consumer data privacy ccpa
Water Cooler
Back to Blog

How Wisconsin Businesses Can Prepare for California’s Consumer Privacy Act (CCPA)

Derek Blaszak

Director of Digital Marketing

Whether it’s because people are creeped out by the thought of Alexa and Google constantly listening to their lives or fed up by data breaches and practices that put personal information in questionable hands, lawmakers in the U.S. are taking action … starting with a new digital privacy law in California.

But, it’s also a law that will impact businesses in Wisconsin and all over the country.

Privacy around personal data has become a major issue. Most people know that big tech companies such as Google, Facebook, and Amazon are collecting information about them based on what they do online, and what’s potentially picked up via the microphone on a smart device.

Smaller companies, including B2B organizations, are also collecting and storing some personal data from customers and website visitors. That could include anything from email addresses and contact information to credit card numbers and other sensitive data.

Beginning in 2020, organizations that potentially do business with people residing in California will need to take a close look at how they handle data privacy and protect personal information. The California Consumer Privacy Act (CCPA) goes into effect on January 1st, and it is likely the first of similar state laws looking to regulate data collection and storage practices.

You may recall hearing about the European Union’s General Data Protection Regulation (GDPR) law, which went into effect in May of 2018. Even though it is an EU law, GDPR affected the marketing efforts of many businesses in the United States, including several of Element’s clients.

Because we live in a global economy, any company that does business with people in the EU had to examine its data collection practices, and in many cases, make some changes.

More than a year ago, we explained on the Element blog that California would be the first state to adopt a regulation similar to GDPR. Now, there are just a matter of months before businesses will need to ensure they are in compliance.

Because California is such a populous state, one out of eight Americans will be covered under CCPA. And, it’s likely that this is just the beginning of a shift towards increased data privacy. According to the National Law Review, several other states are considering measures that are similar to CCPA.

Getting prepared ahead of the 2020 deadline for CCPA will help ensure you can continue doing business in California and will be ready when other state laws are passed.

7 Things You Should Know About CCPA Compliance

Many business owners and marketing leaders have questions about what CCPA means for the company, their website, and online marketing efforts. Here are some of the key details of the law and how it could impact your organization.

1. Who Does CCPA Affect?

CCPA is designed to protect consumers. But the rules extend to B2B operations as well, since there is still personal information being collected. As explained on the JDSupra.com legal blog:

“Despite its ‘Consumer Privacy Act’ title, as currently drafted, CCPA applies to any business that meets the criteria listed … even if it does not deal directly with consumers. The definition of ‘consumer’ is also very broad and includes any individual who is (1) in California for other than a temporary purpose, or (2) domiciled in California but is outside the state for a temporary purpose.”

There has been some effort to avoid forcing small businesses to comply with CCPA, but that is an area of confusion. Lawyers and businesses are concerned about what’s often described as vague language in the legislation, especially the question of whether employees would be included in the definition of consumers. In some cases, an individual could be both an employee and a customer of a business.

Here are the basic thresholds that would require CCPA compliance:

  • You are a for-profit organization doing business in California (even without a physical presence) and collect personal information from residents of the state
  • Your company has annual gross revenue that exceeds $25 million
  • Your company possesses the personal information from more than 50,000 consumers, households, or devices
  • Your company earns more than half its annual revenue from selling personal information

Businesses that are controlled by an entity that meets the criteria above would also need to comply. So, if you are a smaller enterprise with a large parent company, CCPA compliance may be required.

2. What Defines Personal Data?

What alarms most people about consumer data collection are things like smartphones and other devices listening to your private conversations and using that information. CCPA, however, gets much more rudimentary when it comes to defining personal data.

Personal data could include full names, postal, email, and IP addresses as well as much more sensitive data such as social security numbers, tax information, passport numbers, and insurance policies. An individual’s personal characteristics, like their height, weight, and eye color are also included.

One important way the CCPA differs from GDPR is that it extends beyond basic personal information to household information. The California law, however, does not consider information that is publicly available to be personal.

To help manage CCPA compliance, some organizations may want to evaluate the kinds or personal data they are collecting and determine what is truly necessary and will provide the most value to the business and the user experience.

3. Providing Access and Control to Personal Data

Much like GDPR, CCPA aims to give consumers more control over their personal data, including how it is stored, used, and shared.

Under CCPA, an individual from California has the right to inquire about what information a business is collecting about themselves, their household, children, and devices. This can be done as often as once per year. People can also request that their data be deleted.

This means any company that must comply with CCPA must also have a way to produce the information and provide it to those who request it. Plus, organizations must have a way to expunge the data as well.

As you may have noticed since the implementation of GPDR, many websites are letting people know they are placing cookies in a visitors’ browsers that follow them around the web. Others have also added “opt-in” boxes to pages with forms that collect info. These will become even more commonplace with CCPA.

4. Selling Personal Information to Third-Parties

In addition to being transparent about the information being collected, upon the request of a California resident, businesses must also reveal any third party organizations to which they’ve sold consumer data. Furthermore, businesses meeting this criteria must reveal all categories or kinds of information that was sold.

The easiest way to avoid any worries about this part of CCPA is to not sell your customers’ personal information to third parties. This requirement is mostly meant for companies such as Facebook and Google who use consumer data to support their online advertising platforms.

If, for some reason, you are selling personal data, you must provide an opportunity for users to opt out with the click of a mouse. This option must be easily accessible on any page that collects personal info.

5. Securing Personal Information

Safeguarding customer information from security breaches is another aspect of CCPA. The law requires what it describes as “reasonable security measures.” What defines “reasonable” seems to be another gray area of the regulation. Although, a 2016 California Data Breach Report from the state’s Attorney General mentions following specific international standards and points to a list of 20 controls from the Center for Internet Security (CIS).

CCPA also imposes increased fines and penalties for failing to have adequate cybersecurity measures in place. Violators are subject to fines up to $7,500 as well as civil damages of between $100 and $750 per consumer record, per incident. That could add up quickly.

No website or network connection can be 100 percent secure. But, in order to be CCPA compliant, you should make sure to have robust cybersecurity solutions in place to protect the sensitive data hackers try to access.

6. Personal Information and Minors

CCPA protects children and teens from collection of personal information by requiring companies implement a process for obtaining parental consent. The law increases the age limit requiring parental consent from 13 to 16.

This means websites marketing to minors will need to ask about a user’s age if it plans to collect any data. If a company is storing information on children and teens, it either needs to develop a separate process for California residents or change its overall method.

7. Equal Service and Price

One final consumer protection in CCPA ensures that California residents who invoke their rights under the law are treated the same as those who do not, or who are not residents of the state.

This means businesses cannot charge California residents more, deny them service, or provide lesser-quality service to individuals who request access or opt out of data collection.

Staying Agile in an Always-Changing Digital World

Depending on what industry you’re in, the way you market to prospects, and the way you communicate with customers, CCPA may or may not have an impact on your business.

However, most companies are doing businesses nationally, or may have plans to expand. Plus, more organizations are increasing their digital focus, selling products and services through e-commerce websites and using marketing automation to nurture leads generated through inbound marketing.

While Element does not provide legal advice, we do stay on top of the requirements involved with the online marketing regulatory environment. Our experts can evaluate your situation and, along with guidance from your legal team, develop solutions to ensure compliance. That way, you’ll be prepared for the launch CCPA in 2020 and whatever comes next.

At the end of the day, we should all be putting the needs of our customers first. Even though regulations can be a hassle, protecting the privacy of the people who put their trust in you is worth a little extra effort.

Before you go and make a bunch of changes to your website and online processes, make sure you get some professional legal guidance. We’re creative marketers at Element … not seasoned lawyers. And while we’d love to help you grow your business with an integrated marketing strategy, most of our courtroom experience comes from watching Ally McBeal and Boston Legal.