In 2018, the California State Legislature passed the most comprehensive consumer data privacy act in the history of the United States, paralleling the European Union’s data privacy law (GDPR) passed two years earlier.

The CCPA echoes the sentiment that the commercial use of personal data needs greater regulation as we move toward the future of the digital economy. The CCPA takes effect in 2020, leaving businesses with many questions about the compliance, regulations, penalties, and what exactly constitutes personal information.

What is CCPA?

The California Consumer Privacy Act (CCPA) is the most comprehensive data privacy law in US history. It allows any California resident to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with.

CCPA affects consumer data in two ways:

  1. Establishes and protects data privacy rights for California residents 
  2. Enforces regulations on businesses pertaining to the housing, sharing, and sale of personally identifiable information (PII)

Alastair Mactaggart, the real estate magnate behind CCPA, describes its purpose as giving consumers “the right to know and the right to say no.”

When does CCPA go into effect?

The California data privacy law goes into effect on January 1st, 2020. However, businesses have been given a grace period of 6 months to comply with the new legislature.

On the consumer side, this law already covers you if you are a California resident. But for businesses that meets the requirements below, you’ve got until July 1st, 2020 to comply with CCPA.

Who does the CCPA affect?

The CCPA places new obligations on organizations that collect and sell personally identifiable information (PII) of California consumers. 

The CCPA is enforceable against businesses that meet the following criteria:

  • Annual gross revenue of over $25 million.
  • It engages in buying/selling/receiving data of at least 50,000 consumers, households, or devices.
  • It generates at least 50% of its annual revenue from selling consumers’ personal information.

Regardless of whether your organization is B2B or B2C, if you engage in commercial data activities with any California residents, you must comply or face the penalties.

How to comply with CCPA:

To comply with the California Consumer Protection Act, companies need to do the following:

  • Update privacy policy to include a section about CCPA 
  • Put a disclaimer and link to the privacy policy wherever data is collected (e.g. forms, trade show booths, live events)
  • Provide 2 methods for a person to request access to their PII, have it deleted, and opt-out of its sale: a toll-free telephone number; and a web address to the designated CCPA page 
  • Respond to verified consumer requests and opt-out requests within 45 days
  • Ensure you can find all instances of that data across all systems (e.g. CRM, marketing automation platform, ERP, data lakes, etc)
  • Provide a portable report of an individual’s PII which may be delivered by mail or electronically
  • Include a “Do Not Sell My Personal Information” link on your company’s website homepage

What if I don’t comply with CCPA?

Fines for companies are $2,500 per violation (and $7,500 for willful violations). Companies are also open to lawsuits from California residents, should the offending company not follow protocol. Fines for individuals who partake in the sale of data are between $100 and $750 per violation.

How far back must my data report go?

In addition to the myriad of regulations, business must follow with the “look back” requirement. Under the CCPA, the PII in a portable report must cover the 12-month period preceding the date upon which the covered business receives a verifiable consumer request.

Who’s covered under the CCPA?

If you are a California resident (as shown officially in tax documentation), you are now able to access, delete, and opt-out of the sale of your personally identifiable information (PII).

CCPA vs GDPR: What’s the same, what’s different?

Top 10 CCPA Questions Answered: Everything You Need to Know about the Data Privacy Law
The CCPA allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
GDPR is stricter than CCPA in that it not only pertains to businesses but any entity that houses, transfers, or sells personal information. Under the EU law, these all fall under the designation of “data controllers.”
Businesses have until July 1st to make any changes necesary to their website and database operations.
This simply means that parties not located within the jurisdiction of the law must still adhere to the regulations. i.e: just because your business may not be headquartered in California or Europe does not mean it is free from liability.
As opposed to the stricter opt-in clause of the GDPR, businesses only need to take action should a consumer request a report. Therefore, under the CCPA you do not need to ask consent to sell data, only allow for a person to opt out.
The CCPA only applies to non-profits that are tied to a larger corporation that meets the CCPA requirements mentioned above.

What is PII under CCPA?

The California legislature defines PII (personally identifiable information) as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”

This covers information such as:

  • Name
  • Postal address (& other geolocation data)
  • IP Address
  • Email address
  • Account Name 
  • Social Security Number
  • And other personal identifiers

What if my database is too messy to comply with CCPA?

Many customers using a CRM or marketing automation system have asked us about how we help with CCPA compliance. 

When personally identifiable information is scattered across multiple records, it is nearly impossible to create a single, portable file with all of an individual’s PII in one single report. In other words, when you’ve got duplicates in your systems, you’re putting yourself at risk of getting huge fines or worse.

Mari Miyamoto, product manager at Tradeshift, describes how the RingLead Platform helps Tradeshift comply with data privacy regulations by improving database hygiene and cleansing their CRM and marketing automation data.

For compliance, having multiple records was a potential threat. In case you had somebody who opted out, it was registered on a single record, but maybe not another one. So we wanted to make sure that we always had one record as the source of truth and that all teams were looking at the same data. 

The RingLead Platform is built with the industry’s most powerful duplicate matching algorithms for Salesforce, Marketo, Pardot, and Eloqua.

Our suite of customer data hygiene solutions can help you cleanse, organize, and protect your database so you never have to spend time and money wrangling data to comply with CCPA.

Learn more about the RingLead Platform