The CCPA includes sweeping legal changes that will significantly disrupt traditional business and marketing operations. Find out how to minimize the disruption to your business at MatrixPoint.

On January 1^st, 2020, the California Consumer Privacy Act, or CCPA, went into effect. The CCPA introduces restrictions on data use and gives consumers rights and access to their data as it relates to a business’s collecting, sharing, or selling activities, and these changes will be enforced with significant fines, fees, and penalties where companies have been found in breach of the new CCPA rules.

The CCPA will have a significant impact on any businesses it regulates, so it’s incredibly important to ensure that your business is compliant with the new regulations. To streamline your compliance checks and updates contact MatrixPoint for a free consultation by calling 800-683-6983 or filling out our contact form.

How Does The CCPA Affect Businesses?

Not all businesses are impacted by the new CCPA regulations, but they do apply to companies generating over $25,000,000 a year in revenue, businesses where information sharing makes up 50% of revenue, and businesses storing the information of 50,000 or more CA consumers.

If your business meets these criteria, then it must make several important changes to become compliant with the CCPA; otherwise, your business will not only face heavy fines served by the California Attorney General’s Office but also severe consumer backlash.

Speaking of fines, in the event of a CCPA violation, your business may face penalties ranging from $2,500 to $7,500 per impacted California resident, depending on whether the violation is deemed “unintentional” or “intentional”.

If, however, the accrued damages are valued at a higher amount, then the business will be responsible for paying this amount instead. Needless to say, violating the CCPA can be financially devastating to businesses of all sizes, so it’s critical they take steps to protect themselves at the earliest opportunity.

The CCPA affects businesses in other ways as well, including:

• Updating all Agreements & Policies to Include CCPA Language
• Responding to Requests
• Improving Security to Prevent Data Breaches

Ensuring All Agreements & Policies Include CCPA Language

To become CCPA complaint, businesses must update and rewrite all public notices and privacy policies to ensure consumers understand their rights under the CCPA. Additionally, these notices must be accessible, plainly visible, and easy to read.

The CCPA also requires businesses to include details about their data collection practices, how it’s collecting data, and if the data is being shared or sold to a 3^rd party vendor.

What’s more, businesses are now also required to disclose any future changes made to public notices and privacy policies to all impacted consumers, as the CCPA may be amended in the coming months and years.

Responding to Requests

Under the CCPA, consumers can make 3 kinds of requests:

1. The right to know what information a business has collected about them
2. The right to submit a request to a business to have personal information deleted (under certain conditions, businesses can deny this request)
3. The right to opt-out of the sale of personal information

Once a request has been made, a business is required to confirm receipt of the consumer’s request within 10 days. This confirmation must also include information detailing how the business will handle the request, how the consumer’s identity will be verified, and when the consumer can expect a response.

A business will have 45 days to respond to a consumer request (beginning on the day the request was received); however, a business may take an additional 45 days for a maximum of 90 days to respond to the request if the business provides the consumer with a reason for the extension.

Additionally, there are further stipulations as to how a business must respond to a request:

• Scope of Response – Businesses must include the 12-month period preceding the data of the business’s receipt of the request[i]
• Exclude Personal Information – Businesses must not disclose specific pieces of personal information to a consumer if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks[ii]
• Security Measures – Businesses must use reasonable security measures when sending/receiving personal information to a consumer in response to a request[iii]
• Categories of Personal Information – When responding to a consumer’s verified request to know categories of personal information, categories of sources, and/or categories of third parties, businesses must provide the consumer an individualized and meaning response –businesses cannot tell the consumer to refer to its privacy policy unless the privacy policy discloses all the information required to be included in a such a response[iv]
• Addressing Denials: Verified Requests – the CCPA requires businesses to provide an explanation whenever a verified consumer’s request to know personal information is denied in part or as a whole; furthermore if the request is denied only in part, businesses must disclose the rest of the requested information[v]
• Addressing Denials: Unverified Requests – When businesses cannot verify the identity of the consumer making a request, the CCPA stipulates that businesses must not disclose the personal data[vi]
• Households – When a “household” request is made, businesses may only provide personal data if the request is verified to have come from all members of the household[vii]
• Service Providers – the CCPA requires service providers to explain any denials of requests for personal data[viii]

CCPA Violations & Data Breaches

When a CCPA violation occurs, businesses will have 30 days to fix the issue. Please note that data breaches are also considered a violation of the CCPA, so it’s important for businesses to take measures to secure and protect internal servers, networks, etc.

And when it comes to data breaches, the Attorney General’s Office individually calculates fines according to several criteria, such as whether the breach was intentional or unintentional, how long the breach was open before disclosure and the net worth of the affected company.

How the CCPA Affects Marketing

While the CCPA does have an impact on marketing, it is mostly geared towards ensuring the privacy of the consumer is respected. For example, the CCPA specifically states that collecting data from ad impressions and other ad reception information is an acceptable practice, as long as all the other CCPA guidelines are being followed.

To ensure your marketing practices follow CCPA guidelines, the first step is updating your privacy policy to explain what information you’re collecting and how users can request the specific details you’ve collected about them. You also need to outline the user’s rights for accessing their data, finding out who you’ve shared it with, or even deleting. It’s important that all of this is expressly stated and obvious to the consumer, as CCPA requires full transparency

Your business will need to clearly explain whether you’re using personal data for the purpose of analytics, developing new features, advertising, surveys, or for any other similar activities. This even applies to common data collection practices like using cookies.  

If you are currently or have previously shared data with outside companies, you will need to include this practice in the privacy policy, and you’ll need to explain how users can request finding out who their data has been shared with, along with giving them an option for preventing you from continuing to share it in the future. This includes any service or website that you may use in email marketing campaigns, such as services that distribute advertisements to large numbers of email addresses at a time. 

The new CCPA regulations may seem scary with how much transparency they require for marketing practices, but consumers tend to prefer purchasing from companies that are transparent, so even though getting compliant requires a lot of work and explaining complicated processes, it may also be an opportunity to further increase trust for your brand, especially if you do a good job of implementing the new procedures.

Can I Still Retarget Customers That Come To My Website?

The CCPA does not explicitly prohibit retargeting customers, but it does require that your company make it explicitly clear that you’re doing this in the privacy policy, and you’ll have to offer users the option of opting out of retargeting entirely as well. This will likely cut down on the number of consumers that you are able to retarget, but that’s part of the rules for the CCPA so there’s no way around it.

Can I Still Buy Data To Target Customers?

Yes, you can still buy personal data under the CCPA, but you will not have as much freedom with it as was previously allowed for.

First, you have to be capable of explaining what data you have on specific consumers, how and why it was collected, and you’ll have to be able to stop sharing that data or delete it outright if the consumer asks you to do so.

Should I Stop My Online Marketing Efforts?

Absolutely not. Because the CCPA allows people to opt-out of having their data shared, sold, and used, many advertisers are worried that it will be cataclysmic for their marketing strategies, and while the new law will certainly impact marketing, it doesn’t mean online marketing has to stop entirely.

The CCPA may add certain complications if you are used to doing things a certain way, but they are ultimately not severe enough to stop you from doing something that has proven to be such a useful business practice, so long as you do it in full compliance with the CCPA. The CCPA won’t end online marketing efforts, but it will require that you alter your marketing strategies.

For instance, if email marketing campaigns are a big part of your business, you may want to go about it differently now.  Because individuals can opt-out of having their information shared, certain consumers that are frustrated with the frequency of advertisement emails are likely to choose to opt-out of the emails or to have their information deleted so that the company serving email ads to them isn’t able to contact them at all anymore.

Using that example, if you cut down on the frequency of specific emails, make them more engaging or interesting, or find some other way to improve your emails, then you’re less likely to end up with overwhelming numbers of opt-outs and deletion requests.

The best way to find out exactly how the CCPA will impact your business will be to hire a data protection privacy expert who can review your business practices inform you of exactly what needs to be done to ensure compliance with the new regulations.

Contact MatrixPoint For Assistance

To ensure that your business is in alignment with all of the CCPA’s changes, schedule a free consultation with MatrixPoint.

Call us at 800-683-6983, or simply fill out our contact form.

[i] Id. § 999.313(c)(8)

[ii] Id. § 999.313(c)(3)

[iii] Id. § 999.313(c)(6)

[iv] Id. § 999.313(c)(9)

[v] Id. § 999.313(c)(5)

[vi] Id. § 999.313(c)(1)

[vii] Id. § 999.318

[viii] Id. § 999.314(d)