CCPA/CPRA, U.S. Laws & Regulations
There are several key aspects of the California Consumer Privacy Act (CCPA) that people are largely missing to date. Here, learn why the “Do Not Sell My Personal Information” provision of the CCPA could be a game changer for many companies. And learn how you can get a head start implementing the processes and systems to comply with the provision without hobbling the business.
The California Consumer Privacy Act of 2018 (the CCPA, as it has come to be known) was enacted on June 28, 2018 with 109 ayes and 0 noes and signed by the governor the same day. Based on the premise that “people desire privacy and more control over their information,” the law ensures Californians five rights, including (#3), the right “to say no to the sale of personal information.”
Referred to as the “Do Not Sell My Personal Information” provision, that #3 could be a hidden game-changer for many companies.
Key CCPA Regulation takeaways
- You’re probably required to comply
- The potential impact is huge
- Digital advertising will not die
- You’ll likely have to verify identities, track requests, and prove compliance – across all of your data systems, and your third-party partners’ systems
- Sarbanes-Oxley and PCI DSS requirements didn’t spell doom for companies; CCPA won’t either
- The solution is software that enables workflow automation, data automation, and change automation
The “Do Not Sell My Personal Information” provision of the CCPA could be a hidden game-changer for many companies.
Click to tweet
CCPA Regulations: Are You Required to Comply?
Businesses subject to the CCPA include those with annual revenue above $25 million and those that derive more than 50% of their revenue from selling consumers’ personal information. Also subject are businesses that annually buy, receive, sell, or share the data of 50,000 or more consumers, households, or devices.
That may be far more medium-sized and even small businesses than one might think. An ecommerce business, for example, that places cookies on website visitors’ computers would need only 137 visitors per day to fall under the purview of the CCPA, given that “Internet or other electronic network activity” is personal information as defined by the law.
Think you aren’t subject to the CCPA? If you cookie 137 or more web visitors a day, you might be.
Click to tweet
How Big of a Deal Might This Be?
For all those businesses subject to the law, the potential game changer lies in sections 1798.120 (the right to opt-out), 1798.135 (“Do Not Sell”), and 1798.140 (definitions). In a nutshell, the law requires businesses to post a clear and conspicuous link on their website that says “Do Not Sell My Personal Information” and then to enable consumers to opt-out of the sale of their data to third parties.
The provision begs a lot of questions. How exactly is “sale” defined? What exactly counts as “clear and conspicuous”? Which pages of the website does that link have to be on? Does it have to be on a mobile site or a mobile app?
Those questions will be answered by California’s Attorney General over the course of the next six months or so. (Section 1798.185 of the CCPA stipulates that “On or before January 1, 2020, the Attorney General shall solicit broad public participation to adopt regulations to further the purposes of this title.”) For now, because the Attorney General has yet to tell businesses what specifically they have to do to comply with the law, interpretations remain open.
Recently a major retailer tested the potential impact of the “Do Not Sell My Personal Information” link by placing a far less aggressive statement – “Learn about our privacy policy” – on the home screen of its mobile app. Of the 30 million users who were served the link, 4% clicked on it. That may sound like a small percentage, but the number – 1.2 million – is big. And it stands to reason that many more users would click a link that said “Do Not Sell My Personal Information.” (Given the utter lack of nuance, who wouldn’t click on such a statement?)
Of the 30 million users who were served the link, 4% clicked on it.
{% module “module_155848058847344″ path=”/Marketplace/HubSpot/Accordion_Toggle/Accordion Toggle” %}
Given the utter lack of nuance, who wouldn’t click on such a statement as “Do Not Sell My Personal Information”?
Click to tweet
Wither Digital Advertising?
Based on the current state of privacy affairs, it’s easy to imagine that a significant percentage of consumers would take advantage of the “Do Not Sell My Personal Information” provision. Yet consumers have demonstrated willingness to share their data – and even have their data reshared – when they understand the business’s rationale for doing so, and the benefit they will see from it.
In one Pew study, for example, 67% of respondents said this scenario might be acceptable: “A grocery store has offered you a free loyalty card that will save you money on your purchases. In exchange, the store will keep track of your shopping habits and sell this data to third parties.” (47% said it would be acceptable, 20% said it depends, and 32% said it would not be acceptable.) Yet just 44% of respondents said this scenario might be acceptable: “A thermostat sensor for your house that would learn about your temperature zone and movements around the house and potentially save you on your energy bill.” (27% said it would be acceptable, 17% said it depends, and 55% said it would not be acceptable.)
The key is to educate consumers, transparently. Start by defining for the consumer what data is being collected, with whom it’s being shared, why it’s being shared, and how it’s being used. Explain the implications of opting out of the sale of data (for example, the consumer might miss out on relevant discounts or relevant educational information or opportunities). Enable consumers to selectively opt out of the sale of only certain personal data, rather than all of it. Educate consumers on why you need to share their data in order to better serve them, and you’ll minimize opt-outs.
Consumers have demonstrated willingness to share their data when they understand the business’s rationale, and the benefit to them.
Click to tweet
{% module “module_155848124848995″ path=”/Marketplace/HubSpot/Accordion_Toggle/Accordion Toggle” %}
{{cta(’95e8a705-7056-417b-b864-ad61e437d360′)}}
The Consumer Opts Out. Then What?
Understanding whether you’re required to comply with the “Do Not Sell My Personal Information” provision of the CCPA, assessing how it might impact your organization, and creating a framework for transparently educating consumers about how you use their data and why allowing you to share it is in their best interest is just the beginning. Despite your best efforts in that regard, some consumers will opt out, and you will be required to honor their request and not “sell” their data for a period of 12 months.
That raises two key technical issues: 1) how to ensure all of the personal data you currently have on that consumer doesn’t get sold, and 2) how to ensure any new personal data you gather on that consumer doesn’t get sold. In an online advertising context, as just one example of where this regulation will likely apply, compliance will likely mean erasing existing cookies tied to that consumer and refraining from placing new cookies in the future.
An effective system for managing opt-out requests will necessarily involve three components:
- You have to verify the identity of the person requesting to opt-out – to make sure they are who they say they are. This means you may actually be gathering more information that you’ll have to manage.
- You have to track the person who has opted out to ensure you honor their opt-out request for the requisite 12 months. That could require gathering and managing more personal data than you had in the first place (for example, an email address as a record identifier to ensure that cookie data isn’t sold).
- You should be able to prove to an auditor that you are honoring the consumer’s opt-out request. Because formats like Excel, text, and email aren’t immutable, managing requests in that way can make it difficult to prove compliance.
And, perhaps trickiest of all, you have to figure out how to do all that across all of the data systems consumers’ data pass through – yours, and the third parties you sell data to.
Perhaps trickiest of all, you have to verify identities, track requests, and prove compliance across all of the systems consumers’ data pass through – yours, and the third parties you sell data to.
Click to tweet
Lessons from SOX and PCI
While most companies haven’t confronted the particular challenge of managing “Do Not Sell My Personal Information” requests before, history offers an optimistic view of how they will. “Sarbanes-Oxley was difficult for companies to comply with at first. The law required companies to show credit card information only to people who needed to see it. So systems were built to mask the data,” explained Truyo CPO Rod Forsythe.
“Then the Payment Card Industry Data Security Standard (PCI DSS) required that credit card data not be directly accessible, even if it was masked, and that required new systems to be built or old systems to be retrofitted to, for example, use tokens. Essentially it was about data minimization – individuals’ financial data should only be accessible to people who need it to do their jobs. That’s what we will see happen with personal data as it’s being defined under GDPR and CCPA. Personal data will be treated like credit card data came to be treated.”
SOX and PCI were essentially about data minimization. That’s what we will see happen with personal data as it’s being defined under GDPR and CCPA. It will be treated like credit card data came to be treated.
Click to tweet
The Solution: Automation
As was the case with SOX and PCI, the answer to the challenges posed by the CCPA “Do Not Sell My Personal Information” requirement is software built with the business need in mind. In this case, software that provides attribution around personal data records – is there a “do not sell” flag on the record? From when?
Whether you might have to manage 1.2 million opt-out requests, or more, or far fewer, navigating that on an ad-hoc basis without pre-organization – and, for most companies, automation – will likely be a nightmare. What can help is software-enabled workflow automation (communicating with consumers, validating identities), data automation (keeping track of opt-out requests across your entire data environment), and change automation (for when that opt-out request comes in, and when it expires).
Whether you might have to manage 1.2 million opt-out requests, or more, or far fewer, navigating that without pre-organization – and, for most companies, automation – will likely be a nightmare.
Click to tweet
The “Do Not Sell My Personal Information” component of the CCPA will be tough to manage through, no doubt. But there’s a silver lining: for those companies that take the steps to put individual privacy rights management systems in place that enable consumers to have control over their personal data, it will not only be a compliance win, but a competitive differentiator as well. (Yes, it’s a competitive differentiator to be a good steward of customers’ data.)
{{cta(‘2ccc56a6-17f1-463e-b39a-e1ca02b0a934’)}}
Questions? Reach out anytime. We’re at Hello@Truyo.com
This publication informs our clients and friends about recent legal developments and is for informational purposes only. It does not constitute legal advice or reflect any opinions on any particular law or regulation. The information contained herein is subject to change and may become inaccurate or outdated over time. Do not rely on this publication without seeking legal guidance.