The CCPA includes sweeping legal changes that will significantly disrupt traditional business and marketing operations. Find out how to minimize the disruption to your business at MatrixPoint.
On January 1st, 2020, the California Consumer Privacy Act, or CCPA, went into effect. The CCPA introduces restrictions on data use and gives consumers rights and access to their data as it relates to a business’s collecting, sharing, or selling activities, and these changes will be enforced with significant fines, fees, and penalties where companies have been found in breach of the new CCPA rules.
The CCPA will have a significant impact on any businesses it regulates, so it’s incredibly important to ensure that your business is compliant with the new regulations. To streamline your compliance checks and updates contact MatrixPoint for a free consultation by calling 800-683-6983 or filling out our contact form.
Not all businesses are impacted by the new CCPA regulations, but they do apply to companies generating over $25,000,000 a year in revenue, businesses where information sharing makes up 50% of revenue, and businesses storing the information of 50,000 or more CA consumers.
If your business meets these criteria, then it must make several important changes to become compliant with the CCPA; otherwise, your business will not only face heavy fines served by the California Attorney General’s Office but also severe consumer backlash.
Speaking of fines, in the event of a CCPA violation, your business may face penalties ranging from $2,500 to $7,500 per impacted California resident, depending on whether the violation is deemed “unintentional” or “intentional”.
If, however, the accrued damages are valued at a higher amount, then the business will be responsible for paying this amount instead. Needless to say, violating the CCPA can be financially devastating to businesses of all sizes, so it’s critical they take steps to protect themselves at the earliest opportunity.
The CCPA affects businesses in other ways as well, including:
To become CCPA complaint, businesses must update and rewrite all public notices and privacy policies to ensure consumers understand their rights under the CCPA. Additionally, these notices must be accessible, plainly visible, and easy to read.
The CCPA also requires businesses to include details about their data collection practices, how it’s collecting data, and if the data is being shared or sold to a 3rd party vendor.
What’s more, businesses are now also required to disclose any future changes made to public notices and privacy policies to all impacted consumers, as the CCPA may be amended in the coming months and years.
Under the CCPA, consumers can make 3 kinds of requests:
Once a request has been made, a business is required to confirm receipt of the consumer’s request within 10 days. This confirmation must also include information detailing how the business will handle the request, how the consumer’s identity will be verified, and when the consumer can expect a response.
A business will have 45 days to respond to a consumer request (beginning on the day the request was received); however, a business may take an additional 45 days for a maximum of 90 days to respond to the request if the business provides the consumer with a reason for the extension.
Additionally, there are further stipulations as to how a business must respond to a request:
When a CCPA violation occurs, businesses will have 30 days to fix the issue. Please note that data breaches are also considered a violation of the CCPA, so it’s important for businesses to take measures to secure and protect internal servers, networks, etc.
And when it comes to data breaches, the Attorney General’s Office individually calculates fines according to several criteria, such as whether the breach was intentional or unintentional, how long the breach was open before disclosure and the net worth of the affected company.
While the CCPA does have an impact on marketing, it is mostly geared towards ensuring the privacy of the consumer is respected. For example, the CCPA specifically states that collecting data from ad impressions and other ad reception information is an acceptable practice, as long as all the other CCPA guidelines are being followed.
Your business will need to clearly explain whether you’re using personal data for the purpose of analytics, developing new features, advertising, surveys, or for any other similar activities. This even applies to common data collection practices like using cookies.
The new CCPA regulations may seem scary with how much transparency they require for marketing practices, but consumers tend to prefer purchasing from companies that are transparent, so even though getting compliant requires a lot of work and explaining complicated processes, it may also be an opportunity to further increase trust for your brand, especially if you do a good job of implementing the new procedures.
Yes, you can still buy personal data under the CCPA, but you will not have as much freedom with it as was previously allowed for.
First, you have to be capable of explaining what data you have on specific consumers, how and why it was collected, and you’ll have to be able to stop sharing that data or delete it outright if the consumer asks you to do so.
Absolutely not. Because the CCPA allows people to opt-out of having their data shared, sold, and used, many advertisers are worried that it will be cataclysmic for their marketing strategies, and while the new law will certainly impact marketing, it doesn’t mean online marketing has to stop entirely.
The CCPA may add certain complications if you are used to doing things a certain way, but they are ultimately not severe enough to stop you from doing something that has proven to be such a useful business practice, so long as you do it in full compliance with the CCPA. The CCPA won’t end online marketing efforts, but it will require that you alter your marketing strategies.
For instance, if email marketing campaigns are a big part of your business, you may want to go about it differently now. Because individuals can opt-out of having their information shared, certain consumers that are frustrated with the frequency of advertisement emails are likely to choose to opt-out of the emails or to have their information deleted so that the company serving email ads to them isn’t able to contact them at all anymore.
Using that example, if you cut down on the frequency of specific emails, make them more engaging or interesting, or find some other way to improve your emails, then you’re less likely to end up with overwhelming numbers of opt-outs and deletion requests.
The best way to find out exactly how the CCPA will impact your business will be to hire a data protection privacy expert who can review your business practices inform you of exactly what needs to be done to ensure compliance with the new regulations.
To ensure that your business is in alignment with all of the CCPA’s changes, schedule a free consultation with MatrixPoint.
Call us at 800-683-6983, or simply fill out our contact form.
[i] Id. § 999.313(c)(8)
[ii] Id. § 999.313(c)(3)
[iii] Id. § 999.313(c)(6)
[iv] Id. § 999.313(c)(9)
[v] Id. § 999.313(c)(5)
[vi] Id. § 999.313(c)(1)
[vii] Id. § 999.318
[viii] Id. § 999.314(d)