Are You Touched by CCPA?

You might be surprised at how much data is flowing through your company. Accounting data, bank accounts, EDI accounts, names and addresses are all data. In the eyes of the State of California that data is now subject to the California Consumer Privacy Act  (CCPA) and it poses some challenges companies doing business in California, but also companies who do business with constituents in California.

Let’s start with the baseline. CCPA only applies to companies that earn more than $25 million in gross revenue. The other hurdle is that it applies to companies who have data on more than 50,000 people or who earn more than 50 percent of their revenue from selling (or bartering or exchanging for advertising) consumer data. For every company that meets these criteria there are myriad paths to compliance. In fact, because the law is so new, there is some disagreement on who has to comply and how.

It is likely that if the law applies to you the management team has already been working since the law was passed to ensure that the basic compliance requirements are met. As you begin your Self Check-up for the start of 2020, consider these points:

For Printers:

1. Verify with your legal and management teams that you are providing needed opt-in and opt-out paths for your customers.
2. If you monetize your customer lists (selling to a list broker, for instance) or use any type of advertising widgets on your website, review your obligations for opt-in, opt-out and data collection.
3. If you use marketing sites like evite or cvent, or one of the job listing sites like Indeed, take time to understand what data is collected on your behalf, and what data they might be collecting and monetizing in addition to what you use.
4. Keep an eye on the final recommendations and guidelines from Xavier Becerra, the Attorney General of California. He plans to have more information available by mid-2020, which means that there will be a variety of interpretations until then.

For vendors: Most enterprise class vendors have legal teams that are watching data privacy legislation carefully and have been adding opt-in and opt-out options for data collection since the European data protection acts began to emerge. However, many Independent Software Vendors and consultancies may meet the revenue bar for compliance, so take the time to identify what data is being collected, how it is being stored, how it is being used, and if you should be adding options for your customers to limit the data you collect and use.

This year will bring a requirement for data vigilance. Even companies that fall below the financial hurdles and believe that they do not meet the requirements for compliance based on how they use data should be keeping an eye on what happens in California. Other states are watching, as are federal regulators.