What consumer data is covered by the CCPA?
The CCPA carves out a broad definition of personal data by defining it as "information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household." Using this definition, you should identify which of your company's collected data falls under this umbrella. If your company uses third-party data, identify the sources, and be prepared to answer any CCPA requests. Despite its third-party source, your company is responsible for this data as if it collected the information.
As a marketer, you should ask yourself if all the data you are collecting is necessary and identify what is sensitive information. Next, you should consider deleting the non-pertinent data and encrypt what's sensitive.
What other steps should I take for CCPA compliance?
If you are a marketer or advertiser for a company that falls under one of the categories above, here are a few steps that you can take to prepare for the change:
- Know where the data is stored in order to have it readily available when a consumer makes a verifiable request
- Audit marketing list data and organize it by source (internal or third-party)
- Update your company's privacy policy and send it out to your marketing list to inform CA consumers of their new guaranteed privacy rights
- Rethink your method of data collection and only collect information that you need. The less unnecessary data you collect, the more likely you are to remain CCPA compliant
What else should I know about the rights of California consumers?
The CCPA has several guaranteed rights written into it:
- Companies must inform consumers at or before the point of data collection what categories of personal information will be collected and the purpose of collecting it
- Consumers may request information regarding the data collected and request records for the 12-month period preceding the date of request
- Consumers may opt-out of the sale of their personal information
- Consumers may request to have their information deleted
Instead of seeing CCPA compliance as an obstacle that one must deal with, your company can use the new regulation as an opportunity to revisit its data collection strategy altogether. Rather than operating under the old mentality of "collect as much data as possible," think about why you are collecting the data and gather it in a meaningful way. By doing this, you may be able to offer more transparency to your customers, which is usually looked upon favorably.
If you have questions about how CCPA might apply to your business, ask a lawyer.
This article contains general legal information and does not contain legal advice. Rocket Lawyer is not a law firm or a substitute for an attorney or law firm. The law is complex and changes often. For legal advice, please ask a lawyer.