The California Consumer Privacy Act (CCPA) will be enforced on January 1, 2020. We were nervous when the GDPR (General Data Protection Regulation) came into play, and that only governs the use of E.U. citizens’ data. The California law applies to personal data on any state resident, regardless of the location of the marketer. Many believe California is only the first state, with many more to follow.
Companies that are not compliant with CCPA are subject to hefty monetary penalties, though a recent study of US brands found that 56% of businesses surveyed don’t believe they will be compliant by the January 1 kick-off.
In the survey, many businesses cited the cost of becoming compliant as a major obstacle, equal to the price of a full-time employee. Some companies feel their business isn’t big enough to be subject to the law, or don’t think it applies to them.
To comply with CCPA, marketers must be able to respond to Californians’ requests about their personal data. Californians can:
• Know what personal data is being collected
• Request details on how their data is being processed
• Access their personal data
• Request to have their personal data deleted
• Know whether their personal data is sold or disclosed to third parties
• Decline or opt out of the sale of their personal data
Many believe that the CCPA is complicated, and it is poorly written, leaving a lot of the verbiage open to interpretation.
The main goal of the law is to regulate the collection and sale of Personally Identifiable (PI) consumer data to third parties and service providers. You do not need to get paid for the data. If you disclose it to another party, it is considered a transaction. Using outside vendors to help manage your data is not a problem, because you are the controlling party.
Now, individuals can tell you to stop disclosing their data to others, and you must comply. One cannot deny goods or services to anyone because of their data opt-out, and that is making for a slippery slope. In order to know you are not supposed to have data on an individual, you must have that individual in your database. And since it is likely you must have data on an individual in order to do business with him or her, how do you conduct business with data exceptions? One writer compared it to the Eagles’ “Hotel California” tune: “you can check out any time you like, but you can never leave.”