CCPA: What is it and who is affected?
The California Consumer Privacy Act (CCPA) was signed into law in June 2018, and it stands as the first United States Law that followed the European GDPR. It went into effect in 2018, but requirements for organizations go into place in 2020.
The CCPA protects the personal information of California residents, and affects any business who interacts with California residents. Businesses must also satisfy one of the following criteria: annual gross revenues of over $25 million, processes personal information of over 50,000 consumers, households, or devices, or earns more than half of its revenue from selling personal information. Under the CCPA, personal information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This can apply to Social Security numbers, purchase histories, and online tracking technologies, some of which can impact the way marketing works now.
With the new act, consumers now have more control over the information they provide. Businesses must notify consumers about exactly what information is being collected and where this information will be used. Consumers are also given the opportunity to opt-out of having their personal information sold to third-parties. Businesses must post a “Do Not Sell My Personal Information” link on its homepage, so people can decide whether they consent to their information being sold or not. Consumers are also given the right to request removal of all personal information a business or third-party has on them. The business can only deny deleting information that is required to complete a transaction with their business. Lastly, consumers cannot be discriminated against if they exercise their rights under the CCPA.
Since the CCPA has already been amended once, it may go through a few more updates before 2020. However, impacted businesses should start forming privacy notices, update any policies and procedures, and make the required changes to their websites. It is also recommended that businesses track exactly what personal information they are currently collecting, where the information is stored, and if the information is going to any third parties.
Industries that will be affected most:
1. Social Media Companies
A big wake up call for consumers was when Cambridge Analytica gained access to information on over 50 million Facebook users. Consumer trust was lost in the process and people are hesitant about putting their information into social media platforms now. The CCPA will help ease that hesitation for consumers, but social media companies now have to work twice as hard to track their data. Since most/all social media companies do business in California, they are going to be required to have the “Do Not Sell My Personal Information” on their homepage.
2. Online Retailers
After the privacy law went into effect in the EU, one-third of consumers intended on contacting online retailers to remove their private information. Researchers predict that consumers will make a similar trend once the CCPA is in full swing. This means that online retailers will not be able to use the personal information for marketing purposes and information cannot be sold to third-parties.
Banks tend to look at purchase data as a means to market their own or third-party products. This new law categorizes purchase data into personal information, which means banks must get consent before using this information. This is big for banks, since there has been a history of distrust in the banking system. Consumers may be wary of giving consent to the use of the purchase history, since it may further solidify that distrust.
This new law will impact the way businesses collect information, while giving the power back to consumers. Consumers have gone years without knowing that their information was being sold and used. Knowledge is power, and now the consumers have both.