California has made changes to its consumer privacy act. Some of the changes will affect how companies do business with state residents. The most notable changes apply to websites. There are new requirements and stiffer penalties for organizations that don’t meet CCPA standards.
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The new consumer data protection law affects businesses with customers in California. Any company that does business in-person or online in California or with a resident of the state falls under CCPA regulations. These standards include companies meeting the primary CCPA website requirements.
In this article, you’ll learn what the CCPA website requirements are and how to meet compliance standards.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act or AB 375 was enacted into law shortly after the passage of the GDPR, which replaced previous European data privacy laws. The GDPR created a standard security framework to use across Europe. It gave individuals greater rights concerning privacy and access to their information while increasing fines for security breaches.
U.S.-based companies are required to follow GDPR guidelines if protected consumer information is shared between organizations. U.S. companies must also adhere to the guidelines set down by the passage of AB 375.
CCPA is similar to the GDPR. It allows Californians to view any personal information a company has on them whenever it is requested. This can include customers asking for a complete list of all third-parties with whom their information was shared. However, while the two acts share these similarities, CCPA takes some of the guidelines a little further.
How Will CCPA Affect My Business?
The California Consumer Privacy Act will affect both your in-person and online marketplaces. CCPA gives consumers several rights that aren’t always covered under other industry data protection laws. The California act supplements other laws designed to protect state residents’ personal information.
Here are the six rules currently enforced under CCPA guidelines. Because so much selling of products and services now happens online, several parts of the act apply to the protection of consumer data online. The CCPA website requirements below also apply to brick-and-mortar storefronts.
- The right for California residents to know what personal information is being collected.
Businesses/organizations must let individuals know if they are collecting information on them. This includes all data from your name and email address to your browsing history. If any data shared by an organization – without your consent – can be traced back to you, it violates AB 375.
- The right to know to whom your information is being sold.
Individuals can ask companies to disclose the types of third-party organizations with which they share their information. The names of the third parties will not be released, but you can demand the removal of your data and prohibit it from being sold.
- Californians have the right to say “no” to the sale of their personal information.
Businesses must give consumers the right to refuse the sharing or selling of their information to third parties. Your request must be honored by the company, and they must also have a link for consumers to click on to opt-out.
- Californians have the right to access their personal information.
Businesses can sell your data as long as they remove any private and protected information. You have the right to request and receive, within 45 days, information on third parties that have access to your non-personal information. This includes knowing who has your data, where it came from, and why it was shared. Your request also covers what the third party intends to do with your non-personal information. You also have the right to have it deleted.
- Californians who opt out of information sharing retain the right to the same service and price as those who did not opt out.
It’s not uncommon for businesses to have third-party associates that have access to consumers’ data. Companies are responsible for ensuring that any third-party contractor associated with the organization complies with CCPA rules. If a third party is in violation, the company related to it could also be subject to fines and penalties.
- Californians have the right to request that their information be “forgotten” by a company.
Consumers have the right to ask companies to delete certain information covered under CCPA. This can include a customer’s name and email address. All departments in the company must follow the customer’s request, including legal, IT, and marketing.
CCPA Website Requirements for Email Marketing
Email marketing is a large part of a company’s advertising platform. However, there are specific CCPA website requirements businesses must follow. CCPA gives consumers more power when it comes to protecting their personal information. For consumers, the act is beneficial; however, it can have the opposite effect on businesses. Many organizations use email marketing to drive more traffic to their online sites or brick-and-mortar stores.
Sending emails can be a successful way to market a business or a product. The main problem with these emails – from the consumer’s point of view – is that they may also be receiving unsolicited messages from third parties. These third-party emails are often a result of the sale of the consumer’s information.
AB 375 may only protect consumers residing in California, but more states are following suit and passing their own privacy regulations. With consumer privacy now protected for California residents, businesses are learning that their email marketing strategies – in-house and by third parties – need to change.
Here are a few ways CCPA is changing email marketing.
- Email addresses are considered personal information. If a California resident requests the deletion of their email information, a business can no longer send them any emails. If a company sold the consumer’s email information, it must notify the third party.
- Email data must also be deleted, along with the customer’s name and email address. This data includes all emails the customer clicked on or opened. This information is often gathered by third-party marketers and helps determine which marketing campaigns best fit consumers’ shopping habits and interests.
- Email opt-out must be available to all consumers. This gives customers the option of avoiding emails from the business and any third-party affiliate. Consumers’ information cannot be used in any manner if they select the “opt-out” option.
CCPA is changing how email marketing campaigns are done. There are also fines and penalties for businesses that do not adhere to AB 375 standards, but these can be avoided by following the necessary compliance steps.
How Do Businesses Meet CCPA Website Compliance?
- Update privacy policies
In 2018, businesses affected by GDPR were informed that they must update consumer information privacy policies across all departments and facilities. This includes any third-party affiliates. CCPA also requires businesses to notify their consumers of the new privacy regulations. Companies will have to decide if they want a universal policy for all consumers or separate ones for California residents and non-residents.
- Data strategies
How companies keep up with data inventories will need to be adjusted. Along with tracking data that includes products, services offered, third-party associates, and consumer information, businesses will also have to add a few columns to their inventory spreadsheets.
As of January 2020, businesses with consumers living in California will have to track the following data to stay compliant with CCPA standards.
- Identify if the data is to be or was sold to a third-party.
- Identify any personal information that was sold to a third-party associate.
- Identify data over 12 months old that is exempt from CCPA.
- Identify if the personal information is covered under HIPAA or other laws that make it exempt.
This can be confusing for some businesses. HIPAA already protects private health information and is subject to different regulations and penalties than CCPA. For any business that has concerns over identifying what personal information is protected by HIPAA or CCPA, a certified technician from RSI Security can help track its data and meet compliance requirements.
- Have protocols in place to protect consumers’ privacy rights
Even though CCPA only recently went into effect and other states have not passed similar acts yet, all U.S. businesses should have protocols in place to protect consumers’ privacy. Several of the protocols organizations need to implement have already been covered. This includes:
- The right of access and request
- The right to know who has a consumer’s email information
- The right to request businesses delete all personal information
- The right to request that personal information is not sold
- The right to qualify for sales and other incentives the company offers to consumers that did not “opt-out” of marketing emails.
- Update security protocols to reflect CCPA standards
CCPA standards require that businesses have adequate protection for the consumer data they collect. This includes taking a risk-based approach when the organization addresses any concerns about the confidentiality and availability of personal data. The protocols that are adopted must be consistent across all departments and any third-party affiliates.
- Update agreements with third-party affiliates
Even if a business is compliant with CCPA regulations, it can still incur a fine if a third-party affiliate does not follow the standards set down by the act. All third parties that purchased consumer email information are required to abide by AB 375. This includes disclosing the information held on a consumer – if it is requested – and deleting customer data.
What Are the Penalties for Non-Compliance with CCPA Website Regulations?
The Attorney General is responsible for enforcing CCPA regulations. The act also allows private citizens to file civil cases if their rights under AB 375 were violated. This includes theft, sale, or any other type of non-authorized access of private information either by the business or a third-party affiliate.
If consumer information was breached due to a lack of adequate security, damages from civil litigation could range from $100 to $750 per violation. If the case is escalated due to lack of compliance with CCPA, the penalties per violation can be as high as $7,500. These fines can apply to both businesses and their third-party affiliates. Consumers can also bring civil suits against companies regardless of any penalties the Attorney General’s office may have imposed.
Understanding and Meeting CCPA Website Regulations
CCPA, or AB 375, is a hurriedly written and recently passed act. After a few months, loopholes were discovered, which has raised questions about the enforcement of various standards. One example of a loophole that directly contradicts a consumer’s right not to be discriminated against for choosing to opt out of emails states:
“businesses can offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.”
Even though there are loopholes in CCPA, the simple fact that other states are enacting similar standards makes it essential that businesses comply with current consumer information privacy laws.
CCPA website regulations are in effect, and the experts at RSI Security are ready to help organizations meet the security requirements necessary for businesses to meet California’s new consumer privacy regulations.