If your organization operates in California, or processes data from many California residents, you are likely subject to the California Consumer Privacy Act (CCPA). One component of the CCPA requirements is adhering to the new CCPA Lookback Period rules, which extend data subjects’ rights to their data into a retroactive period of 12 months. Following these rules means upholding data subjects’ rights in the present and future while accounting for the past, as well.
California Consumer Privacy Act (CCPA)
If your business processes data belonging to residents of California, and you meet certain size or revenue requirements, you must abide by the California Consumer Privacy Act (CCPA). It doesn’t matter where your company is located; it can impact you regardless. A significant aspect of compliance is CCPA data breach notification. Similar to other frameworks in the US and globally, data subjects have a right to know if their information has been compromised.
Companies that market services or products to consumers in California must comply with CCPA email marketing guidelines to protect data privacy. Essentially, the CCPA protects the rights of consumers in California regarding the collection, use, or sale of personal data. Read on to learn more about CCPA email marketing compliance.
How to Maintain CCPA-Compliant Email Marketing
For businesses with consumers in California, CCPA email marketing laws can help protect customer data from breach attacks. Marketing to consumers via email requires adhering to California email marketing laws regarding consumers’ rights to:
- Know how their data is used
- Request that their data be deleted
- Opt-out of email marketing
- Exercise their rights without discrimination
With the help of a CCPA compliance advisor, your business will implement processes that comply with CCPA email marketing guidelines, protecting the overall security of consumer data.
Download Our CCPA Compliance Checklist
The CCPA Right to Know and Email Marketing
The CCPA email marketing guidelines require businesses to inform consumers in California about all aspects of data collection, processing, and usage.
Specifically, consumers have the right to request information regarding:
- Categories of personal data collected
- Sources of data collection
- Business use of the collected data
- Sharing of data with third-parties
Businesses whose consumers are residents of California must comply with CCPA email marketing laws to protect consumer privacy rights.
The CCPA Right to Delete and Email Marketing
Under CCPA email marketing laws, guidelines for businesses to follow under the “right to delete” include:
- Consumers have the right to request the deletion of data collected by businesses, including any data collected by third-party vendors.
- Your business must also disclose to consumers their right to have personal information deleted.
- Third-party service providers must delete any data collected on behalf of a business if the consumer request was directed to the business in question.
CCPA email marketing laws can help your business protect the privacy and security of consumer personal information.
Consumer Requests and CCPA Compliance
Compliance with CCPA email marketing guidelines regarding consumers’ rights to information disclosures and deletion requires businesses to simplify processes for submitting consumer requests.
The following considerations can help your business develop CCPA-compliant processes for consumer requests regarding the disclosure or deletion of personal information:
- You must provide at least two methods for submitting requests, some of which include:
- Email addresses
- Paper forms
- Depending on the type of business location (e.g., online, physical, multichannel), methods must be accessible to all consumers and include:
- A toll-free number for all businesses
- A website for businesses with websites
- An email address for businesses that are exclusively online
- Where consumer accounts are used to request information:
- Consumers should be able to submit requests without creating accounts.
- Consumers can also submit requests through accounts they previously created.
The ease by which customers can submit requests for disclosure or deletion of their data strengthens your compliance with CCPA and email marketing laws and helps protect your business reputation.
- Response timelines – The deadline to respond to consumers’ requests for information is 45 calendar days. However, this deadline is flexible to a 45-day extension if you notify consumers.
- Request consumers for additional verification information
- Use requested information for strictly verification purposes
- Consumer information cannot be verified
- Consumer requests are unreasonable, based on excessiveness (i.e., you have provided information twice within 12 months) or your ability to demonstrate that they’re extremely unfounded
- Sensitive information will be disclosed, including social security numbers and account information (e.g., bank account numbers, passwords)
- Compliance or legal restrictions will be violated
- Requested information belongs to CCPA-exempt categories, some of which include medical information and consumer credit reports
The CCPA Right to Opt-out and Email Marketing
When consumers exercise their CCPA email marketing right to opt out, you must stop selling their personal information. Considerations for complying with CCPA right to opt-out include:
- Respect for opt-out requests – Compliance with CCPA email marketing opt-out requests means businesses must:
- Avoid selling consumers’ personal information following opt-out requests, except if consumers provide reauthorization
- Delay sending opt-in requests to consumers for at least 12 months
- Sale of children’s personal information – As a business, you can only sell information belonging to children if you obtain:
- Opt-in from the child, if the child is below the age of 16 but above 13)
- Opt-in from the child’s parent or guardian, if the child is below the age of 13
- Clarity of opt-out instructions – Per CCPA email marketing requirements, you must also provide clear instructions for consumers to submit opt-out requests via:
- Conspicuous link on your business website containing “Do Not Sell My Personal Information”
- Verification of opt-out requests – Although the CCPA does not require you to verify the identity of the consumer submitting an opt-out request, you can:
- Request additional information to confirm consumer identity
- Use requested information only for verification purposes
- Submission of opt-out requests – You must also provide two or more methods for consumers to submit opt-out requests. One of the most common methods is the Global Privacy Control (GPC) tool, a user-enabled global privacy control, which is:
- A fast and accessible way for consumers to opt-out of the sale of their information
- Flexible for consumers to submit requests across web applications and devices
Complying with California email marketing laws will help protect your business from data breach risks, especially those related to the sale of consumers’ personal information.
CCPA Non-Discrimination and Email Marketing
Per CCPA email marketing laws, consumers that exercised their CCPA rights are protected from discrimination via:
- Denying them goods or services
- Pricing items differently
- Offering non-standard quality of items
When consumers exercise their CCPA email marketing rights, your company is protected if:
- You cannot complete transactions or provide goods and services due to the deletion of consumer personal information
- Marketing emails (e.g., promotions, discounts) are in exchange for the use of consumers’ personal information, especially when the value of information is equivalent to the financial incentive you offer
- Following the exercised right to delete or opt-out, consumers cannot participate in special promotions requiring the exchange of personal information
However, consumers can request information about the specifics of special offers to guide their decisions about exercising CCPA rights. Working with a CCPA compliance partner can help you address gaps in compliance with CCPA email marketing laws.
Streamlined CCPA Email Marketing Compliance
Email marketing to consumers in California requires businesses to comply with California email marketing laws, which protect consumer data privacy. Working with an experienced CCPA compliance advisor will help you streamline CCPA email marketing compliance.
Maintaining CCPA compliance will also help prepare your organization for adherence to other data privacy laws and regulations that are continually arising (e.g., the EU’s GDPR, Virginia Consumer Data Privacy Act).
Contact RSI Security today to learn more about streamlining your CCPA compliance policy and strengthening your data privacy.
Download Our CCPA Compliance Checklist
Assess where your organization currently stands with being CCPA compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.
The California Consumer Privacy Act (CCPA) protects the rights of data subjects in California. The CCPA statute of limitations refers to two things, broadly: the timeframe within which legal action may be brought against an organization for violating CCPA rights and the duration for which such an organization is allowed to retain data pertaining to a California consumer. Our guide will break down these definitions and explain other essentials of CCPA compliance.
The California Consumer Privacy Act (CCPA) took effect on July 1, 2020, providing state residents with the most comprehensive data privacy protections in the US. Comparable to the EU’s GDPR, the CCPA specifies individuals’ rights regarding companies collecting, using, and storing their personal data.
Privacy by design (PbD) is a preventative approach to data privacy protection developed by Dr. Ann Cavoukian in the 1990s. Its initial purpose was to develop a robust, scalable model for data privacy that would surpass “privacy enhancing technologies” (PETs) and then-weaker regulatory compliance requirements to guarantee full data privacy.
The California Consumer Privacy Act (CCPA) is barely in full swing, and regulators have already pushed through an update, proposition 24.Proposition 24 and the updates to the CCPA have left many businesses confused about the state of their privacy compliance.
It is not often that you find yourselves amid a data crisis, but when you do, you’ll be thankful for all the prior effort you put into designing a response plan.
This article will examine the basic approach to data breach response planning and the steps involved.
The regulatory landscape has shifted once again, and California regulators have pushed through new CCPA website requirements.
Following proposition 24, organizations will now have to address the changes to the CCPA.
Join us in this article to explore what these new changes mean, how they affect your business, and how you can become CCPA website compliant.