3 Things to Know About California’s Consumer Privacy Act

Published by Keslie Wright in Marketing on January 9, 2020

This past year, we took a serious look at our privacy policy to ensure that not only were we doing right by our website visitors but that our clients were also upholding security best practices. While we understand that GDPR may not apply to our audiences directly, we also recognize that it’s a good standard for our business. With California’s recent introduction of the California Consumer Privacy Act (CCPA), the standards set by GDPR may have just been that first step toward being prepared for compliance regulations in the US. How does the CCPA compare to GDPR? And, what should you be doing to keep your business protected from non-compliance?

What is CCPA?

California has been the leader in streamlining legislation and regulations for the safety of its residents for years — specifically when it pertains to data security. That’s why it’s no real surprise that they’re the first state to develop and pass a privacy act that puts securing consumers’ personal information at the forefront.

The CCPA — which went into effect January 1, 2020 — ensures that California residents have a right to learn what data companies collect about them and to opt out of their data being collected. They also have the power to ask companies to delete any stored data and to restrict the sale of their personal data. This applies strictly to California residents. While the full impact of this act is still being determined, there are a few different ways that it will directly impact US businesses.

CCPA vs GDPR

Similar to GDPR, CCPA applies to a certain group of people. GDPR applies to anyone targeting EU data subjects, while the CCPA protects California consumers. Even though the covered individuals differ slightly, both regulations protect natural persons rather than legal (artificial) persons.

GDPR focuses on ensuring businesses are prepared for data breaches and that they take the right steps if one occurs. The CCPA, rather than taking that proactive approach, focuses on the consequences a business faces if it experiences a data breach. Consumers in California have the right to sue a business for losing their information in a breach if negligence was involved.

Perhaps the biggest difference is how each regulation treats opt-out requests. The GDPR does not actually require businesses to offer an opt-out from selling personal data; rather, it allows data subjects to withdraw their consent for data processing activities and third-party marketing activities. The CCPA, however, requires businesses and service providers to comply with consumers' opt-out requests and prohibits them from selling that consumer's data for a minimum of 12 months after the consumer opts out.

3 Ways CCPA Can Impact Your Business

So, what does all this mean for your business? If you don't currently do business with anyone from the state of California, and you don't plan to ever do business with anyone from the state of California in the future, then it doesn't mean anything — yet. Just as the CCPA passed fairly soon after GDPR, you can expect that most other states will follow California's lead in the near future. Until then, you can prepare for compliance — along with anyone else doing business with California residents — by making these three changes:

1. Add a link to your site homepage that says "Do Not Sell My Personal Information" if your site features registered user accounts and there is a possibility you might resell user data from those accounts. This link should allow users to opt out of their data being sold for a minimum of 12 months. The link should be clearly visible and could be displayed in the footer next to your privacy policy link.

2. Comply with consumers' opt-out requests. It can be frustrating to lose valuable user data — especially when you're trying to be helpful and show users related items that you think they may want — but it is even more frustrating for a consumer to request that their information be deleted and then find out that it has not been. Respect their choice and strictly comply with the regulations set by CalOPPA, CCPA, and GDPR.

In some cases, you may not be able to delete stored data because it’s being used for administrative purposes or legal reasons. If that is the case, you must respond to consumers’ requests within 45 days. This can be extended to 90 days after consumer notification.

3. Do not reauthorize the selling of personal information until more than 12 months after the consumer has opted out. A lot can change within a year, but what shouldn't change is how you handle the data of a consumer who has opted out of your data storage and sales.

The Symphony Agency Helps You Remain Compliant

We’ve worked with hundreds of businesses across the medical, legal, cybersecurity, and HVAC industries, so we know the importance of secure data and meeting compliance regulations. We strive to help our customers become or remain compliant by implementing best practices across our website development projects.

For more information about CCPA, GDPR, and updating your privacy policy, contact us, or email your success manager.

*This blog post was written to provide general information about privacy policies and CCPA compliance. For more information, visit the links provided.
