A new year, a new privacy regulation! This time the California Consumer Privacy Act (CCPA) came into effect on 1 January 2020. This is not expected to be the last this year, either, with a series of data privacy laws predicted on a state by state, or even federally, in America in the future.
The CCPA is a piece of legislation that secures the personal information of California residents (called consumers), similar to the way that GDPR protects European citizens. One of the major differences, in my opinion, is that the CCPA focuses on selling data, whereas the GDPR focuses on consent.
Like the GDPR, the CCPA defines personal information as data that can identify an individual.
Who Must Comply?
A for-profit business is subject to the CCPA if it meets one or more of the three defining factors.
- The business has a gross annual revenue of over $25 million,
- It derives 50% or more of annual revenues from selling consumers’ personal information, or
- It buys, receives, or sells the personal information of 50,000 or more consumers, households or devices.
It’s this last one that’s the doozy and will more than likely capture most business. That’s because personal information includes so many things, like credit card details or IP addresses. So, if your website captures 50,000 different IP addresses in a year, and just one of them is a California resident, you must comply.
Devices are also counted individually, so a single consumer accessing your website through their desktop, phone and tablet counts as three sets of personal information.
The act contains provisions to exclude not-for-profit businesses unless owned by a for-profit business, but these have not been tested and so are considered by experts as a bit uncertain.
So, the odds that this might be relevant to us have gone up – best we find out a bit more.
What Does the California Consumer Privacy Act Cover?
The CCPA provides the following rights to California consumers.
Right to know what personal information is collected, how it is collected and if it is shared or sold.
The right to opt-out of the sale of their personal information. Businesses selling consumers’ information will need to provide a place for consumers to remove their consent.
Right to be forgotten, similar to the GPR requirement but there are deletion exemptions under the CCPA.
The right to equal service even if they exercise their other rights like being forgotten or opting out of their information being sold.
How Does Vision6 Help You Comply?
Right to know
In Vision6 contact details are all kept together. You can find the contact details collected and what actions they have taken in the Consent History tab.
If you need to track information that you have shared, you can do this by adding new fields into the Contact List.
Right to opt-out
It is easy to provide a “Do Not Sell My Info” option with Vision6 forms. (Or any other option for that matter.) Simply add a new form that will update your Contact List if users wish to exercise their right. Learn how to do that here, using the Update Profile option.
Right to be forgotten
Vision6 has an email button under the Consent History tab so you can quickly share the details. It has a clear and obvious unsubscribe function included in the footer and so subscribers can easily opt-out at any time. You can delete subscribers from your contact lists if requested.
Vision6 will always take steps to ensure that you have the tools you need to best support your relationship with your subscribers and comply with the relevant requirements.
This is a general guide, focusing on the CCPA in relation to email marketing. As always, you should get specific legal advice for matters relating directly to your business.
This fact sheet has more information about the California Consumer Privacy Act, or find out more about other data protection regulations or go in-depth with the GDPR with our on demand webinar, Expert Series: How to Prepare for Tighter Data Protection Regulations.