#Privacy: Guidance appears on CCPA compliance in the US

After, Inc., a leading warranty marketing, analytics and programme management firm, has cited the California Consumer Privacy Act (CCPA), which comes into effect on 1 January 2020, as a regulation that businesses need to take seriously.

The CCPA, passed on June 28, 2019, provides California residents with the rights to: know what personal information is being collected about them; to access that information; to know if their personal information is disclosed and to whom; to know if their personal information is sold and to opt out of the sale; and to receive equal service and price whether or not they exercise their privacy rights.

A company is subject to the law if it is a for-profit business that collects personal data, does business in California, and satisfies one of the following: a) has gross revenues over $25 million, b) has information on over 50,000 customers, households or devices, or c) earns more than 50% of its revenue from selling personal information.

While this law pertains only to California residents, other states are considering similar versions, meaning that businesses must take the steps necessary to ensure that their data systems and processes are updated for compliance.

To help manufacturers prepare for CCPA, After, Inc. put together a checklist of eight key work-streams. Each of these work-streams requires cross-functional communication and coordination across operations, marketing, finance, legal and customer service. The guidance is as follows:

  1. Provide a “Do Not Sell My Personal Information” button on the homepage of your website
  2. Designate methods for CA customers to request their data – toll-free number should be included, plus web form or email
  3. Update privacy policies with new CCPA obligations including a description of California resident rights
  4. When requested, disclose the categories and specific pieces of personal data the business has collected
  5. At or before data collection, inform consumers what data will be collected and how it will be used
  6. Deliver free of charge personal information as requested – but not required to provide more than 2X in 12 months
  7. Avoid requesting opt-in consent for 12 months after a California resident opts out
  8. If applicable, obtain consent for minors between the ages of 13-16 years old for data sharing

In light of the potential complexity of fulfilling CCPA requirements, companies dealing with the data of California residents are advised to start preparing now for the incoming laws, if preparations are not already underway.

On the bright side, if companies have already satisfied the GDPR requirements for their European customers, they have a significant head start.

After, Inc.’s research also covers the requirements for third-party service providers that have access to California resident data on their clients’ behalf, for “advertising or marketing, analytics and similar services.”

