As with every new year, 2020 will bring with it new business goals and a new budget. Unique to 2020, however, will be new privacy requirements—particularly those outlined by the California Consumer Privacy Act, or CCPA.
On Jan. 1, 2020, the CCPA goes into effect, changing the rules of data collection and privacy in the United States (not just California). If your organization has been working on the preparation for compliance throughout 2019 (Kudos to you, if so!), you are likely one of the lucky few. For many organizations, the realization that time has flown by and they are now up against a hard deadline has them scrambling to put compliant processes in place.
If you find yourself in this position, fear not. In this article, we’ll walk through the requirements for your business (as outlined by the CCPA) and help with prioritization to help guide you to compliance in no time.
It’s important to first recognize who the CCPA applies to. Unlike recent European privacy laws that many are familiar with (GDPR and ePrivacy Directives), the CCPA does not apply to all businesses in California or those who market to Californians. In order for CCPA to apply to your organization, you must fit within one of the following characteristics:
- Annual gross revenues exceed $25 million;
- Annually buys, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices;
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Don’t fit into any of these requirements? You’re in the clear (for now, until your business grows to hit these thresholds). For those of you that do fit the criteria, let’s first simplify the primary requirements of the CCPA.
Transparency and Disclosure
The primary focus of the CCPA is the requirement to make users aware of any Personal Information (PI) being collected about/from them, how it is being used, and with whom it is being shared or sold.
[Editor’s note: More information about specific transparency and disclosure requirements can be found in our downloadable Privacy Notice Checklist.]
Rights Afforded to Users
In addition to the requirements for disclosure to users of your organization’s digital properties, rights are also guaranteed to users. These include the right for users to get access to Personal Information that has been collected about them, the right to have their Personal Information deleted, and the right to opt-out of any selling of their Personal Information.
[Editor’s note: Further specifics about the rights guaranteed to users can be found in our Quick Guide to CCPA.]
Keeping these requirements in mind, let’s now explore the steps necessary to get compliant with respect to your tags and digital assets. (These steps are listed in order of importance to help you prioritize your roadmap.)
1. Data collection (tag) audit
The first, and foundational, task in your journey to CCPA compliance is to audit and take an inventory of all the data being collected across your digital assets. The mechanism by which data is collected on your digital web properties is via tags and pixels that load across your site(s). As a result, we need to understand what tags are loading, where they are loading, how they are loading, and what data is being collected by each platform.
For the specifics of conducting an audit, download our eBook on the topic here.
At the end of your tag audit, you should have a documented evaluation understanding what data is being collected on your site.
2. Mapping of data collected
Now that we understand what data is being collected, it’s important to understand and map where the data is going, what platforms it’s being shared with, if it’s being sold, and how it’s being used.
All of this information is going to be necessary to 1.) understand the full scope of CCPA implications as it relates to each platform, thus informing necessary actions for compliance, and 2.) updating and adhering to the transparency requirements of the legislation.
Walk the data that is collected by each platform through your internal systems and downstream systems to fully document:
- If data collected in one platform is being shared or combined with data from another platform. Where does this data end up?
- How the data points being used.
- Is the data is sold at any point. If so, to whom?
Understanding these items will help in the following stage.
3. CCPA evaluation for each platform found in audit
Now that we know what platforms are loading and the data collected from each (from our audit and inventory), and we understand how that data is flowing through our internal systems (from our data mapping activities), we now have the information necessary to conduct a CCPA evaluation.
In this evaluation we want to ask questions of our data to get answers necessary to inform our CCPA preparation efforts.
[Specifics for how to conduct this analysis can be found in our eBook on the Tag Governance Audit process. You can download that here.]
4. Disclosure and Privacy Notice Update
We have covered the disclosure and notice requirements above, which you can read about here. With a properly conducted CCPA evaluation, all of the necessary information to include in these will be readily-available. You will just need to plug the information in as required.
5. Mechanism to adhere to access and deletion requests
The final stage of CCPA preparation will be the implementation of a mechanism to provide user’s their Personal Information upon request and to delete their Personal Information upon request.
The mechanism will need to include a few different components. First, you will need a way for users to submit their requests. As outlined in the legislation, this needs to be both via a link/form on your website as well as via a phone number. For these requests, you will need to understand what information is going to be necessary to receive from the users in order to properly carry out their requests.
Second, you will need to understand how to export and/or delete Personal Information from each of the platforms in use in which you are collecting and storing this information. The means for doing this is likely to be different in each platform but all major marketing, advertising, and analytics technologies should have a solution. If not, it’s time to re-evaluate the technical tools in use on your sites.
Finally, you must have a means of easily communicating with the users to first acknowledge their requests, then manage communication and delivery of the data requested.
CCPA Crunch-Time is Now
Seems like a lot, and with the New Year right around the corner, there is indeed little time left. One thing to keep in mind is that, while the CCPA goes into effect on Jan. 1, it does not become enforceable until July 1, 2020. This will give your organization a little breathing room for things like access and deletion-request mechanisms, as well as for updating of all privacy documentation. The critical first steps to finalize ASAP are audit and information-gathering activities, which will then inform all the remaining activities. Follow the path laid out above and rest easy knowing that your digital assets are compliant under the CCPA.
Still feel overwhelmed? Reach out to the Tag Inspector team at InfoTrust to discuss your current situation.