What Is the California Consumer Privacy Act (CCPA)? Advertiser Q&A
The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. The forthcoming law symbolizes how consumer privacy is increasingly taking center stage among governmental bodies in the United States. Preliminary estimates suggest it will cost businesses $467 million to $16.5 billion to comply in coming years.
At this point, it’s safe to say that every major advertiser is aware of the CCPA. But it’s not always easy to understand exactly what this omnibus legislation is all about. So we’re going to answer some question that we’ve been getting. Check it out – the CCPA might apply to you whether or not you do business in California, so it’s important to understand it:
What Is the CCPA?
The CCPA is new legislation designed to enhance privacy rights of California residents. With a population of nearly 40 million, California is considered a bellwether state. Many privacy experts are watching the CCPA closely because of its potential impact on how privacy is legislated across the United States.
How Does the CCPA Enhance the Privacy Rights of California Residents?
The CCPA grants new rights to California consumers, per the CCPA website:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
- The right to delete personal information held by businesses and by extension, a business’s service provider;
- The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
What Does the CCPA Require of Businesses?
In a single sentence: the CCPA imposes requirements on how businesses collect, use, and disclose information about California residents.
But the legislation is dense and difficult to untangle. Per the CCPA website, businesses must fulfill these obligations:
- Businesses subject to the CCPA must provide notice to consumers at or before data collection.
- Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete.
- For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
- Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes.
- As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
- Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
- As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out.
- As proposed by the draft regulations, businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
- As proposed by the draft regulations, businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
- In addition, businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.
In coming months, what’s likely going to happen is that businesses will learn through trial and error. Stay tuned. And learn from the inevitable violations that are bound to make the news.
Who Must Comply with the CCPA?
Companies doing business in California subject to the CCPA if one or more of the following are true:
- Has gross annual revenues in excess of $25 million.
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
I’m Not Based in California. Do I Need to Worry about the CCPA?
The conditions stipulated above may indeed apply to you if you are outside California. For instance, if you are buying, receiving, or selling the personal information of 50,000 or more consumers, households, or devices in California, CCPA may apply to you regardless of where you are located. Read this insight for more detail.
What Is the Penalty for Noncompliance?
Businesses may be fined up to $7,500 for violation. Businesses could also face civil damages of up to $750 per violation, per user. The key phrase here is “per user.” A major violation could cost a business millions.
Will More States Enact This Kind of Legislation?
They already are. Nevada has enacted its own version of the CCPA already. Here is more information on how other states are enacting privacy legislation.
How Do I Ensure I Am Compliant?
A number of security firms provide compliance services. Unless you have a strong in-house security team, your best bet is to look for compliance help from a specialist.
Contact True Interactive
To manage advertising online effectively, contact True Interactive. We’re here to help!