CCPA, GDPR – How to Get into Compliance
Here’s what you need to know about data privacy and what your responsibilities are.
It is time for businesses, large and small, to make changes in how they handle consumer data. It’s not just good business practice, it’s the law.
Data privacy has garnered much attention over the past few years. With data being used to influence elections or enrich hedge funds, and after publicized data security breaches, governments decided it was time to take action to limit how personal data is used. GDPR and CCPA are the result.
In the EU, the General Data Protection Regulation (GDPR) was enacted in 2018. In the US, the California Consumer Privacy Act (CCPA) became effective on January 1, 2020. More data privacy laws are in the works.
If your company is doing business in Europe or California or collecting information on individuals from these locations, you should take action immediately to comply with the regulations. If you do not currently fall under the requirements, you should consider enacting data privacy to prepare for eventual standardization of these laws. California’s law serves as a warning that consumers are coming to expect data privacy rights.
Data Privacy and Personalization
As businesses move toward more personalization, maintaining data privacy becomes more complex, but also more critical. Personal data has become big business. It is captured, sold, and dissected through social media, search engines, and online shopping. American companies spend nearly $20 billion annually to acquire and analyze consumer data.
With the trend in digital marketing toward personalization and offering a user-centric website experience, most businesses need to collect and use personal data.
Consumers have become used to the idea of their data being collected, but they are still concerned about how it is used. Nearly 70% are okay with data being used to make the experience better for individual customers or to introduce them to products they might like. They become more uncomfortable when their data is shared with other organizations. It’s important to be transparent with consumers regarding what you do with their data.
Customers are asking more questions during the sales process about how data are captured, used, stored, transferred, accessed and deleted, which can cause delays in the sales cycle. The Cisco 2019 Data Privacy Benchmark Study shows:
- 87% of companies surveyed cited delays due to data privacy compliance.
- Businesses that are compliant with GDPR experienced shorter sales delays due to customers’ privacy concerns than those that are not.
- GDPR-compliant businesses were less likely to be breached.
- When a breach did occur, fewer records were impacted.
- These companies are receiving other benefits—greater agility and innovation, competitive advantage, and operational efficiency.
Here’s what you need to know with regard to current laws and the steps you should take to comply.*
California Consumer Privacy Act, CCPA – What is It?
The CCPA is a data privacy law that regulates how businesses handle the personal information of California residents. If you have customers (or online visitors) from California, this applies to you. Here are the main consumer rights enacted in the law:
- Consumers have the right to opt out of having their data sold to third parties
- Consumers have the right to request disclosure of data already collected, including a full list of all the third parties the data is shared with
- Consumers have the right to request deletion of data collected
The law exempts smaller businesses as well as nonprofits. It applies to all for-profit businesses that have any of these characteristics:
- Has annual gross revenue of more than $25 million
- Sells the personal information of more than 50,000 California residents annually
- Derives more than 50% of annual revenue from selling the personal information of California residents
Failure to comply can result in penalties up to $7,500 for each violation—that means if you violate the rights of 100 people, your penalty could be $750,000.
General Data Protection Regulation, GDPR – What is It?
The GDPR is an EU regulation that controls how companies and other organizations handle personal data. The regulations set strict rules on data handling procedures, transparency, documentation and user consent.
Organizations must keep a record of and monitor personal data processing activities. Processing activities include what data are being processed, the purpose of the processing and to which countries or third parties the data are transmitted. All consents must be recorded as evidence that explicit consent has been given.
EU residents have:
- The right of data portability
- The right of data access
- The right to be forgotten
This obligation applies to all companies that collect personal information on EU residents.
In addition, some organizations that process sensitive information on a large scale must have a data protection officer (DPO):
- Organizations with more than 250 employees
- Companies that process personal data to target advertising through search engines, such as Google Ads, based on people’s online behavior
- Organizations that process personal data on genetics and health for a hospital
Failure to comply with the GDPR can result in fines as high as 4% of your annual revenue.
But Wait, More Data Privacy Legislation Is in the Works
In the U.S., more than two dozen states are considering data privacy laws. The potential for differing regulations for all of them has many calling for a single federal standard for data privacy. As a result, the U.S. Chamber has issued model privacy legislation to help standardize state privacy laws.
In the U.S., there are three varying standards: California, Washington, and Florida. Most states considering legislation are following one of these three models. Although the bill failed in 2019, the Washington state legislation will add rules around facial recognition. The Florida legislation was passed in 2014 and addresses actions companies must take in the event of a data breach.
Brazil also has a data protection law, the LGPD. You should expect other countries to enact similar protections.
What is Personal Data? It Can be Hard to Define
To make the rules even more confusing, there are differing approaches to what is considered personal data. The GDPR describes personal data as anything that could allow the individual to be identified:
“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The CCPA clearly specifies what is considered to be personal information.
- Identifiers such as name, alias, postal address, unique personal identifiers, online identifiers, IP address, email address, account name, SSN, driver’s license number, passport number or anything else that can be used to identify the consumer
- Characteristics of protected classifications such as race or disabilities
- Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- Biometric information
- Internet activity, including browsing history and search history
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Education information
- Employment data
- Profiling such as consumer preferences, behavior, attitudes, intelligence, etc.
Neither the GDPR nor the CCPA mentions facial recognition, but it is included in potential legislation in other states and should be considered a personal identifier.
Practical Steps to Ensure Compliance
If this is confusing to you, you are not alone. An entire industry has sprouted up to help companies comply with the new laws. You can hire data privacy lawyers, purchase compliance software, or install privacy plugins for your website.
In general, if you already comply with the GDPR, you are most of the way there to comply with the CCPA. There are five main things you need to do to meet both regulations.
1. Keep Good Records
The first step to compliance is understanding what data you collect, how you collect it and how it is used. You also need to know how third-party services (including SaaS providers) on your website use data, and confirm that they are compliant. You need to collect and maintain these data:
- Name and contact details
- Reasons for data processing
- Description of categories of data subjects and personal data
- Categories of organizations receiving the data
- Time limit for removal of the data
- Description of security measures used when processing
- Lists of do not sell requests
2. Allow People to Opt-Out or Offer Consent
To meet GDPR standards, you need to get valid consent prior to processing personal data. All consents must be logged as proof, and all tracking of personal data—even by third parties—must be documented. To meet the CCPA, this is required only for minors.
Cookies are considered unique identifiers and are included in personal information under the CCPA. First-party cookies often collect anonymous data for the site’s core functions and are deleted after the browser is closed. If the data is not anonymous but can be used to create profiles and offer personalized ads, it can also fall under the CCPA.
Third-party cookies, like those set by social media or search engines, often collect personal, and sometimes sensitive, information that can be kept for up to 100 years. Google Ads or Google Analytics should be configured to allow visitors to opt out of tracking.
Your website needs these features:
- A clearly visible footer offering an opt-out for cookies on the website
- A request for consent whenever your website collects personal data
- A “Do Not Sell My Personal Information” link for users to opt out of the sale of personal information
- A way for users to access their settings and change them if they change their mind
- Forms that tell users how the data will be used and give them the option to unsubscribe
3. Provide Information
If a consumer asks for disclosure of their personal information, you must provide the records of personal information collected in the last 12 months. These records should include sources, commercial purposes, and categories of third parties with whom it has been shared. CCPA specifies that consumers can sue if they can’t find out how their data has been collected.
Establish a procedure to respond to data requests.
- Offer users specific and accurate information on all cookies and other tracking technologies
- Introduce a method of verifying the identity of the person making the request. Keep this documentation.
- With GDPR, you need to be able to delete all records related to a person if they request it.
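The record-keeping, consent and data-request steps above, as an added example that is not part of the original article: a small in-memory ledger that logs consent as proof before any processing, keeps a do-not-sell list, documents each request together with its identity check, answers a disclosure request with the last 12 months of records (sources, purposes and recipients), and erases every record tied to a person. The `Record` fields, the 365-day window and the sample values are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Record:  # one processing record: what was collected, from where, why, who received it
    subject_id: str
    category: str       # CCPA category, e.g. "identifiers", "internet activity"
    source: str         # where it was collected (signup form, ad partner, ...)
    purpose: str        # reason for processing; must match a logged consent
    recipients: tuple   # categories of organizations the data was shared with
    collected_at: datetime

class PrivacyLedger:
    """In-memory ledger (constructed for this example) for consent proof, opt-outs and requests."""
    def __init__(self):
        self.records = []
        self.consents = []        # (subject_id, purpose, granted_at): evidence of consent
        self.do_not_sell = set()  # "Do Not Sell My Personal Information" opt-outs
        self.requests = []        # (subject_id, kind, verified, at): request documentation
    def log_consent(self, subject_id, purpose, granted_at):
        self.consents.append((subject_id, purpose, granted_at))
    def has_consent(self, subject_id, purpose):
        return any(s == subject_id and p == purpose for s, p, _ in self.consents)
    def collect(self, record):
        # GDPR: refuse to process for a purpose the person has not consented to
        if not self.has_consent(record.subject_id, record.purpose):
            raise PermissionError(f"no consent from {record.subject_id} for {record.purpose!r}")
        self.records.append(record)
    def opt_out_of_sale(self, subject_id):
        self.do_not_sell.add(subject_id)
    def may_sell(self, subject_id):  # CCPA: consult the opt-out list before any sale
        return subject_id not in self.do_not_sell
    def _dsar(self, subject_id, kind, verified, now):
        # Document every request, including the identity check, and refuse unverified ones
        self.requests.append((subject_id, kind, verified, now))
        if not verified:
            raise PermissionError("identity not verified")
    def disclose(self, subject_id, verified, now):
        # CCPA: records from the last 12 months, with sources, purposes and recipients
        self._dsar(subject_id, "disclose", verified, now)
        cutoff = now - timedelta(days=365)
        return [r for r in self.records if r.subject_id == subject_id and r.collected_at >= cutoff]
    def erase(self, subject_id, verified, now):
        # GDPR right to be forgotten: drop every record and consent tied to the person
        # (the request log stays as documentation that the request was handled)
        self._dsar(subject_id, "erase", verified, now)
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        self.consents = [c for c in self.consents if c[0] != subject_id]
        return before - len(self.records)
```

A production version would persist the ledger and the request log to durable, access-controlled storage; the in-memory lists here exist only to keep the logic readable.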
4. Protect Against and Prepare for Data Breaches
Put protections in place to help reduce costs and minimize impact if there is a breach. Minimizing the amount of personal data that are stored and processed is the best protection against data breaches.
5. Update Your Technology
Using older technology for your website or data storage puts you at risk for data breaches and noncompliance. Update your website to include plugins, forms, or extensions that provide cookie opt-outs and visitor consent.
*This article is accurate to the best of my knowledge, but should not be seen as legal advice. You should consult with an attorney before you rely on this information.