The California Consumer Privacy Act (CCPA) is Coming

It’s time to start thinking about compliance.

By Anne Goto – Data Products Manager, MDR

Here at MDR our thoughts are always turning to…data.

Okay, we talk about data a lot. You could say it’s our thing. So when there is an imminent data privacy regulation poised to impact all US businesses, including education marketers, we’ve got you covered with the important information you need to know every step of the way.

Last June, the California Consumer Privacy Act (CCPA) of 2018 was signed. Similar in scope to Europe’s General Data Protection Regulation (GDPR), it grants California consumers new rights with respect to the collection of their personal information. The CCPA gives California consumers:

  1. Control over what personal information is collected.
  2. The right to know if personal data is being shared or sold.
  3. The right to tell businesses not to share or sell personal information.

More specifically, businesses must:

  • Disclose their privacy policy around any personal information they collect on the business website.
  • Fulfill consumer requests to know what data is being collected, how it is being gathered, and how it is being used.
  • Delete data upon request from a consumer (exceptions may apply).
  • Offer “equal service and pricing…even if they (consumers) exercise their privacy rights under the Act.”*

The CCPA is scheduled to go into effect July 2020, six months after the issuance of the final regulations from the Attorney General of California, so that companies have time to come into compliance. There is ongoing debate – some tech company lobbyists want to water down the law while privacy advocates want to make it even stronger. Every state is watching to see how the CCPA evolves. This law will have implications not only for California-based businesses, but for all businesses nationwide. What happens in California will serve as a template for the other states.

At this time, the law pertains to “large businesses,” defined as those with revenue above $25 million and/or those with personal information on 50,000 consumers. However, the CCPA is evolving and those rules may change, so companies of all sizes should take adequate time to review their privacy policies and ensure they are properly communicating them to their customers.

MDR customers can rest assured that we are watching this law closely with your interests foremost in mind. As a division of Dun & Bradstreet, MDR operates with higher than industry standards for data collection, data management, and fulfillment. We offer industry-leading data security tools and processes. Our current policies include:

  • Not processing data in a manner that is incompatible with the purpose for which it was collected.
  • Taking steps to ensure our data is accurate and up to date.
  • Storing it only for as long as necessary.
  • Ensuring we have appropriate technical and organizational measures in place to keep data secure.

MDR has allocated substantial resources to ensure compliance with all privacy regulations. Building upon our experience of working through GDPR and China Cyber Security Law compliance, we have an active cross-functional team representing 25 divisions across the business working on CCPA compliance.

CCPA FAQs at a Glance

Use this quick reference to understand how CCPA may affect your business and change the data privacy compliance landscape in the United States.

What is the CCPA?

The CCPA is the California Consumer Privacy Act, which was passed by the California legislature at the end of June 2018. The CCPA will give any California consumer (defined as a resident of California) certain rights over their personal information. Due to the complexity of creating different data collection and usage policies for California residents, CCPA may have a national (and multinational) impact on businesses.

When is the CCPA effective?

Originally slated to go into effect January 1, 2020, enforcement has been delayed until six months after the issuance of the final regulations from the California Attorney General, or until July 1, 2020. This gap gives the companies that will be impacted by the law an opportunity to implement an internal compliance program. There may be additional changes or amendments before the law goes into effect, and there will be opportunities for modifications to the law and regulation over the coming year.

Is this the same thing as GDPR that recently went into effect in the European Union?

While the CCPA has been compared to, and was partially modeled after, the GDPR, it is not the same. There are some significant differences in coverage and the nature of the rights created. For example, the CCPA has added the right to opt out of a sale, and the CCPA’s definition of “publicly available” data is far narrower than that of the GDPR, including only information lawfully made available from federal, state, or local government records and used for the same purpose.

Who is covered?

The CCPA defines “consumer” as a California resident. This includes not only traditional consumers (people purchasing goods and services for personal, household and family use) but also individuals acting in their business capacity (so sole proprietorships, and officers, directors and shareholders) and employees.

Does this law only apply to personal information of California residents?

Yes. However, due to the difficulty of separating out California consumers from those in the rest of the country, the CCPA may have a national impact.

What kinds of personal information are covered?

The CCPA defines personal information very broadly. Any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household is covered. It does not include “publicly available” data, but the CCPA has a very narrow definition of “publicly available” information.

How will the CCPA affect businesses?

Any business with customers and/or employees in California must prepare to address these areas of potential impact:

  • Data inventory, mapping of personal data, and selling of personal data
  • Individual rights to data access
  • Individual rights to opt-out of data selling
  • Updating third-party service agreements to ensure compliance
  • Resolving system vulnerabilities and information security gaps

Ready to address your own data compliance program but don’t know how to start? We can help! Contact us to talk about data hygiene and enhancement, faster delivery of updates, and more. You can reach us at 800-333-8802 or email at mdrinfo@dnb.com.

Anne Goto is the Data Products Manager at MDR. Anne has been at MDR for almost 30 years in a variety of roles, including leading the development of the highest quality, comprehensive education database, quality advocacy, data analytics, and her current role where she helps customers make effective use of their data. Before joining MDR, Anne was a media analyst, computer programmer, and occupational therapist.

*https://digitalguardian.com/blog/what-california-data-privacy-protection-act
