Coming on the heels of the GDPR (General Data Protection Regulation), the California Consumer Privacy Act of 2018 (CCPA) takes effect in January 2020, and similar online-privacy bills are pending in about ten other states. The CCPA is the most recent US privacy law of its kind; it applies to for-profit businesses that collect California residents' personal information and meet at least one of its threshold tests, such as annual gross revenues over $25 million. Because of the expansive, borderless nature of the internet, both the GDPR and the CCPA have extraterritorial reach, and enterprises should take care to ensure compliance. The truth is that even if you are GDPR compliant, you still have a little work to do for CCPA compliance.
The beauty of these regulations is that they can be leveraged as marketing points, showing your customers how seriously you take data breaches, data collection and their overall privacy. The kinds of information these laws treat as personal information include, but are not limited to: names, aliases, addresses, emails, account names, social security numbers, medical information, passport details, educational information, biometric data, commercial information, IP addresses, phone numbers, PINs, media information, geolocation, and similar data.
The point of the CCPA is for consumers to be in control of what information companies store and sell about them. How? It grants consumers the ability to request that their personal information be deleted, requires companies to disclose the information they collect, and requires businesses to inform people of why their information is being held. It also requires them to disclose which third parties receive the information.
Failure to comply with the GDPR can result in fines of up to €20 million or 4% of your annual global turnover, whichever is higher. The CCPA, by comparison, assesses civil penalties per violation (up to $2,500 per violation, or $7,500 per intentional violation), so the total is uncapped and scales with the number of individuals whose rights you violate. Aside from fines, failing to respect consumer data can cost you a competitive edge over companies that do. Transparency is all the rage these days, with most consumer groups containing a large percentage of millennials, and the majority of your site's visitors are curious about how you are protecting them.
Below is a little list of FAQs companies might come across during their CCPA transition. When on a call with a customer, designing an information collection form, or publishing information for your company – you can think about these requirements as something you might include as part of that process in order to remain transparent along the way:
1. Is your link to opt out of data or request information on personal data visible and readily available?
The opt-out link should be extremely easy for consumers to find: on your home page, in their profile settings, and at sign-up, so that those who want to opt out can do so.
2. Have you updated your company’s privacy page to alert consumers to your compliance?
When the CCPA goes live, people are going to be curious about who has their information and how they can control it. We’ve all had conversations where we are freaking out because we googled monkeys and got advertisements about the zoo. Get ahead of the trends and show your commitment to data privacy and consider issuing an alert to all your customers.
3. Do you have a process in place to handle data deletion requests at consumer request?
As someone whose job it is to worry about how your company is perceived, ensuring an intentional message and the communication of that message is vital. It is a bad look (read: a violation) if 45 days have gone by and no one has responded to a customer's request; the CCPA requires a response within 45 days of receiving it. Making sure your company can respond to and act on deletion requests in a timely manner could save you from a PR disaster, because one wrong tweet from the right account can cause a major (and likely avoidable) stink. Getting the response timing down and the process running smoothly can also help your company avoid fines, lawsuits and uncapped penalties.
4. When customers are filling out forms, does your company include a button that says "Do Not Sell My Personal Information"?
It is the internet's equivalent of the telemarketing "Do Not Call" list. Before selling the contact information of potential leads, ensure that no one on that list has asked you not to sell their information, regardless of how you obtained it.
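Items 3 and 4 above describe two processes that are easy to get wrong in practice: a "Do Not Sell" suppression list that is not applied consistently (different capitalisation of the same address, purchased lists skipped), and deletion requests that quietly pass the 45-day window. The following is an added illustrative example, not code from this article or from any platform it mentions, of a minimal ledger that does both. It assumes email is the identifier, uses a keyed HMAC pseudonym so the suppression list is not itself another copy of personal information, and treats the 45 days as calendar days counted from receipt (the key, the sample leads and the dates are all constructed for the example).

```python
"""Illustrative opt-out suppression list and deletion-request deadline tracker (added example)."""
from __future__ import annotations

import hashlib
import hmac
import unicodedata
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Response window the article cites for a consumer request (assumption: calendar days from receipt).
RESPONSE_WINDOW_DAYS = 45


def normalize_email(addr: str) -> str:
    """Canonicalise an address so trivially different spellings match the same opt-out."""
    return unicodedata.normalize("NFKC", addr).strip().casefold()


@dataclass
class DeletionRequest:
    subject: str                  # pseudonymous identifier, never the raw address
    received: date
    completed: Optional[date] = None

    @property
    def deadline(self) -> date:
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS)

    def is_overdue(self, today: date) -> bool:
        # Still open after the deadline day has passed.
        return self.completed is None and today > self.deadline


@dataclass
class PrivacyLedger:
    """Keeps the Do-Not-Sell list and deletion requests under keyed pseudonyms."""
    key: bytes                                      # hypothetical secret; keep it in a secrets store
    do_not_sell: Set[str] = field(default_factory=set)
    deletions: List[DeletionRequest] = field(default_factory=list)

    def _pid(self, email: str) -> str:
        # HMAC rather than a bare hash so the list cannot be reversed with a dictionary of addresses.
        return hmac.new(self.key, normalize_email(email).encode(), hashlib.sha256).hexdigest()

    def record_opt_out(self, email: str) -> None:
        self.do_not_sell.add(self._pid(email))

    def has_opted_out(self, email: str) -> bool:
        return self._pid(email) in self.do_not_sell

    def filter_leads_for_sale(
        self, leads: List[Dict[str, str]]
    ) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
        """Split a lead list into (sellable, suppressed); applied to purchased lists as well."""
        sellable: List[Dict[str, str]] = []
        suppressed: List[Dict[str, str]] = []
        for lead in leads:
            (suppressed if self.has_opted_out(lead["email"]) else sellable).append(lead)
        return sellable, suppressed

    def record_deletion_request(self, email: str, received: date) -> DeletionRequest:
        req = DeletionRequest(self._pid(email), received)
        self.deletions.append(req)
        return req

    def complete_deletion(self, email: str, completed: date) -> int:
        """Mark every open request for this person as done; returns how many were closed."""
        pid, closed = self._pid(email), 0
        for req in self.deletions:
            if req.subject == pid and req.completed is None:
                req.completed = completed
                closed += 1
        return closed

    def overdue(self, today: date) -> List[DeletionRequest]:
        return [r for r in self.deletions if r.is_overdue(today)]


# Constructed sample data (not real people): leads from a sign-up form plus a purchased list.
SAMPLE_LEADS = [
    {"email": "Jane.Doe@Example.com ", "source": "signup-form"},
    {"email": "bob@example.net", "source": "purchased-list"},
    {"email": "carol@example.org", "source": "purchased-list"},
]


def demo() -> Tuple[List[str], List[str], int, int]:
    ledger = PrivacyLedger(key=b"example-only-key")
    ledger.record_opt_out("jane.doe@example.com")   # clicked "Do Not Sell My Personal Information"
    sellable, suppressed = ledger.filter_leads_for_sale(SAMPLE_LEADS)

    ledger.record_deletion_request("carol@example.org", date(2020, 1, 2))
    ledger.record_deletion_request("bob@example.net", date(2020, 1, 2))
    ledger.complete_deletion("bob@example.net", date(2020, 1, 20))   # handled in time
    overdue_on_day_45 = len(ledger.overdue(date(2020, 2, 16)))      # deadline day: still on time
    overdue_on_day_46 = len(ledger.overdue(date(2020, 2, 17)))      # carol's request is now late
    return (
        [lead["email"] for lead in sellable],
        [lead["email"] for lead in suppressed],
        overdue_on_day_45,
        overdue_on_day_46,
    )


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the suppression check runs on every list that leaves the company, including purchased ones, because the opt-out attaches to the person rather than to the source of the record; and the deadline check is a pure function of the request date, so it can be run as a daily job that pages whoever owns the process before, not after, the window closes.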
Many marketing technology platforms have taken steps to assist marketers with compliance. Keep in mind that platforms are designed to help you make things happen, not necessarily to help you abide by key pieces of legislation. If someone uses accounting software to launder money, it is the user, not the platform, that would likely be at fault. Using every platform in your tech stack with the basic data privacy regulations in mind will help you avoid fines and avoid misrepresenting your company.
As an example, Oktopost allows users to delete any personal information being stored at an individual’s request. Users can also tailor how long such information might be retained or discontinue any tracking moving forward. We take data privacy seriously at Oktopost and have taken multiple steps to ensure our tool’s ability to accommodate your legal needs. Read more about our company’s security and customer data protection here.
Disclaimer: This article is the result of my research. I am not a lawyer nor am I certified to provide legal advice. If you feel you need legal advice, please consult an attorney regarding laws around CCPA/GDPR/internet privacy compliance. I do not represent the state of California or the EU in any way. For more information please visit GDPR or CCPA.