
A Marketer’s Guide to Navigating CCPA

This guide was last updated on February 19, 2020, to reflect the most recent regulation modifications. Want to print this guide for future reference? Download a PDF version here.

CCPA is here—and it’s complex, confusing, and scary. Most of this is due to the lack of easily digestible information and guidelines out there for B2C marketers to ensure they’re doing everything they need to ahead of the 2020 enforcement deadline.

Since most of us don’t speak lawyer, it’s difficult to understand what is required across internal systems and vendors being used, and the responsibilities for ensuring compliance within your organization may not be 100% clear right now. Throw in the fact that there’s no standardized way across technology systems to execute on opt-ins, opt-outs, and requests under the law, making each one a unique negotiation and process to handle. Penalties for non-compliance are potentially huge—7-8 figures even for relatively small, unintentional violations—making it that much more important for you to take action.

Freaking out a little bit? Well don’t, because this guide’s for you (we also have a webinar recording available to walk you through this, too). After conducting our own extensive research, here are the key components of CCPA and the steps you need to take to properly prepare your customer data and marketing for compliance.


What Is CCPA?

The California Consumer Privacy Act (CCPA) is a law passed by the California state government in 2018. It was amended and clarified throughout 2019, and takes effect in 2020. The law’s start date is January 1, 2020, and enforcement will begin by July 1, 2020, at the latest.

The law is meant to protect consumer personal information as well as increase control of and transparency around how the personal data of California residents is being used.

Often referred to as a “GDPR-esque” regulation, what CCPA is trying to accomplish is similar in spirit to GDPR, but different in subtle ways that call for a deeper understanding of its requirements on behalf of everyone involved—especially marketers who depend on processing personal data to communicate with their customers in an effective and relevant way.

Does CCPA Apply to Me?

Or the question you’re really asking: “Should I really care about this?” Simply put, if you’re doing marketing at any level of scale to people in California, you should care, and you should continue reading this post.

The law impacts all companies that have a meaningful level of business with California residents, even if the company is not based in California. So if your brand does more than $25 million in annual revenue with California residents, collects information on 50,000+ people, households, or devices in the state, or collects more than 50% of annual revenue from selling consumer data, then the law applies to you.

CCPA allows for large state-imposed damages via lawsuit and creates new opportunities for consumers to seek class-action damages for violating its provisions, so consumer brands that ignore or procrastinate on compliance are introducing huge risk into their business.

Consumer Rights Under CCPA

At a very high level, CCPA outlines three key focus areas of consumer rights that brands must comply with:

1. Consumers have the right to know what categories of personal information your business and its service providers are collecting, why that information is being collected, and can even request the full contents of all their personal information that you have stored.

Information that can be requested falls under the following categories: name, email address, browsing history, geolocation data, biometric information, personal property records, purchase records, employment-related information, protected class characteristics, education information, stored audio or similar, and inferences drawn from all protected information. The official definition can be found in this document, subsection (o).

2. They have the right to request the deletion of that personal information, unless it qualifies under the list of allowed exemptions (d). These include cases where the business needs to keep the information in order to complete the transaction, ship the product, or provide the service requested by the customer, to detect security incidents, to protect against malicious acts, etc.

3. Consumers have the right to opt out of the sale or exchange of their personal information with any other party outside of your business and its service providers.

Requests for access to data and to delete it have to be properly verified by your business, and consumers can’t be treated differently as a result of exercising these rights.

There are many additional details, exceptions, and guidelines in the law and its proposed regulations that people in various roles have to be aware of. But, if your business is making reasonable efforts to act on these rights, the risk of penalties and lawsuits should be greatly reduced.

What CCPA Means for Marketers & Execs

If you’re doing marketing at any level of scale to people in California, you need to be very clear in your own understanding of how personal data is being used to message to consumers and serve them at your organization. Your team will also need a clear understanding and is likely required to be trained on the law and how to help consumers exercise their rights.

Other responsibilities to clarify or delegate in your organization as soon as possible:

  • Know who is responsible for mapping personal data across all of your systems, both internal and vendor, that are in place, and know who is responsible for gathering information for notices. If you had to comply with GDPR, previous data mapping exercises required for compliance with that regulation will likely be useful here.
  • Know who’s responsible for making sure those notices are presented to consumers once the law goes into effect, and that the plan and timeline are clear on providing a way for consumers to exercise their rights under CCPA.
  • Understand at a high level the processes that will be used when consumers exercise their rights to make sure they are exercised in the time period required across all the many systems internally and with vendors and service providers.
  • If you’re providing discounts or incentives in a way that could be perceived as exchanged for personal information (e.g. providing a promotional code upon signing up for the email list), understand and be able to communicate how you calculate the monetary value of that personal information so that it can be communicated in the privacy policy per CCPA.

Marketing systems, CRMs, CDPs, DMPs, and the like are not the only systems at consumer brands that collect and process personal data. But, they are the systems and use cases in the crosshairs of CCPA.

Digital advertising technology and practices that have been common in the “adtech” world are the ones most impacted and introduce the most risk under CCPA, so if you are responsible for advertising, start there. However, if you are able to send a message to anyone on any paid, “earned,” or “owned” channel, you’ll need an understanding and a process on how the systems you’re using to send messages will comply with the law—or you will risk some very expensive consequences.

IT or tech teams internally and vendors or service providers should be able to help you get prepared and are hopefully well into their own projects to comply. Make sure you’re engaging with them in addition to legal teams working on contracts with vendors to ensure everyone involved is ready and able for consumers to exercise their rights.

Finally, you’ll want to think through how to comply with the law in a way that minimizes impact on your goals and priorities. Providing clarity on how you and your company are using personal information in a responsible way is the best strategy to ensure consumers don’t opt out and that both your messaging tactics and your brand promise stay strong across your entire customer base. This leads us to the...

Marketer’s CCPA Checklist

CCPA will likely not be enforced by the California Attorney General before July of 2020, but businesses subject to the law and its regulation should make every effort to ensure that all of the applicable items below are checked off as soon as the law goes into effect on January 1:

Responsibilities

There are many responsibilities in complying with CCPA. Marketers should be sure that the following roles are defined within your organization:

  • It’s clear who is responsible for carrying out consumer rights requests, both online and offline, and training the people who might be called upon to handle them or assist consumers in exercising their rights.
  • It’s clear who is responsible for reviewing the actual proposed regulations in full to make sure specifics of how it impacts your business vs. others are accounted for.
  • It’s clear who is responsible for working with vendors that collect and store consumer personal information to ensure they comply and that processes to comply are clear and agreed upon.

Privacy Policy

In order to comply with CCPA, businesses need to update their privacy policy to:

  • Explain the consumer’s right to know what personal information is collected, disclosed, or sold.
  • Describe the categories of personal information your business is collecting, why it is being collected, and the categories of third parties it was shared with over the preceding 12 months.
  • Explain that the consumer has a right to request the deletion of personal information stored by the business and its service providers.
  • Provide instructions on how to submit a verifiable request to access the personal information stored by a business and its service providers, as well as requests that it be deleted.
  • Describe the process of how requests for access and deletion will be verified.
  • Explain that the consumer has a right to opt out of the sale of their personal information, along with a fully compliant “notice” of that right outlined in the regulations or a link to one.
  • Provide instructions or a link on how to opt out of sale of personal information (see “do not sell my info” section below).
  • Explain that a consumer can not be discriminated against by the business for exercising their rights under CCPA.
  • Provide contact information for questions or concerns about the business’ privacy policies and practices that reflects the way the business primarily interacts with consumers.
  • Provide the date the privacy policy was last updated.
  • Ensure the privacy policy is accessible to consumers with disabilities.
  • If any financial incentives are provided in exchange for personal information (e.g. providing a promotional code upon signing up for the email list that can’t be obtained without signing up), describe them (see “financial incentives” checklist below).
  • If the business buys, sells, receives, or shares the information of 10,000,000 or more consumers, provide key metrics on rights requests laid out on page 20 of the proposed CCPA regulations.

“Do not sell my info” links and landing page

If your business sells or discloses personal information to any other party beyond contracted service providers, you’ll need to make sure “Do not sell my info” links and landing pages are created and:

  • A link with the text “Do Not Sell My Personal Information” or “Do Not Sell My Info” is placed on the homepages of all business websites and on any download or landing pages for mobile applications.
  • The “Do Not Sell My Info” landing page provides notice of the consumer’s right to opt out of the sale of information and provides a form to submit that request.
  • The “Do Not Sell My Info” landing page provides instructions for any other methods that the consumer can use to submit their opt-out request and how people acting as “authorized agents” can submit on a consumer’s behalf along with the required proof.
  • The “Do Not Sell My Info” landing page provides a link to the business’ privacy policy and is accessible to consumers with disabilities.
  • At least one additional method beyond a form is available, such as a toll-free phone number, a designated email address, a form submitted through offline channels, etc.
  • It’s a good idea to centralize all rights requests such as access or deletion requests into a single spot like this one.
  • Decide whether you will follow the proposed guidelines for the “Do Not Sell My Info” icon released in the February 2020 update to the proposed regulations on page 8.
  • Sign up for the CCPA email updates list to be notified of updates to the regulations as they happen.

Financial incentives for personal information

If you give any kind of financial incentive (more information and examples are given on page 28 of the CCPA proposed regulations) such as a discount or rewards in exchange for personal information, you’ll need to make sure of the following in the privacy policy or some other clearly visible location:

  • Provide a brief and clear summary of the incentive in terms of the price or service difference.
  • Provide a description of the “material terms” of the incentive and what categories of personal information are relevant to them.
  • Explain clearly how the consumer can opt in to receive the benefit.
  • Consumers are notified of their right to withdraw at any time and given instructions on how to do it.
  • Explain why the financial incentive or service difference is allowed under CCPA.
  • Provide a “good faith estimate” (more info starting on page 28 of the CCPA proposed regulations) of the value of the consumer’s data that justifies the financial incentive or service difference.
  • Describe the method used to come up with the estimate of value.

Carrying out rights requests

Businesses that have to carry out rights requests should make sure that it is clear internally who will uphold and carry out the following CCPA regulations:

  • How our business will respond to all rights requests within 10 business days.
  • How our business will carry out all personal information access and deletion requests including all service provider systems within 45 calendar days, or a maximum of 90 calendar days with a reasonable explanation.
  • How our business will verify the rights to access and delete personal information and prevent harming consumers if unauthorized requests are made. (More info available starting on page 21 of the CCPA proposed regulations)
  • How our business will verify the authenticity of authorized agents acting on consumers’ behalf. (More info available starting on page 25 of the CCPA proposed regulations)
  • How consumers whose requests cannot be verified will be given details on how to make an opt-out request instead.
  • How our business will honor requests to opt out of the sale of personal information within 15 business days.
  • How our business will notify third parties who were sold a consumer’s data in the 90 calendar days preceding the request not to further sell that information and notify the consumer that this has been done.
  • How our business will establish, document, and comply with a training policy, and how it will complete the required training of all the employees that interact with consumers and/or handle rights requests.
  • Whether our business will try to determine if requests to opt out are fraudulent, and if so how it will demonstrate a good-faith, reasonable, and documented belief that it is fraudulent and how the requesting party will be provided an explanation of the denial as a result.
  • How our business will create a two-step opt-in process involving a request and confirmation for people who have previously opted out before selling their personal information going forward.
  • If sale of personal information is required to complete a transaction, how our business will inform a consumer that has opted out and provide instructions on how to opt in.
  • If our business has “actual knowledge” that it collects or maintains the personal information of minors at least 13 and less than 16 years of age, how it will establish, document, and comply with a reasonable process for allowing minors to opt in. (More info available starting on page 25 of the CCPA proposed regulations)
  • How our business will maintain records of consumer rights requests under CCPA and how our business has responded to those requests for at least 24 months, as well as how consumers will be informed that those records will be retained for record-keeping.

Vendors or “Service Providers”

If your business works with vendors or any other company that qualifies as a “service provider” under CCPA that collects and/or sells personal information, you will need to ensure the following:

  • All applicable service providers you work with are prepared to comply with CCPA when consumers exercise their rights.
  • Categories of personal information collected, disclosed or sold by each relevant service provider are defined so that they can be added to the “right to know” notice in the privacy policy as described above.
  • The process by which your business will pass along relevant rights requests and the timing of completion is clarified and agreed upon with each applicable service provider you work with.
  • Service providers are not using personal information collected on your behalf for the purposes of providing services to another business, person, or entity, unless those services involve data security, fraud, or illegal activity prevention. Building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source, is specifically called out as not permitted.
  • Service providers either will process rights requests they receive directly or know how to direct requests they receive that relate to your business to the proper channels.

Other Resources Out There

How SmarterHQ Complies

SmarterHQ complies as a "service provider" to your business under CCPA, similar to how we comply as a “processor” of data under GDPR, and we plan to comply under all applicable future data regulations.

Consumer rights are exercised via requests made to the business they have a relationship with under those regulations, and those requests are verified and passed to SmarterHQ and other relevant service providers on behalf of their customers.

Our team is committed to ensuring you achieve faster compliance with CCPA with minimal disruption to KPIs. If you’re a client of SmarterHQ looking for process details and specifics on how we comply with the rights created and clarified by CCPA, please reach out to your Client Success Director.

Need to print, save, or share this post for future reference? Download a PDF version here.

Watch our 30-minute CCPA webinar for a thorough walkthrough and additional details.