The California Consumer Privacy Act (CCPA) Takes Effect Bringing Sweeping Changes in Compliance

By Anne Goto, Data Products Manager, MDR

Not long ago we communicated that the California Consumer Privacy Act (CCPA) of 2018 was signed, with an effective date of January 1, 2020, on the horizon. Well, the time has come! CCPA took effect on January 1, bringing changes that affect both consumers and businesses, including education marketers, with stricter guidelines than the U.S. has seen previously on the collection and processing of personal information.

MDR Got Ahead of the New Legislation

MDR is deeply committed to complying with all applicable laws and requests, and we moved forward with preparations for CCPA well in advance of January 1. Building on our experience of working through the European Union’s General Data Protection Regulation (GDPR) and China Cyber Security Law compliance, we had an active cross-functional team representing 25 divisions across the business working on CCPA compliance.

With every new privacy law that is passed, we take what we have learned and leverage it to make our compliance efforts better. And, we’re committed to sharing our CCPA knowledge with our customers.

What Happens in California Affects Every State

CCPA will have implications for both California-based businesses and businesses nationwide because what happens in California will serve as a template for other states. Specifically, CCPA gives California consumers these five new rights with respect to the collection of their personal information:

  • Right to Know — Consumers can obtain a copy of their information about collection, disclosure and sale of their personal information over the past 12 months, in a portable format.
  • Right of Access — Upon request, a company must provide a copy of the information collected about the requesting California consumer in the last 12 months.
  • Right of Deletion — California consumers may request the deletion of any information collected from them.
  • Right to Opt-Out of a Sale — California consumers have the right to opt-out of a sale of their personal information to third parties.
  • Right not to be discriminated against based on their privacy choices.

These rights are triggered when a California resident makes a verifiable consumer request. There are also additional requirements on privacy notice disclosures, third parties and additional statutory damages for data breaches. You can get more details here: California Consumer Privacy Act (CCPA) FAQs.

How CCPA Will Affect Businesses

Any business with customers and/or employees in California must prepare to address these areas of potential impact:

  • Data inventory, mapping of personal data, and selling of personal data
  • Individual rights to data access
  • Individual rights to opt-out of data selling
  • Updating third-party service agreements to ensure compliance
  • Resolving system vulnerabilities and information security gaps

In this world of privacy and new regulations, GDPR, and CCPA, customers can rest assured that MDR is compliant and has a big team, backed by Dun & Bradstreet, ensuring that all guidelines are met. With data privacy regulation poised to impact all U.S. businesses, including education marketers, we’ve got customers covered with the important tools they need every step of the way.

We provide the right data, curated the right way, every day and we enable customers to ingest this data with a variety of tools to make sure they also have data they can trust.

MDR has watched CCPA closely with our customers’ interests foremost in mind. As a division of Dun & Bradstreet, we operate with higher-than-industry standards for data collection, data management, and fulfillment. We offer industry-leading data security tools and processes.

Our current data policies include:

  • Not processing data in a manner that is incompatible with the way it was collected.
  • Taking steps to ensure our data is accurate and up to date.
  • Storing it only for as long as necessary.
  • Ensuring we have appropriate technical and organizational measures in place to keep data secure.

And, based on our people-first philosophy, we have decided to take one step beyond the current guidelines. Regardless of the state and regulations or how the data was acquired and verified, if we get a request to remove someone from our database, we will—no questions asked. Keeping their name on the file is wasteful to customer dollars and time, plus it would decrease campaign performance.

We will also remove or suppress individuals who request to be removed from our customers’ marketing lists. Simply provide us with a suppression file and we can ensure your compliance. (NOTE: It is important to have a process in place for documenting any requests you get directly from CA residents).

While CCPA regulations are now in effect, enforcement has been delayed until six months after the issuance of the final regulations from the California Attorney General, or until July 1, 2020. During this gap, companies impacted by the law have an opportunity to implement an internal compliance program. And, there’s no time like the beginning of a new year to get started on it. MDR can help you every step of the way.

Do you need to address your own data compliance program, but don’t know how to start? We can help! Contact us to talk about data hygiene and enhancement, faster delivery of updates, and more. You can reach us at 800-333-8802 or email at

Anne Goto is the Data Products Manager at MDR. Anne has been at MDR for almost 30 years in a variety of roles, including leading the development of the highest quality, comprehensive education database, quality advocacy, data analytics, and her current role where she helps customers make effective use of their data. Before joining MDR, Anne was a media analyst, computer programmer, and occupational therapist.