Is there any better way to ring in the new decade than more compliance training? Uh, no! Put away that silly champagne and let’s crack open a big ol’ bottle of 2020 California Consumer Privacy Act (CCPA). When the ball drops at midnight on January 1 and CCPA goes into effect, we want to make sure you know what it means, if it applies to you, and what Invoca has done to ensure that we (and, in turn, Invoca customers) are compliant. So grab a glass, sit down by the fire, and let’s get down with CCPA! Oh, go grab that champagne, too. We’re going to need it.
What is CCPA?
CCPA is new state legislation that will provide additional data privacy rights and consumer protections for residents of California. Before you pop on your 2020 party glasses and run out of the room because your business is not based in California, note that CCPA applies to any company that conducts business in or on behalf of anyone in California. Since California makes up 12% of the national population and 17% of its net worth, that likely means you, so you might as well sit back down and keep learning.
CCPA gives California consumers the right to:
- Know what personal data is being collected about them
- Opt out of having their data sold to a third party or being used by the company they transacted with
- Have access to the data that has been collected on them
- Have any data collected be deleted from a business’s systems
- Not be discriminated against by the company for exercising any of the above rights
If a company conducts business in the state of California and has annual gross revenues in excess of $25 million; possesses the personal information of 50,000 or more consumers, households, or devices; or earns more than half of its annual revenue from selling personal consumer information, then it will be impacted by CCPA.
When looking at how personal data is defined in CCPA, the best way to describe it is that it is broad in scope. Within the regulation, they have defined it as any information that identifies, relates to, describes, can be associated with or links to (directly or indirectly) any particular consumer or household. That definition alone probably has you thinking “they could really mean any piece of data”. And that’s not far from the truth.
To help simplify this, here’s how CCPA categorizes personal data:
- Identifiers (i.e. name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers)
- Commercial information (i.e. records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)
- Biometric information (i.e. DNA or genetic information)
- Internet or other electronic network activity information (i.e. browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement)
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information, provided that it is not publicly available
- And inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, etc.
The good news here is that CCPA and GDPR are extremely similar in their definition of “personal data,” so if you already went through the steps to prepare for GDPR last year, you are in great shape for when CCPA goes into effect, and your teams will mainly be preparing for the few areas of difference between the two.
Why CCPA Was Created
With so many new privacy regulations instituted in the last few years, many people are asking why now? (And WHY ME??) It can mostly be attributed to the rise in consumer demand for more control of their personal data. The Pew Research Center found that 75% of consumers say there should be more government regulation of consumer data and how businesses may use that information.
Since the U.S. has not introduced any federal regulations for consumer data privacy, it is up to the states to do so. CCPA is an example of the state of California taking this action, and you will likely see more states following suit in the very near future. This will no doubt (eventually) drive lawmakers in Washington to institute a federal regulation, as a mish-mash of state laws makes compliance increasingly difficult. This is exactly what prompted the creation of GDPR, so you should just prepare yourself to read another one of these articles on the new U.S. regulation here next year. Sorry in advance.
Why CCPA is Important to Marketers
The bottom line is that marketers use lots of consumer data and technologies that harness it, and if you’re in the U.S., you probably also do business in California. Data privacy regulations will only continue to expand and once the dust settles and people start dissecting the impact of these regulations, industry experts are predicting that there will be either new regulations or modifications to CCPA and GDPR to fill the gaps. This means that assuring compliance will no longer just be a checkbox to be quickly ticked off, but a business requirement for every piece of technology that you use. And there are steep fines and potential PR disasters awaiting those who fail to meet the requirements, just in case you needed some more motivation.
Now, CCPA doesn’t just impact companies and how they handle the data of their customers, but their technology providers as well. In many cases, technology providers and vendors are responsible for handling consumer data for companies, which means that they must not only be compliant but be prepared to walk their customers through the CCPA compliance process.
It might sound like a pain, but it will actually create an opportunity for tech vendors to step up and help their customers by offering to ensure compliance with new data privacy laws and sharing knowledge of the new standards. Ensuring compliance is a huge pain point for companies that work with dozens of tech vendors and partners, so technology partners must be able to help businesses navigate the murky waters of compliance now and in the future, as privacy laws continue to evolve and change.
How is Invoca responding to CCPA?
At Invoca, proper handling of sensitive data has always been and will continue to be a top priority. We recognize that our customers are looking for a technology provider that treats them and their data with the utmost care — not just to comply with the law, but to go above and beyond to earn and keep your trust. This is why we’ve taken a comprehensive approach to preparing for CCPA. Here are some of the key actions that we have taken:
- Implemented a Data Processing Addendum with active customers that mandates we follow the requirements and standards set forth by our clients of collecting, storing and retrieving data on their behalf
- Ensured all third-party vendors we utilize for data collection and storage are CCPA compliant
- Not storing and making data accessible in the Invoca platform that is outside of our client’s instructions or business needs
- Implemented processes and mechanisms to allow for data modification or deletion when a customer or their customers submit a request
- Ensuring notification to clients within 72 hours of a data breach
- Offering transparent communication around data access, storage, transmittance, and modification
- Providing regular training to all Invoca employees on CCPA requirements
Like most things compliance, CCPA is complicated and can be difficult to digest. If there is anything you take away from this on what CCPA is, let it be that CCPA covers:
- Processing (doing most anything at all)
- Personal Information (everything except data that is not capable of being associated with an individual or household)
- About California residents/households (40 million — 1 in 8 Americans)
- By Data Controllers (including your customers)
- For commercial purposes (any activity intended to advance a commercial or economic interest)
One way or another, CCPA will impact many if not most marketing professionals. You may not have to be an expert, but you have to be aware of its potential impacts on your business, especially when making technology purchases that may change the way you handle consumer data. If you are an Invoca customer, you can rest assured that we are CCPA compliant. Here’s to 2020 and all of the new compliance standards to come in the new year. Now, where’s that champagne?