The California Consumer Privacy Act (CCPA) will be taking effect in less than six months, which means that Digital Marketers and technologists need to be prepared to ensure their websites are properly compliant. What do you need to do to be ready? Here is some high-level information that should help you determine your next steps.
What is it, and when does it start?
Passed in June of 2018, CCPA regulations will take effect January 1, 2020 (although some provisions have been delayed until July 1, 2020). At its core, the CCPA is a personal data protection law passed by the State of California that provides consumers more information and control over how their data is being used and requires companies to be more transparent in their handling of consumer data.
Does it apply to me?
These regulations apply to organizations if they collect personal data of California residents, and meet any one of the following additional criteria:
- An annual gross revenue of $25 million or more
- 50 percent or more of annual revenue is derived from selling the personal information of consumers
- Personal information of at least 50,000 California residents or households is obtained, bought, or sold on an annual basis
Note that the law interprets “California resident” broadly: the term covers not only any person who lives in the state, but also California residents while they are traveling in other states.
When it comes to privacy regulations, even if you’re unsure if your organization is exempt or not, we are strong advocates of the ‘better safe than sorry’ philosophy. Employing best practices when it comes to managing your customers’ data is a good way to help avoid possible fines as well as other potential data or privacy headaches further down the road.
Ultimately, if you’re still unsure about whether these regulations are applicable to you, you should seek legal advice to determine if CCPA laws apply to your organization.
How do I ensure my site is compliant?
To ensure your compliance with CCPA, here are some of the actions we recommend you get started on (keeping in mind that you should obtain professional legal advice to ensure complete compliance):
- Your policy needs to clearly state information on what personal information you collect, how you do so, and why.
- It must also tell users how they can request access to their personal data you have collected, as well as explain how they may move, update, or delete this data.
- You must specify what method you use to verify the identity of individuals who make data information requests.
- If you engage in any sales of personal user data, your policy needs to state the details of how this information is shared, and how users can opt out of the selling of their data.
- Ensure your website has a method in place to verify user identity
- To be compliant with CCPA, you’ll need to make sure that any person who submits a data request is really the individual the request is about. Following this process also makes sense as a data privacy best practice.
- Introduce a “Do Not Sell My Personal Information” link on your home page that allows users to opt out.
- CCPA does not prohibit the sale of user data, but it does require you to make it easy for customers to opt out, so this link should be obvious and easily accessible.
- This is also a good time to audit your data security practices as a whole. What are your methods for allowing users access to their own data, as well as your safeguards for making sure user data is safe from unauthorized access?
- Make sure you are accurately tracking and saving evidence of user consent received
- Under CCPA regulations, you do not need to obtain prior consent of users aged 17 and above in order to sell their personal data. However, prior consent from minors must be acquired before selling their personal information.
- For those aged 13 to 16, this consent needs to be obtained directly from the user. For those younger than 13, it is necessary to obtain consent from their parents or guardians.
- As a best practice, you should not only keep each and every consent obtained from minors and their parents, but also store documentation of all users who have either given or rejected consent. Be sure to audit your process for managing this data properly.
Where can I learn more?
BlueModus, as a premier technology agency, has a team of developers and strategists well-versed in website data management practices. We can perform a thorough audit that will analyze your existing platform configuration, to uncover potential compliance or data management issues, as well as make recommendations on how to fix or improve any issues. Contact us today to get started.