The California Consumer Privacy Act and You: Who Must Comply and How

It’s been just over a month since the California Consumer Privacy Act (CCPA) went into effect, making it the first data privacy law in the country. Just as the European Union’s much-maligned General Data Protection Regulation (GDPR) catalyzed widespread change globally, this new law means big things not just for Californian consumers, but for the way organizations like yours collect and handle consumer data.

What is the CCPA? 

The California Consumer Privacy Act (CCPA) aims to protect the 39.5 million California consumers by giving them control over their data when interacting with a business online. The CCPA specifically gives consumers the right to:  

  • Request disclosure on what personal data has been collected, sold, and disclosed.  
  • Request that companies delete personal data that companies have collected on them, provided that data is not required to do business with them.
  • Opt out of having their personal data sold. 

What Does the CCPA Mean for You?  

While the CCPA currently protects only California consumers, it applies to any website California consumers interact with online that collects personal information. For-profit businesses with any presence in the state, even ones that don’t have physical locations or employees located there, must tell consumers how they collect and use personal data and provide methods for consumers to opt out if they meet any of the following criteria:

  • Earn more than $25 million gross revenue per year 
  • Handle the data of 50,000 or more Californian users, households, or devices per year
  • Generate more than 50% of annual revenue by selling consumers’ personal data
  • Own or control, or are owned or controlled by, an organization that meets any of the above criteria

If your organization satisfies any of these criteria, you will need to add privacy language disclaimers, establish an opt-out process, provide clear opt-out methods, and ensure you have the capacity and support to implement these requests. And you must act quickly—the CCPA is currently in a pre-litigation grace period, but that grace period expires June 30, 2020. 

How to Get Ahead of the CCPA 

Now is the time to perform compliance assessments and mitigate any risks before your organization is forced to. Starting July 1, organizations subject to the CCPA will be liable for not complying with the law. For businesses that haven’t yet assessed their compliance, the potential for litigation presents a significant challenge.

Even if you don’t operate in California, you should be thinking about your organization’s data privacy approach. California may be the first state to enact this kind of legislation, but it won’t be the last. Several other jurisdictions have followed suit by drafting their own privacy laws. Washington State, for example, released language for a new data privacy law that goes even further than the CCPA.  

Legislators know this issue is important to consumers, and they’re not waiting for a federal law to be passed. Taking a proactive approach to impending policy changes isn’t just smart operationally. By responding to market demand signals, it builds trust in your organization. If today’s wary consumers value control over their personal data, then you should value it too.

CCPA Compliance: Where to Get Started 

Complying with the CCPA can present particularly steep challenges to smaller teams. With lean budgets and staffing structures, these organizations may struggle to hit compliance milestones even if they recognize the importance of doing so. So, how can your organization become data privacy compliant without diverting time and attention away from its mission and bottom line? Simple. Engage a partner who brings not only technical mastery but also a deeper understanding of the larger issue set and policy sphere. One that will ensure you’re not just checking a box, but setting your organization up for broad compliance and long-term success.

U.Group recently worked with a large national healthcare company to assist with CCPA compliance across their multiple web properties. We created a specialized opt-out webform for their parent site and fed referred requests from multiple child sites into one system to synthesize their CCPA opt-out requests into one funnel. U.Group helped our customer meet these unique compliance needs by establishing a clear compliance strategy, followed by developing a seamless process for documenting and addressing these requests in an integrated manner.  

This type of strategic approach, understanding of our client’s unique business and operating environments, and grasp of the policy issues at hand freed up stakeholders to continue focusing their efforts on providing customers the best healthcare experience possible. That’s the kind of partner we are; that’s the kind of partner you need.

Do you have a complex problem that’s taking your team away from mission-critical activities? Learn how U.Group can turn your challenges into new opportunities for growth.