The California Consumer Privacy Act (CCPA) was passed in 2018, and it affects companies that handle private data. The act, also referred to as AB 375 follows the guidelines of the EU’s (European Union) General Data Protection Regulation (GDPR) while broadening the definition of what constitutes private data.
Broadening the scope of private data can affect organizations in how they decide what information needs to be protected. This can include emails that contain information considered covered under CCPA. Organizations that use email as a routine form of correspondence can find themselves violating the 2018 privacy act.
What is CCPA?
The California Consumer Privacy Act was enacted into law shortly after the passage of the GDPR, which replaced previous European data privacy laws. The GDPR created a standard security framework to be used across Europe. It gave individuals greater rights concerning privacy and access to their information while increasing fines for security breaches.
U.S. based companies are required to follow GDPR guidelines if protected consumer information is being shared between organizations. U.S. companies must also adhere to the guidelines set down by the passage of AB 375.
CCPA is similar to the GDPR. It allows Californians to view any personal information a company has on them whenever it is requested. This can include customers asking for a complete list of all third-parties their information was shared with. However, while the two acts share these similarities CCPA takes some of the guidelines a little further.
The first step to understanding how CCPA affects organizations and individuals is to understand what rights it protects.
- Right for California residents to know what personal information is being collected.
Businesses/organizations must let individuals know if they are collecting information on them. This includes all data from your name and/or email address to your browsing history. If any data that is shared by an organization – without your consent – can be traced back to you, it is in violation of AB 375.
- The right to know who your information is being sold to.
Individuals can request companies to supply them with the types of third party organizations your information might be shared with. The names of the third-parties will not be released, but you can demand that your information be deleted and that it can no longer be sold.
- Californians have the right to say “no” to the sale of their personal information.
Businesses must give consumers the right to opt-out of sharing or selling your information to third parties. Your request must be honored by the business and they must also have a link for consumers to clink on to opt-out.
- Californians have the right to access their personal information.
Business can sell your data, as long as any private/protected information is removed. You have the right to request and receive information on third-parties that have access to your non-personal information within 45 days. This includes knowing who – email address- has your information, where it came from, and why it was shared. Your request also includes what the third-party intends to do with your non-personal information. You also have the right to have it deleted.
- Californians still have the right to the same service and price if they opted out of information sharing compared to those that didn’t.
It’s not uncommon for businesses to have third-party associates that have access to consumers’ data. Businesses are responsible for ensuring that any third-party contractor associated with the organization complies with CCPA rules. If a third-party is found to be in violation, the business associated with them could also be subject to fines and penalties.
- Californians have the right to request that their information be “forgotten” by a company.
Consumers have the right to ask companies to delete certain information that is covered under CCPA. This can include a customer’s name and/or email address. All departments in the company must follow the customer’s request. This includes legal, IT, and marketing.
CCPA and Email Marketing
CCPA gives consumers more power when it comes to protecting their personal information. For consumers the act is beneficial, however, it can have the opposite effect on businesses. Many organizations use email marketing to drive more traffic to their online sites or brick and mortar stores.
Sending emails can be a successful way to market a business or a product. The main problem with these emails – from the consumer’s point of view – is that they may also be receiving unsolicited messages from third-parties. These third-party emails are often a result of consumer information being sold.
AB 375 may only protect consumers residing in California but more states are following suit and passing their own privacy regulations. With consumer privacy now being protected for California residents, businesses are learning that their email marketing strategies – in-house and by third-parties – need to change.
Here are a few ways CCPA is changing email marketing.
- Email addresses are considered personal information. If a California resident requests that their email information be deleted a business can no longer send them any emails. If a business sold the consumer’s email information, the third-party must be notified.
- Email data must also be deleted, along with the customer’s name and email address. This data includes all emails the customer clicked on or opened. Often this information is gathered by third-party marketers and helps to determine which marketing campaigns best fit the consumer’s shopping habits and other interests.
- Email opt-out must be available to all consumers. This gives customers the option of avoiding emails from the business and any third-party affiliate. Consumers’ information cannot be used in any manner if they selected the “opt-out” option.
CCPA is changing how email marketing campaigns are done. There are also fines and penalties possible for businesses that do not adhere to AB 375 standards but these can be avoided by following the necessary compliance steps.
If the business is already GDPR compliant, there should only be a few steps left to take to meet CCPA standards. However, some businesses might not have European consumers and are unsure of what needs to be done to protect their customers’ information covered by AB 375.
1. Update privacy policies
In 2018 businesses affected by GDPR were informed that privacy policies regarding consumer information must be updated across all departments and facilities. This includes any third-party affiliates. CCPA also requires businesses to notify their consumers of the new privacy regulations. Businesses will have to decide if they want a universal policy in place for all consumers or separate ones for Californians and non-state residents.
2. Data strategies
How companies keep up with data inventories will need to be adjusted. Along with tracking data that includes products, services offered, third-party associates, and consumer information, businesses will also have to add a few columns to their inventory spreadsheets.
As of January 2020, businesses with consumers living in California will have to track the following data to stay compliant with CCPA standards.
- Identify if the data is to be or was sold to a third-party.
- Identify any personal information was sold to a third-party associate.
- Identify data over 12 months old that is exempt from CCPA.
- Identify if the personal information is covered under HIPAA or other laws that make it exempt.
This can be confusing for some businesses. HIPAA already protects private health information and is subject to different regulations and penalties than CCPA. For any business that has concerns over identifying what personal information is protected by HIPPA or CCPA, a certified technician from RSI Security can help companies track their data and meet compliance requirements.
3. Have protocols in place to protect consumer’s privacy rights
Even though CCPA only recently went into effect and other states have not passed similar acts yet, all U.S. businesses should have protocols in place to protect consumers’ privacy. Several of the protocols organizations need to implement have already been covered. This includes,
- Right of access and request
- Right to know who has a consumer’s email information
- Right to request businesses delete all personal information
- Right to request that personal information is not sold
- Right to qualify for sales and other incentives the business offers to consumers that did not “opt-out” of marketing emails.
4. Update security protocols to reflect CCPA standards
CCPA standards require that businesses have adequate protection for the consumer data they collect. This includes taking a risk-based approach when the organization is addressing any concerns about the confidentiality and availability of personal data. The protocols that are adopted must be consistent across all departments and any third-party affiliates.
5. Update agreements with third-party affiliates
Even if a business is compliant with CCPA regulations they can still be fined if a third-party affiliated does not follow the standards set down by the act. All third-parties that purchased consumer email information are required to abide by AB 375. This includes disclosing the information on a consumer – if it is requested – and deleting customer data.
CCPA Non-Compliance Penalties
The Attorney General is responsible for enforcing CCPA regulations. The act also allows private citizens to file civil cases if their rights under AB 375 were violated. This includes theft, sale or any other type of non-authorized access of private information either by the business or a third-party affiliate.
If the consumer information was breached due to a lack of adequate security, fines from civil litigation can range from $100 to $750 per violation. If the Attorney General is brought in due to lack of compliance with CCPA the penalties per violation can be as high as $7,500. These fines can apply to both businesses and their third-party affiliates. Consumers can also bring civil suits against businesses regardless of any fines that might have been the result of the Attorney General’s office.
CCPA or AB 375 is a recent act that was quickly written and passed. After a few months, loopholes have been discovered and this has brought about questions on how the various standards will be enforced. One example of a loophole that directly contradicts a consumer’s right to not be discriminated against due to their choice of opting-out of emails states,
“businesses can offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.”
Even though there are loopholes in CCPA, the simple fact that other states are enacting similar standards makes it important that businesses are complying with current consumer information privacy laws. This is especially true if the business is already operating in Europe or has plans to expand.
CCPA is similar to GDPR and the experts at RSI Security are ready to help organizations meet the security requirements necessary for business in the U.S. and Europe.