Creating a CCPA Compliance Strategy for Data Collection Procedures in 2020
By now, you may have heard about the new California Consumer Privacy Act (CCPA), which will go into effect on January 1, 2020. However, the big question here is, how will the CCPA affect the consumer data collection process for my business, and is it the same as the GDPR? FormAssembly is committed to helping organizations in all industries become better stewards of the data entrusted to them, so we’re here to help guide you through evolving data privacy developments. Let’s walk through what you need to know about CCPA, and how you can plan for it in the coming year.
What is CCPA all about?
The California Consumer Privacy Act is a state law intended to protect the privacy rights of consumers residing in California. It deals with what organizations can do with the personal information they collect. With the roll-out of the CCPA, Californians will have the right to obtain, and even request deletion of, any personal information they’ve provided to a business entity. They will also have the right to restrict the organization’s use of their data. Now that you’re familiar with the new act, the next step is to understand the differences between the CCPA and the EU’s General Data Protection Regulation (GDPR).
Why is CCPA different from GDPR?
Businesses that have undergone immense revamping to align with GDPR compliance will have an advantage, but they will still need to enact different data collection procedures to meet CCPA requirements. Here’s a breakdown of those differences:
- Unlike the GDPR, the CCPA will grant individuals the right to opt out of businesses selling their personal information. This obligatory disclosure will need to be made available via a link on websites to inform consumers ahead of time.
- CCPA has a narrower focus in that it only applies to California-based businesses with revenue above $25M, or those whose primary business consists of selling the personal information of consumers.
- The conditions for requesting access and deletion of consumer data for both CCPA and GDPR are different.
- CCPA has uncapped penalties for non-compliance, in which businesses are fined per violation without any sanctions. Conversely, GDPR penalties for a data breach can reach up to 4% or $20M.
How will CCPA impact marketers?
Marketing’s essential function at the enterprise level is to establish models that gather consumer data from a targeted demographic in order to boost sales or generate exposure. However, collecting and using this information will become more challenging for marketers, whether it’s requested via subscription forms, landing pages, focus groups, or surveys. The new changes could also impact other common and paramount tasks like A/B testing, website analytics, segmentation, and email marketing.
How to prepare for the upcoming CCPA changes
The best route for marketers and businesses to take would be to pay more attention to their privacy frameworks, ensuring that compliance with CCPA is not assumed through existing GDPR standards. Businesses should have data collection procedures in place addressing both privacy acts.
Keep the following in mind as you plan for CCPA and GDPR in 2020:
- Carry out an internal review prior to 2020 and provide necessary modifications as time progresses to ensure ongoing compliance.
- Review the contract of any third party or organization whose consumer private data is submitted to your business, and disclose this information to consumers.
- Ensure all online and internal privacy policies are in compliance with CCPA and other privacy laws when necessary.
- Erase all obsolete and unused personal information, or information which is requested for deletion by the consumer.
- Ensure your departments are properly trained and working in tandem with one another to minimize potential risks associated with unlawful handling of consumer private data.
- Ensure that any data collection vendors you work with are CCPA compliant. If you use FormAssembly, this requirement is already met.
For more information on evolving regulations and data privacy best practices in 2019, check out our Data Privacy Deep Dive webinar.