The California Consumer Privacy Act (CCPA) comes into force in January 2020 (with proposed regulations released not long ago), and it gives California consumers and businesses both new rights and new obligations.
W2O recently held a webinar, moderated by Larry Dobrow, Senior Editor at MM&M, to discuss the Top 10 things organizations need to know about the CCPA.
A recap of that webinar follows.
1. The CCPA applies to California residents. Specifically, it applies to “every individual who is in the state for other than a temporary or transitory purpose.” Most legal experts are assuming this means a resident as defined by the California tax code, although it’s not stated explicitly in the CCPA. There are a few possible methods of determining residency that organizations may consider, including using an IP address or a third-party verification service. Some organizations are simply treating all Americans as if they were California consumers.
2. Employees are mostly exempt – for now. In a last-minute amendment, the CCPA exempts employees, job applicants and vendors of organizations subject to the CCPA until January 1, 2021. Organizations must still disclose to these individuals the categories of information they collect, but they do not yet have to respond to other requests, such as requests to delete personal data.
3. Not all businesses are subject to the CCPA. Only for-profit organizations that do business in California are affected; the CCPA does not apply to government bodies or non-profits. In addition, at least one of three thresholds must be met – an organization must either exceed $25 million in gross revenue, handle the personal information of 50,000 or more consumers, households or devices, or derive 50% or more of its revenue from selling personal information.
4. The CCPA has new notice and disclosure requirements. Generally, this means that most organizations must update their privacy policies to include descriptions of new consumer rights, and disclosure of the categories of information they collect.
6. Businesses must respond to consumer requests in a timely manner. Requests to know what personal data an organization holds, and requests to delete that data, must be acknowledged within 10 days and acted upon within 45 days. Requests to opt out must be acted upon “as soon as possible,” and no later than 15 days.
7. Businesses must provide a specific opt-out of sale mechanism. That mechanism is prescribed by the CCPA to include a “Do Not Sell My Personal Information” link conspicuously displayed on the website, and a webform where a consumer can make that request.
8. Identity verification requires careful attention. Consumer identity must be verified, and the best-case scenario is to use a secure customer account to do so. In the absence of an account, the regulations provide specific criteria. For example, requests to know the categories of information collected must match two data points, while requests to know specific detailed information must match three data points and the consumer must provide a signed declaration that they are who they say they are. The verification required for requests to delete personal data depends on the sensitivity of that data.
9. Businesses using third-party information must ensure notice was provided by the source. Any organization using the data of a California resident that it did not collect directly from the consumer must either contact the consumer directly to provide notice or obtain an attestation from the source that notice was provided at the time of collection.
10. Collecting data from minors requires opt-in consent. The CCPA adds special rules for minors. The data of anyone under the age of 16 may be sold only with opt-in consent, and for anyone under 13 that consent must come from a parent or guardian, under both the federal Children’s Online Privacy Protection Act (COPPA) and the CCPA.
Bonus – 11. Privacy is good for business. Beyond compliance, privacy is now a key competitive differentiator. As privacy awareness has grown, consumers are actively seeking out brands they trust. A reputation as a business that protects consumers’ personal data will clearly set a business apart from its competitors. When individuals know that their data is being used only in ways they expect, and in service of their best interests, the result is increased trust, loyalty and engagement.
While that trust is important in all industries, it is particularly critical in healthcare. Delivering on the privacy promise at every stage of the relationship between a doctor and a patient builds the trust required to make healthcare decisions – running the gamut from prescribing or taking a new prescription medicine to implanting or receiving a pacemaker or other life-saving medical device.
Healthcare and pharmaceutical companies must take proactive measures to build robust data privacy programs across every interaction and ensure that their audiences are aware of these steps. With marketing and communications now reaching so many patients and healthcare professionals, and with patient preference and marketing having a large impact on prescribing decisions, data protection and privacy have become one of the primary ways of building trust.
In addition to gains in audience trust and engagement, comprehensive data privacy and protection programs bring many other benefits, including a reduced risk of data breaches, increased shareholder value, a stronger position in M&A, and higher operational efficiency.
If your organization hasn’t yet embraced privacy as a fundamental value, now is the time to take action. The CCPA is the direct result of an increase in the public’s awareness, and it’s just the beginning. Multiple states have their own privacy bills coming soon, and a new and more robust ballot measure in California for 2020 is already being promoted for signatures. Organizations that take action now will be far ahead of their competitive set, winning audience trust and gaining market share.