Basics of the California Consumer Privacy Act
On January 1, 2020, most larger companies and organizations doing business in California were required to comply with the state’s privacy legislation, which establishes a legal and enforceable right of privacy for every California resident. As with GDPR, the new regulations are not limited to businesses based in California; they apply to all companies that do business in the state.
In summary, the CCPA provides the following protections for the personal data of California consumers:
- Ownership. Protects consumers’ rights to tell a business not to share or sell personal information
- Control. Provides consumer control over the personal information that is collected about them
- Security. Holds businesses responsible for safeguarding personal information
Who must comply? Any business or organization that meets just one of the following criteria:
- Has revenues in excess of $25 million
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes
- Receives 50% of its annual revenues from selling consumers’ personal information
What’s at Stake Beyond Regulatory Compliance? Trust
Beyond the regulatory compliance aspect of GDPR, CCPA, and other privacy concerns, building consumer trust has become even more important for companies and organizations across the globe. GDPR, CCPA, and related legislation require companies to ask customers for consent before they collect and use their data, and companies must also keep a record of that consent.
Privacy is also crucial for businesses that want to build deep and trusted digital relationships with their customers. In today’s business climate, customers have high expectations that their personal data is secure and will be kept private. We frequently read about cases of data abuse, breaches, and identity theft, and such cases have raised the bar for companies that want to be seen as trustworthy keepers of personal data. When customers store data with an organization, they are extending trust, and if that trust is breached, it is very difficult to restore.
People will only give a brand their consent to process their data if the company offers both value and trust in return. No trust means no consent, and therefore no data, which stalls many sales and marketing efforts. Trust is often considered the currency for companies seeking to obtain customer data.
Privacy Compliance and the User Experience
Under GDPR and CCPA, customers must be able to view, modify, and even revoke their consent at any time. Businesses that provide simple web forms to collect consent and then purposely make it difficult to revoke consent through complex bureaucratic processes are no longer in compliance. Furthermore, companies need to clearly inform people why they are collecting the data and what they are going to use it for.
There are quite a few implications for sales and marketing organizations. For example, under GDPR, consent must be opt-in rather than opt-out, so organizations can no longer use pre-checked boxes on landing pages for gated content to obtain consent. Under CCPA, however, implied consent is still allowed, so a pre-checked box is still compliant. Such differences in regulations can cause headaches for global players faced with the prospect of addressing two major markets with websites and apps that need to display different registration forms. Companies will have to deploy entirely separate websites and apps to address different regions, multiplying the effort to develop and maintain code.
Both GDPR and CCPA prohibit excessive data collection, meaning that companies can only collect personal data that is needed for the service or product they offer. Asking for a phone number or gender to enable the download of a white paper or an e-mail subscription is no longer allowed. Businesses now need to rethink and redesign their user experiences and eliminate data fields on registration pages and other forms that may be considered excessive data collection.
We are in a new era of data privacy with rapidly changing regulatory and compliance rules. Stay tuned to our blog to keep abreast of the topics related to data storage and data protection.