Technology makes it easy to learn more about your customers to streamline your marketing. Businesses have used new tech to collect data surrounding their consumer bases for years now, which made the issue of privacy a worldwide topic of discussion.
In May 2018, the world saw lawmakers enact the General Data Protection Regulation (GDPR), which was the first of its kind to protect customer data and regulate data collection. Businesses that had European consumers quickly adapted their practices to comply with the law, but if your company operated only within the U.S., you could continue to work as usual.
California quickly followed the example set by the GDPR when the state legislature passed the California Consumer Privacy Act (CCPA) in June 2018. Before it goes into effect on January 1, read about how you should prepare your business practices to meet the law’s requirements.
1) Review Your Data Collection
If you own a large company, you may operate technology that regularly mines vast amounts of consumer data. It’s in your best interest to audit that data and review what you’ve collected.
Information is only valuable for a certain length of time and not everything is worth collecting. Review your data and where it comes from, which may mean talking with potential partners who collect this data for you. Businesses of all sizes should learn when not to retain out-of-date information and to treat consumers outside of California the same as local residents.
Wondering if your business must comply with this law? It depends on the size of your company. Any for-profit company that meets one of the following conditions should follow the CCPA:
- You collect information on over 50,000 consumers or households every year
- You make half your annual profits from selling personal data or information
- You receive over $25 million in yearly revenue
This includes businesses based in other states that have consumers located in California or have paid for data from California residents.
2) Look at Third-Party Contracts
Because it’s easy to mine data, many companies work with data centers to store their information. Vendors may use that data for analytics or surveys to improve collection and usage.
Review all vendors and contracts to ensure they’re in line with the CCPA. According to the new law, third parties should not:
- Sell consumer information without consent
- Access personal info by reaching out to the consumer
- Collect data on individuals younger than 16 without parental consent
Discuss these specific mandates with your third-party vendors so you can continue working with them after January 1.
3) Create a Privacy Board
Once you know what you collect, why you need it and whether your vendors comply with the CCPA, it’s in your best interest to create a privacy board. Choose a representative from each department in your company, such as marketing, IT, sales, and legal.
Each person will monitor data collection within their department after January 1 so more people are on the lookout for compliance issues. They should also know when to share or delete data.
A Constituent Relationship Manager (CRM) can help organize collected data for you, especially if your business relies on donors or volunteers.
4) Prepare for Data Breaches
Data breaches are a modern risk to all businesses. Now that most California and U.S. companies will check their data and restructure how they collect it before January 1, hackers know they’ll have access to different kinds of information.
In case a breach occurs, review your state’s notification laws so you alert your consumer base about a violation of personal information within the mandated three-day period.
5) Form a Request Process
The CCPA also grants consumers the right to request that businesses delete their personal data. To do that, they’ll need to let you know their preferences. Form a request process through your website, phone number or company email address and train a customer support team to handle these concerns. You are required by law to alert your consumers of their right to this provision.
6) Stay Up-to-Date
After the law goes into effect on January 1, it can still change. Lawmakers will try to pass amendments to define the CCPA more specifically and narrow its focus. Track the amendments online so you can read about them and prepare in advance. Potential modifications include things like:
- Expanding the data breach notification requirement to 45 days
- Allowing individuals to sue businesses regarding their personal data
- Changing the definition of “agents,” “consumers” and “personal information”
Preparing for the CCPA by using these tips and researching it regularly in the future will keep your business compliant with the law and allow you to continue using personal data to grow your company.