Sailthru’s Thoughts on Navigating CCPA
California’s new data privacy law, the California Consumer Protection Act (CCPA), came into force on January 1, 2020. Much like GDPR, its counterpart in the EU, this law responds to the ever-growing use of individuals’ personal information by giving California consumers — broadly defined as “a natural person who is a California resident” — a set of data privacy rights that support the ideals of transparency, freedom of choice, access, and fairness.
As a digital solution focused on relationship-driven businesses in professional and financial services, we at Sailthru care about the privacy laws that impact our clients and our clients’ clients, and provide solutions to support best practices in data and compliance globally.
Though CCPA is still being updated and amended, we’ve gathered a few thoughts on CCPA that may be helpful. As with any new regulation, you should confer with your legal and privacy experts to fully understand how this impacts your business.
What Are the Main Changes to Data Protection in California?
- Strict transparency obligations
- A broad new definition of “personal information”
- Several new rights for consumers
- A new regime of fines that can be levied on businesses that fail to protect consumers’ personal information
Whose Data Is Protected?
CCPA covers the personal information of California “consumers.” Under CCPA, a consumer means:
“(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.”
CCPA’s definition of “personal information” has a broad scope.
Personal Information is “information that identifies; relates to; describes; is capable of being associated with; or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This means that data tied to a unique ID can be protected even when that ID doesn’t identify a specific person: it is enough that the collected personal information could reasonably be linked to a particular consumer or household.
Who Needs to Comply?
The CCPA defines several types of entities — including business, service provider, and third party — each of which has its own obligations under the law. Consult the full text of CCPA when deciding which of these apply to your organization, as the definitions are multi-part and your organization may meet the criteria of more than one entity type.
What Rights Does CCPA Give to California Consumers?
The privacy rights under CCPA are:
- The right of Californians to know what personal information is being collected about them
- The right to request that a business delete any personal information about the consumer which the business has collected from the consumer
- The right of Californians to know whether their personal information is sold or disclosed, and to whom
- The right of Californians to say no to the sale of personal information
- The right of Californians to access their personal information
- The right of Californians to equal service and price, even if they exercise their privacy rights
What Changes Do I Need to Consider?
While we can’t tell you exactly what to do in order to comply with CCPA, there are a few general topics and good data privacy management practices that can help you navigate the act’s requirements.
- If you have an existing privacy program created in response to GDPR, consider how this program might help you comply with CCPA’s provisions. There are requirements that overlap, and some others that require CCPA-specific solutions. Be sure that data subjects in either jurisdiction understand how you’ll support their privacy rights.
- Make sure that your privacy and cookie notices are up-to-date with the appropriate information to provide transparency to individuals about how you collect, process, and share their personal information, as well as how they can exercise their rights under CCPA.
- Perform data mapping exercises to understand the categories of data subjects, personal information, and any recipients of that information (service providers, third parties, affiliates, etc.) so that you can respond to requests for access to or deletion of personal information. These data maps should also help you determine how existing contracts with vendors facilitate CCPA compliance, or how those should be amended in light of this new privacy law.
- Consider how you will need to approach CCPA’s rules on selling data. Do you currently sell data, as defined by CCPA? How do you provide notice of the sale of data? How can individuals opt out of the sale of their data?
- CCPA Homepage
- International Association of Privacy Professionals Resources
- Summary of revisions to CCPA
This post is not a comprehensive evaluation of CCPA and its requirements; only you can fully evaluate the implications of this new law for your business. That said, we are confident in our readiness to support our customers’ plans. If you have any questions, you may contact our privacy team at email@example.com.