In 2018, the California State Legislature passed the most comprehensive consumer data privacy act in the history of the United States, paralleling the European Union’s data privacy law (GDPR) passed two years earlier.
The CCPA reflects the same view: the commercial use of personal data needs stronger regulation as the digital economy grows. The CCPA takes effect in 2020, and it leaves businesses with many questions about compliance, enforcement, penalties, and what exactly counts as personal information.
1. What is CCPA?
2. When does it go into effect?
3. Who does it affect?
4. How do I comply with CCPA?
5. What are the penalties?
6. How far back must my data report go?
7. Who is covered by CCPA?
8. CCPA vs GDPR: What’s the same, what’s different?
9. What is considered personal information under CCPA?
10. What do I do if my data is too messy to follow CCPA?
The California Consumer Privacy Act (CCPA) is the most comprehensive data privacy law in US history. It gives any California resident the right to know what personal information a business has collected about them, where it came from, why it is used, and the categories of third parties with which the business shares or sells it.
CCPA affects consumer data in two ways:
- Establishes and protects data privacy rights for California residents
- Enforces regulations on businesses pertaining to the housing, sharing, and sale of personally identifiable information (PII)
Alastair Mactaggart, the real estate magnate behind CCPA, describes its purpose as giving consumers “the right to know and the right to say no.”
The California data privacy law goes into effect on January 1st, 2020. The Attorney General, however, could not bring enforcement actions until July 1st, 2020, which many businesses treated as a six-month grace period.
On the consumer side, this law already covers you if you are a California resident. For businesses that meet the requirements below, the obligations apply from January 1st, 2020, with Attorney General enforcement starting July 1st, 2020. Do not treat July as a deadline to start collecting data: the 12-month look-back described below means a request received in January 2020 already covers data collected throughout 2019.
The CCPA places new obligations on organizations that collect and sell personally identifiable information (PII) of California consumers.
The CCPA applies to for-profit businesses that do business in California, collect consumers' personal information, and meet at least one of the following thresholds:
- Annual gross revenue of over $25 million.
- Buying, receiving, selling, or sharing for commercial purposes the personal information of at least 50,000 consumers, households, or devices per year.
- Deriving 50% or more of annual revenue from selling consumers' personal information.
Whether your organization is B2B or B2C does not matter: if it meets one of these thresholds and handles the personal information of California residents, it must comply or face the penalties.
To comply with the California Consumer Privacy Act, companies need to do the following:
- Provide at least two methods for a person to request access to their PII, have it deleted, and opt out of its sale: at minimum a toll-free telephone number and, if the company has a website, a web address for the designated CCPA page
- Respond to verifiable consumer requests within 45 days (extendable once by a further 45 days when reasonably necessary, provided the consumer is notified), and honor opt-out requests
- Ensure you can find all instances of that data across all systems (e.g. CRM, marketing automation platform, ERP, data lakes, etc)
- Provide a portable report of an individual’s PII which may be delivered by mail or electronically
- Include a “Do Not Sell My Personal Information” link on your company’s website homepage
Civil penalties are up to $2,500 per violation, and up to $7,500 per intentional violation, enforced by the California Attorney General. Separately, California residents have a private right of action when certain non-encrypted, non-redacted personal information is exposed in a breach caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Because each affected consumer is counted, a breach of a large customer database can carry substantial liability even before any regulatory fine.
In addition to these obligations, businesses must meet the "look back" requirement. Under the CCPA, the portable report responding to a verifiable consumer request must cover the 12-month period preceding the date on which the business received the request.
The CCPA uses the term "personal information" rather than PII, and defines it broadly as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household". This article uses PII as shorthand for that definition.
This covers information such as:
- Postal address (& other geolocation data)
- IP Address
- Email address
- Account Name
- Social Security Number
- And other personal identifiers
What if my database is too messy to comply with CCPA?
Many customers using a CRM or marketing automation system have asked us about how we help with CCPA compliance.
When personally identifiable information is scattered across multiple records, it is hard to produce a single, complete, portable report of an individual's PII: some of the duplicates are easy to miss, and an opt-out recorded on one duplicate may not be carried over to the others. In other words, when you have duplicates in your systems, an incomplete response or a continued sale after an opt-out becomes likely, and each of those is a violation that exposes you to penalties.
Mari Miyamoto, product manager at Tradeshift, describes how the RingLead Platform helps Tradeshift comply with data privacy regulations by improving database hygiene and cleansing their CRM and marketing automation data.
For compliance, having multiple records was a potential threat. In case you had somebody who opted out, it was registered on a single record, but maybe not another one. So we wanted to make sure that we always had one record as the source of truth and that all teams were looking at the same data.
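The failure mode described above (an opt-out stored on one duplicate but not on another) can be checked for mechanically. The following is an added illustration, not code from RingLead or Tradeshift: it normalizes e-mail and phone values so that rows from different systems match, merges duplicates into one profile whose Do-Not-Sell flag is the most restrictive value found on any duplicate, and assembles the 12-month look-back report for a request date. The system names, record IDs, and the sample rows are constructed for the example.

```python
"""Merge duplicate customer rows across systems so a CCPA request is
answered from one profile. Sample data below is constructed."""
import re
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Record:
    """One row as exported from a CRM or marketing platform (assumed shape)."""
    system: str          # assumed system names, e.g. "salesforce", "marketo"
    record_id: str
    email: str
    phone: str
    opted_out: bool      # Do-Not-Sell flag as stored on this single row
    collected_on: date   # when this row's data was collected
    attributes: dict = field(default_factory=dict)


@dataclass
class Profile:
    """The single merged view of one person used to answer a request."""
    key: str
    opted_out: bool = False
    sources: list = field(default_factory=list)   # (system, record_id) pairs
    attributes: dict = field(default_factory=dict)
    records: list = field(default_factory=list)


def normalize_email(email: str) -> str:
    """Case and whitespace differences are the usual cause of duplicates."""
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Keep digits only and drop a leading country code (US numbers assumed)."""
    digits = re.sub(r"\D", "", phone)
    return digits[-10:] if len(digits) > 10 else digits


def consolidate(records):
    """Group rows by normalized e-mail. The merged opt-out is the most
    restrictive value seen on any duplicate: one opt-out wins for all."""
    profiles = {}
    for rec in records:
        key = normalize_email(rec.email)
        prof = profiles.setdefault(key, Profile(key=key))
        prof.opted_out = prof.opted_out or rec.opted_out
        prof.sources.append((rec.system, rec.record_id))
        prof.records.append(rec)
        prof.attributes.setdefault("phone", normalize_phone(rec.phone))
        for name, value in rec.attributes.items():
            prof.attributes.setdefault(name, value)   # first value seen wins
    for prof in profiles.values():
        prof.sources.sort()
    return profiles


def lookback_start(request_date: date) -> date:
    """Start of the 12-month period preceding the request date."""
    try:
        return request_date.replace(year=request_date.year - 1)
    except ValueError:                       # request received on 29 February
        return request_date.replace(year=request_date.year - 1, day=28)


def build_report(records, email: str, request_date: date) -> dict:
    """Portable report for one consumer: every duplicate row inside the
    look-back window, plus the merged Do-Not-Sell status."""
    prof = consolidate(records).get(normalize_email(email))
    if prof is None:
        return {"email": normalize_email(email), "found": False}
    start = lookback_start(request_date)
    in_scope = [r for r in prof.records if start <= r.collected_on <= request_date]
    return {
        "email": prof.key,
        "found": True,
        "do_not_sell": prof.opted_out,
        "window_start": start.isoformat(),
        "sources": prof.sources,
        "records_in_scope": [
            {"system": r.system, "record_id": r.record_id,
             "collected_on": r.collected_on.isoformat(), **r.attributes}
            for r in in_scope
        ],
        "attributes": prof.attributes,
    }


# Constructed sample: one person appears three times across two systems,
# and only one of the duplicates carries the opt-out.
SAMPLE = [
    Record("salesforce", "003A", "Jane.Doe@Example.com", "(415) 555-0100",
           False, date(2018, 6, 1), {"name": "Jane Doe"}),
    Record("salesforce", "003B", "jane.doe@example.com", "+1 415 555 0100",
           False, date(2019, 3, 10), {"company": "Acme"}),
    Record("marketo", "M-77", " jane.doe@example.com ", "4155550100",
           True, date(2019, 11, 2), {"name": "J. Doe"}),
    Record("marketo", "M-78", "bob@example.net", "415-555-0199",
           False, date(2019, 8, 20), {"name": "Bob Roe"}),
]
REQUEST_DATE = date(2020, 1, 15)   # constructed date the request was received

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE, "JANE.DOE@example.com", REQUEST_DATE), indent=2))
```

Run as written, the report for Jane shows `do_not_sell` as true even though two of her three rows say otherwise, lists all three source rows, and includes only the two rows collected inside the window starting 2019-01-15. Matching on e-mail alone is deliberate for the illustration; a production matcher would also use phone, postal address and fuzzy name comparison, and every merge decision should be logged so the response to a request can be audited later.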
The RingLead Platform is built with the industry’s most powerful duplicate matching algorithms for Salesforce, Marketo, Pardot, and Eloqua.
Our suite of customer data hygiene solutions can help you cleanse, organize, and protect your database so you never have to spend time and money wrangling data to comply with CCPA.