers can ask you for their personal data – as well as why, where and with whom it was collected, sold or shared. You have 45 days to respond to the request, and you must provide information about how the data was handled within the year preceding the request.
We’ve made it easy for you to comply, with these options in your GetResponse account:
- Your contacts can view and update their data in your GetResponse account. They simply click the “Change contact details” link that’s automatically included in your message footer.
- You can also update your contact’s data upon their request. Just go to the Contacts section of your account, search and click on their name, and edit the custom fields. You just can’t change their email address and opt-in proof.
- You can export a contact’s details at any time, and send it to them as a CSV, XLS or XML file.
Deleting the data
If a customer asks you to delete their data, you must remove everything you’ve collected – and ask your service providers to do the same, except you have other legal grounds to process the data.
To comply, look for these options in your GetResponse account:
1. Your contacts can unsubscribe from your list via the link we automatically add to your message footer. See how a contact can unsubscribe from your list and more on updating footer links.
2. You can also remove contacts from your list or entire account if they ask you to. Here’s how:
3. Our customer support team can also remove them for you.
Remember to ask any other data processors (such as third-party services) to erase their data – or do it yourself.
Opting out of selling the data
Customers can also prevent you from selling their personal information. To make it easy for them, add a clear and visible “Do not sell my personal information” link on your homepage.
You can also use Consent fields (formerly known as GDPR fields): simply create it as a ‘consent’ that subscribers can manage.
If your customers are 16 years or younger, you’ll need their express consent to sell their data.
Being free from discrimination
You can’t charge different prices, offer different services or deny them to people who exercise their rights under the CCPA.
In some cases, and under certain circumstances, you can offer financial incentives to collect, sell, or not have their personal information deleted.
How can I get prepared for CCPA?
Here’s a handy guide to help you get ready:
1. How do you process personal information?
Check:
- When and how you collect it.
- Where, for how long, and what systems you use to store it.
- With whom you share it.
Review this across your organization, including your human resources or customer service teams.
2. How will you comply?
Check if your systems make it easy to follow the rules for data deletion, access, portability, and opting out.
You could:
- Set up 2 different submission methods for customer request.
- Elect a person or team to deal with requests within 45 days (like our Data Protection Officer).
- Set up processes to handle opt-out requests.
- Review your online privacy policies.
- Train your customer-facing staff on privacy practices.
We have Customers outside California. What should we do?
Should you extend the CCPA privacy rights to customers living outside California – or have separate privacy policies and ways to handle personal data?
That’s up to you. To help you decide, consider this:
- Can you easily distinguish between information on California residents and those in other states?
- How will it impact your customer relations if you tell non-Californian customers they don’t have the same rights as Californians?
- If you voluntarily make CCPA compliant statements to consumers across the US – will you be able to live up to those statements?
- Are other states likely to follow California’s move with their own privacy obligations?
What’s next?
Looking ahead, California’s Attorney General will announce rules on how to implement the regulations.
This will all happen by January 1, 2020. So stay tuned! We’ll keep you in the loop.