We’ve passed the threshold of January 1, and a lot of businesses are still confused about CCPA compliance. If you're feeling this way, you're not alone. The New York Times reports that even major tech companies interpret the law differently. Even though enforcement doesn't start until July 1, there are still things to consider in terms of CCPA compliance decisions. Here’s what you need to know.
CCPA Obligations Begin Now
As you’re well aware, consumers are very concerned about their privacy. Recent research shows that 79% of consumers are concerned about data security and privacy issues and 35% of U.S. broadband households faced a data security problem—including identity theft, data theft, or a virus/spyware infection—in the past 12 months.
Some companies believe that they do not have compliance obligations until July 1, when enforcement by the California Attorney General is set to begin. This is not true, since CCPA obligations related to privacy notices and honoring the rights of California consumers began January 1. Violations of CCPA from January 1 to June 30 will be subject to enforcement action beginning July 1. If your company has not yet updated its privacy notices and put processes in place to grant the rights of consumers under CCPA, you are risking fines.
To Sell or Not to Sell? That Was SO 2018
Fun fact: Companies that do not sell personal information (and are therefore not required to post a "Do Not Sell My Info" button on their website) actually had to take action before the end of 2018. Specifically, they needed to ensure that they:
- Were not selling personal information, as defined under the CCPA; and
- Had appropriate agreements in place with their vendors specifying that no sale of personal information was taking place between the parties.
This is because companies are only deemed to not "sell" personal information, for the purposes of not displaying the "Do Not Sell My Info" button, if they have not engaged in the practice of selling personal information in the previous 12 months. Companies that did not take this action before January 1, 2019, could be deemed as having sold personal information in the 12 months preceding January 1, 2020. Double check your vendors, and consult with your legal and compliance teams to make sure you’re in the clear on these requirements.
What Direction to Take
There’s not yet consensus on how compliance should work, due in part to the fact that the California Attorney General has not yet published his final guidance on how the regulation will be applied and enforced. Thus, businesses are taking different approaches to compliance. The New York Times article mentioned above outlines how one of the largest tech companies introduced a system that allows ad clients to restrict it from using consumer data for anything other than fraud detection and ad measurement. Meanwhile, another major tech company does not see itself as a seller of people’s data and encourages its advertisers to “reach their own decisions on how to best comply with the law.” A third tech giant now extends CCPA protections to all users, no matter what state they live in. Other companies, such as Evite, are even more aggressive. Although it doesn’t sell personal information, Evite still posted a “Do Not Sell My Info” link on its website and will let users make detailed choices about sharing the data that is collected about them.
The bottom line when dealing with the management and sale of personal data is to follow the counsel from California Attorney General Xavier Becerra: “Businesses will have to treat that information more like it’s information that belongs, is owned by, and controlled by the consumer, rather than data that, because it’s in possession of the company, belongs to the company.” Sound familiar?
As you examine your CCPA compliance decisions, be future focused. Make sure you allow consumers to enforce their rights, even if fines are not yet being levied. It will help build trust with your customers and keep you on the right side of regulation.
How does Sparq help you comply? We created an infographic to outline the basic rights afforded individuals under CCPA. It will help you understand how you can support your customers’ rights under the new regulations when using our products.
What Do You Think?
Where’s your company on CCPA compliance? Are you moving forward or taking a “wait and see” approach when it comes to implementing changes? Click the social icons to give your feedback or ask any questions you might have concerning regulatory compliance.