Any new privacy compliance framework can be overwhelming—but one going into place right after the holiday season can seem downright impossible. With the California Consumer Privacy Act (CCPA) going into effect on January 1, 2020, most of our clients have new responsibilities as a business, and Zaius has responsibilities as your service provider to help you remain compliant in your storage and use of customer data.
Just as we did with GDPR in 2018, Zaius has been working with our privacy counsel to ensure that we are ready for the first of the year. This means creating frameworks to manage consumer preference as specified under the law, and the appropriate request, tracking, and storage mechanisms so that they function as intended.
We always recommend that you take advice from your own counsel above anyone else. Only your counsel truly understands all aspects of your business to best guide you towards compliance. But, if you need a hand getting started, here are the top 5 things you should do prior to January 1.
1. Identify where your customer data goes
In the course of running your business, you send customer data to many different places. Customer data might be cookies, names, addresses, emails, other identifiers, or more, and you could be sending it to social media, ad networks, your CRM, your loyalty program, your ecommerce platform, or a variety of other places. Implementing CCPA requires that you know all of these destinations and determine whether each one is a “service provider” or a “third party”.
CCPA makes a distinction between companies that help you run your business on your own terms (“service providers”) and companies that may derive additional value from your data as well as providing you value (“third parties”). Realistically, only your legal counsel can help you decide which is which for your business. However, it is important that you make this distinction, as CCPA has a provision requiring you to let customers opt out of having their data sent to third parties without requiring you to delete their data entirely.
Identifying all the places that house your data and their status will help you develop the most thorough opt-out, access, and deletion processes. Keep in mind, some service providers may also be sending data to other service providers or third parties at your request, and you’ll need to be aware of those flows.
2. Create appropriate on-site collateral
If you include any third parties in your data ecosystem, include a link on your website footer saying “Do not sell my personal information” or “Do not sell my info” that helps customers opt-out from having data sent to third parties. Don’t be fooled by the word “sell”—even if you aren’t making money from the exchange, when the data goes to a third party, it is considered “sold” under CCPA.
A similar message and link is required to be visible upon page load at the beginning of each customer web session to let customers know what might happen to their browsing data. This floating message is similar to the cookie consent notices that are seen on EU sites.
3. Develop an opt-out process
Under CCPA, customers can opt-out of having their data sold to a third party. As the business, you’ll need to be able to fulfill this request for both web browsing data (like cookies on your site) and personal data (such as PII in your ecomm platform, CRM, loyalty program, etc). You might need to develop a form or other collection mechanism where a customer can submit their request, and you should have designated colleagues who process these requests regularly. Be prepared for customers to use non-designated channels, though, and train your service teams appropriately. CCPA also requires that some businesses have a toll-free number that can be used for these requests; you’ll want to check with your legal team to see if this is a requirement for you.
The more buttoned-up you are on identifying all third parties in your ecosystem, and how data is transmitted to them, the more replicable these opt-out processes will be. If you use service providers that also send to third parties at your request (like Zaius), you’ll want to be up-to-speed on their processes for indicating opt-out, as well. For example, Zaius will have both manual (a form) and programmatic (an API route) ways of requesting to append a profile with an opted-out indicator.
Finally, note that CCPA requires you to keep records of all opt-out requests in case of an audit. Be sure you are consistently storing the details of the request, its completion, or the reason it could not be completed.
4. Develop a deletion and access request process
Under CCPA, customers can also ask to have their data deleted from your records or to understand what data you retain about them in your records, including records housed by your service providers. If you already have a mechanism and a process in place for deletion and access for GDPR, you may be able to scale that process to cover CCPA, but only after careful consideration with your legal counsel.
Again, as with opt-out, it is to your benefit to have a pre-existing understanding of everywhere your customer data goes, and how to enforce a permanent deletion process in all of those places. In Zaius, there are manual and programmatic options for compliance today, which will be extended to cover CCPA. Also, as with opt-out, a toll-free number and record-keeping are required.
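As an added illustration of steps 3 and 4 (example code written for this post, not Zaius’s own implementation or API), the Python below models a data-flow inventory classified as service provider or third party, an opt-out that suppresses only third-party sends without deleting anything, a deletion that stops every send, and an audit entry for each request that records why it could not be completed. The destination names, the in-memory store, and the request channels are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set
# Constructed inventory of where customer data goes (step 1); names are hypothetical.
# "service_provider" acts only on your instructions; "third_party" may derive its own value.
DATA_FLOWS: Dict[str, str] = {
    "crm": "service_provider",
    "loyalty_program": "service_provider",
    "ad_network": "third_party",
    "social_media_pixel": "third_party",
}

@dataclass
class CustomerRecord:
    email: str
    opted_out_of_sale: bool = False
    deleted: bool = False

@dataclass
class AuditEntry:
    email: str
    request: str      # "opt_out" or "delete"
    channel: str      # "web_form", "api", "toll_free", "support_email", ...
    completed: bool
    reason: str = ""  # why the request could not be completed, if it was not

CUSTOMERS: Dict[str, CustomerRecord] = {}  # constructed in-memory store
AUDIT_LOG: List[AuditEntry] = []

def allowed_destinations(record: CustomerRecord) -> Set[str]:
    """Opt-out stops sends to third parties only; deletion stops every send."""
    if record.deleted:
        return set()
    return {name for name, kind in DATA_FLOWS.items()
            if kind == "service_provider" or not record.opted_out_of_sale}

def handle_request(email: str, request: str, channel: str) -> AuditEntry:
    """Apply an opt-out or deletion request and log it whether or not it succeeds."""
    record = CUSTOMERS.get(email)
    if record is None:
        entry = AuditEntry(email, request, channel, False, "no record found for this email")
    elif request == "opt_out":
        record.opted_out_of_sale = True
        entry = AuditEntry(email, request, channel, True)
    elif request == "delete":
        record.deleted = True  # must be propagated to every destination in DATA_FLOWS
        entry = AuditEntry(email, request, channel, True)
    else:
        entry = AuditEntry(email, request, channel, False, f"unsupported request {request!r}")
    AUDIT_LOG.append(entry)
    return entry
```

In a real deployment each completed entry would also be written to durable storage and each destination notified, which this in-memory model leaves out.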