The California Consumer Privacy Act (CCPA) comes into effect on January 1st, 2020. If you do business in California or with any California residents, this law may apply to you and your business. The official website for information about CCPA is https://www.oag.ca.gov/privacy/ccpa.
You'll find that there are a lot of similarities between CCPA and GDPR, so if you have already reached compliance with GDPR, it will go a long way toward being compliant with CCPA.
Below, we use the terms "contacts" and "consumers" to include every individual person whose data you are storing. We use this as a general term, meaning that customers, leads, vendors, and any individuals whose data you are storing have the rights outlined in CCPA and you must abide by those rights granted to them.
There are three tests to see if CCPA applies to you:
- Your business exceeds $25 million in annual revenue,
- Your business handles the personal information of 50,000 or more California consumers, households, or devices annually, or
- Your business derives more than 50% of its annual revenue from selling consumers' personal information
If any of the above apply to you, you must adhere to the CCPA.
Consumers are granted certain rights as they pertain to the storage and usage of their data. Some (or all) of this data may be stored in GreenRope.
A consumer has the right to know the information collected, stored, and shared by any business that is using their information. If a consumer makes a request and the request is verified as valid, you must provide that consumer with all of the information collected about them.
A consumer has the right to delete information that has been collected about them. Like GDPR, there are some exceptions, such as if this information is needed to fulfill a contract or complete a transaction. To remain compliant with CAN-SPAM and the Canadian Anti-Spam Law (CASL), the laws in place regarding email delivery and permission, GreenRope will still support the ability to maintain an unsubscribe record for any contact.
A consumer has the right to opt out of having their information sold. If the consumer does opt out, it is illegal to discriminate against the consumer because of that decision to opt out.
You cannot ask any of your contacts to sign any contracts or documents that waive the rights granted to them by CCPA.
Your privacy policy must include language that informs consumers that they have the right to know what information you are storing about them and that they can have you delete their information. Your privacy policy also must describe how you will use your contacts' data. If you sell your contacts' data, there are certain other laws and regulations that will apply, so please become familiar with those.
If a consumer makes a verified request to ask for all of the information you have about them, you must be able to provide dates relating to the information gathered (e.g., if someone filled out a form, you must provide the date and time that form gathered the data).
You must provide at least a toll-free phone number or a website as a place where consumers can go to request to know the information collected about them or request to have their data deleted. If a request for either is made, you must comply with that request within 45 days from when the request was made.
If you sell your contacts' data, you must disclose that you sell their data and must also include a "Do Not Sell My Personal Information" link that gives consumers the ability to opt out of the sale of their data. This link must exist in the privacy policy and on your website homepage. If a consumer does opt out, you must honor the request and cannot discriminate against the consumer as a result of that decision.
CCPA is enforced by the State of California Attorney General.
If you are notified by the California Attorney General that you are not in compliance with CCPA, you will have 30 days to bring your organization into compliance.
Penalties are $2,500 per incident, or $7,500 per incident if the Attorney General deems your lack of compliance to be intentional.
CCPA provides for the ability of consumers to take private legal action against a business for lack of compliance with CCPA.
Like GDPR, CCPA has some requirements for the management of your contacts' data that are easily managed with the use of GreenRope. Every piece of information gathered by GreenRope is automatically connected to each contact and is date- and time-stamped.
If someone requests to know the information you have stored, simply click the "Contact Detail Export" button when looking at a contact record. Everything we have stored about the contact will be available in an easy copy-and-paste format.
If someone exercises the right to be deleted, you can remove the contact record unless an email has been sent to that contact in the previous 60 days; this restriction maintains compliance with CAN-SPAM and CASL. If you must maintain the contact record for transactional or contractual purposes, you can claim an exception to this request.