How CCPA will Impact your Business & Privacy Operations

Have you managed to check-out the footer of the business websites of late? If you have seen the buttons such as “Opt-out form” or “Don’t Sell My Personal Information” at the bottom of the business websites, then you probably already have an idea about what CCPA is. Stepping into 2020, you may be baffled by the question, “How CCPA will impact your business & privacy operations?” What is CCPA? CCPA stands for the California Consumer Privacy Act 2018 & is an act introduced by Ed Chau, to improve the methods of safeguarding the personal data of the customers residing in California (U.S.A). The bill became legally abiding on 28 June 2018 & was officially called AB-375. How Businesses can Gear-up for CCPA To understand how CCPA will impact your business, you need to first understand the scope of CCPA & the right it entitles to the customers who are the residents of California. CCPA defines data in section 1798.140(o)(1) & accordingly the businesses need to do tweaks in their privacy policies & reporting processes based on the inferences drawn from data or when personal data is combined with other data. Businesses need to determine differences between household data & individual data. Suppose a hypothetic scenario wherein a husband & wife share a joint account on a movie sharing service. In such scenarios, businesses will need to introspect whether they need to record their behavior as individuals or as a group. The bill guarantees the customers the following rights regarding their personal data & businesses need to upgrade the operational under tummies to ensure that the same are guaranteed to all their customers who are residents of California & who wish to exercise any of the following rights that they are entitled to under CCPA:
  • Right to know what personal data is collected by the businesses & how it is being used
  • Right to deny the sale of their personal information
  • Right to delete their personal data at will
  • Right to be informed of any changes in the range of personal data collected & to be informed of the categories of personal data collected
  • Right to the children under the age of 16 years to authorize for themselves to opt-in before the sale of their personal information (PI) & right to the parents of children below the age of 13 years to provide consent on the behalf of their children for the processing of their personal data
  • Right to know the details & categories of third-parties with whom the personal data is being shared
  • Right to comprehend the business or commercial purpose behind the data collection
  • Right to lawful actions if the companies breach personal data
  • Right to non-discrimination is the right under the section 1798.120 of CCPA that obliges the businesses not to discriminate against its customers who are residents of California just because they want to exercise the rights they are entitled to under CCPA
The Scope of Personal Data under CCPA CCPA defines “personal information” as any data that identifies, describes or relates directly or indirectly with a particular customer and includes real name, alias, postal address, unique postal identifier, online identifier, Internet protocol address, email address, account name, social security number, or other similar identifiers. The different factors that square measure specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a customer also fall under CCPA. The personal information we tend to gather might embrace associate degree individuals’ number, email address, instructional background, money and payment details, details of certificates and diplomas, education and skills, legal status, status, job title, and CV. Relevant people will embrace colleagues, consumers, members of the general public, business contacts, etc. Personal information is factual (e.g. contact details or date of birth), associate degree opinion a few person’s behaviors, or info which will otherwise impact that individual – personal or business-related. Personal information is also kept through an automatic method e.g. electronic records like profiles or in emails or in manual records that square measure a {part of} a file system or square measure meant to make part of a file system e.g. structured paper files and archives. CCPA defines personal info as info that identifies, describes or links to a selected client or unit like a true name, net Protocol address, email address, account name, passport variety or different similar identifiers. However, the in public accessible info isn’t thought-about as personal. CCPA takes into data solely provided by the client & excludes personal data that was purchased or accessed through a third-party. The categories of personal information under CCPA fall under the following categories:
  • Identifiers:
This category of data includes name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers.
  • Customer records information:
This category of personal information includes details such as addresses, telephone number, education, employment status, financial information, passport number & other critical information such as health information.
  • The protected classifications under California or federal law:
This category of personal information includes race, religion, sexual orientation, gender identity, gender expression & age of the customers.
  • Commercial Information:
This data category includes records of personal property, products or services purchased, obtained or considered or other consuming inclinations of the customers exhibited across several platforms across the web.
  • Biometric Information:
This category of personal information includes details such as hair color, eye color, fingerprints, height, retina scans, voice, facial recognition & other biometric data.
  • Information collected from the Internet of Things & other Electronic Activity:
This category of personal information includes information such as browsing history, search history & information regarding the interaction of a customer with an internet website, advertisement or an application. This data resonates with the physical location of the prospects that helps the businesses serve them with hyper-personalized ads.
  • Electrical, olfactory, audio, visual, thermal or similar information:
This data category usually includes a wide array of sensory information pertaining to the prospects.
  • Professional or employment details:
This data category includes the current or past job history or performance evaluations of the prospects.
  • Educational Background:
This information entails information that is not “publicly available personally identifiable information” and has been defined under the California Family Educational Rights & Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
  • Inferences:
This law includes inferences that can be used to create a profile resonating with the preferences, characteristics, psychological trends, behaviors, predispositions, attitudes, intelligence, abilities & aptitudes of the customers. Apart from the major categories of personal data enlisted above, the attorney general of California is entitled to add categories of personal information to address changes in technology, data collection practices, obstacles to implementation & privacy concerns. The personal information under CCPA doesn’t include the publicly available information & information such as financial & medical information regulated by the Health Information Portability & Accountability Act (HIPAA) is exempted under CCPA. CCPA Compliance & the Cost of Non-Compliance The California Customer Privacy Act (CCPA) was signed into law on June 28, 2018, & became effective from January 1, 2020. CCPA Compliance is mandatory for businesses & non-profit organizations (NGOs) that collect the personal data of the customers’ and operates in California & falls under any one of the following pursuits:
  • Has an annual revenue exceeding $25 million
  • Is Involved in buying or selling of personal information of 50,000 or more customers or households; or
  • Is Earning more than 50% of its annual revenue from selling customers’ personal data
Under the act the residents of California have the right to know what sort of personal data is being collected about them, whether it is being sold & if yes, to whom. The privacy rights can be exercised without discrimination of any kind. The businesses need to have a “Do Not Sell My Personal Information” link on the home page of their websites. This link directs the users to a web page enabling them, or someone they authorize, to opt-out of the sale of personal information of any resident of California. Customers can submit requests for accessing their personal data. Operational Challenges under CCPA The methods by which the global businesses possess personal data were stirred with the implementation of the General Data Protection Regulation (GDPR) in 2018. Even if your business abides by GDPR, there will be exclusive operational challenges that you should be expecting with the rollout of CCPA. Read more: GDPR Anniversary Edition: Fines Dealt & Challenges Ahead Businesses will need to prepare well for the challenges such as the impact on their budget & resources. Lee Matheson of International Association of Privacy Professionals elucidates: “Without good data mapping & inventory, no business can hope to accurately make the category-centric disclosures emphasized by the statute, let alone comply with varied requests from customers for specific prices of personal information.” Businesses will face immediate challenges as it wouldn’t be able to raise prices or charge customers for additional data & privacy management efforts. With the anti-discrimination clauses of CCPA coming into play, businesses have limited ability to charge the residents of California for data requests. Despite the fact that the businesses can offer varied prices or financial incentives under several referral programs on the “value” of customer data, measuring the “value” is ambiguously defined under the law. The operational challenges, particularly those pertaining to the privacy operations fall under the following main categories:
  • Reciprocations to the Access Requests:
If a customer, who happens to be a resident of California submits a verified request business must reciprocate with a valid answer within 45 days either in an electronic or transferable format. The obligations to response may differ however, based on what questions the customers have requested & how their personal information is being handled.
  • Review those Third-party Agreements:
Businesses need to know about every third-party involved in the collection, storage, computation, sharing & selling of customers’ personal data. They also need to learn about the operational details of the third-parties that they are dealing with, in terms of what businesses they’re indulged in & their geographical boundaries of operation.
  • Change your Conventional Ways of Communication with Customers:
The CCPA regulations are lengthy and businesses need to understand that the rights guaranteed to the customers themselves are interdisciplinary in nature & accordingly the ways in which businesses communicate with customers need to be changed:
  • Businesses need to inform the customers about the collection of their personal data & about the category of personal data is collected
  • Under the specific right to opt-out of the sale of personal information, businesses must include a “Don’t Sell My Personal Information” link on their home page.
  • Businesses need to publicly share the list of categories of personal information collected by them & need to update the information every 12 months.
  • Customers must be provided with at least two methods for submitting requests for disclosure with at least a toll-free number & electronic mode of form submission highlighted on the website.

Wrap Up

To comply with disclosure requirements & other requests under CCPA, businesses need to ensure that they have a structured system in place for the categorization of customers’ data. Not only the data need to be organized into categories but the categories also need to be tracked. So, if you run a business & are preparing for CCPA wondering how CCPA will impact your business you should start with one product or service at a time. Don’t be bewildered by the question of how CCPA will Impact your business, rather tackle the operational challenges, especially the ones that come with multiple products that trace customers’ data. Keep a track record of the complicated multi-party processes for data storage, manipulation, sharing & selling & the question ‘how CCPA will impact your business’, will never bother you. Valasys Media helps you surface, prioritize & organize your bottom-line endeavors with the help of our tailored B2B services.  Our tailored B2B services include lead generation, account-based marketing, lead nurturing, event promotion services, list building services & content syndication services.

Leave a Reply