California Consumer Privacy Act
By now, most marketers have heard of the California Consumer Privacy Act (CCPA). This Act, slated to go into effect January 1, 2020, provides California residents with new rights as to how covered companies collect, use and distribute their personal data. At this time, there are also 13 pending state privacy bills and several initiatives at the federal level. While the state bills vary slightly among themselves, they share common trends, including core consumer rights such as access, deletion, and opt-out from the sale of data to third parties, as well as strong AG enforcement provisions. While a federal law is not expected anytime soon, we are certain to see new state-level activity at the start of 2020.
Path2Response has developed this paper to help our clients and industry navigate the waters swirling around CCPA, particularly with regard to plans for compliance and “future-proofing” for other state laws. Each company must institute its own compliance plans, policies, and practices. While we hope this can be a useful guide, it is not legal advice. As such, please work with your legal team as you put compliance plans in place.
What Path2Response is Doing
The implementation of CCPA is roughly two weeks away. While Path2Response has always had measures in place to responsibly process consumer data consistent with applicable laws, industry guidelines, and best practices, we have been working to enhance several existing processes to meet the new CCPA requirements. While we have historically been transparent with our data practices and provided individuals with the opportunity to opt-out, the CCPA requires that we implement additional practices to enhance a California customer’s right to manage their data. Namely, we are focused on the CCPA provisions regarding Notice and an individual’s Right to Delete Data, Right to Opt-Out of Data Sale, and Right to Access Data via a minimum of two methods (one method must be a toll-free phone number). Path2Response will also add the required logo and language regarding sale of personal data to our website homepage.
Right to Notice – Under the CCPA, businesses must inform consumers at or before the point of collection what categories of personal information will be collected and the purposes for which these categories will be used. The CCPA also sets forth specific disclosures that businesses must include in their privacy policies, including descriptions of consumer rights and how to exercise them. Path2Response is currently updating its Privacy Notice and Data Use Guidelines to conform to these requirements.
Right to Delete Data – When a request to delete data is received, it will be treated as an opt-out. Path2Response has this process currently in place on our website. We will add the option of a toll-free number to be in full compliance. Additionally, Path2Response will retain only the data we need to apply the opt-out in the future.
Right to Opt-Out of Data Sales – Path2Response has always given consumers notice of how their data is used and provided opt-out choice consistent with applicable law and industry best practices. We enable individuals to opt-out of Path2Response’s Master Database, ensuring that their contact information will not be provided to third parties for marketing purposes. We will add the option of a toll-free number to be in full compliance. Any opt-out received from a client will be applied to the appropriate processes to ensure that the individual is not mailed on that client’s behalf.
Right to Access Data – This is the most complex of the new requirements under CCPA. It adds a significant wrinkle to the industry best practice of disclosing the data collected and processed overall by including a customer’s right to request access to the “specific data” collected about them and to be told the categories of companies with which the data has been shared.
Path2Response is modifying its public disclosures (Privacy Notice page and Data Use Guidelines) and updating our internal processes required to comply with CCPA’s Right to Access Data.
In a strange twist, this provision of the Act creates its own privacy risk, and one that we are taking seriously. What if an individual contacts Path2Response and asks for access to another individual’s data, posing as that person? For example, John Smith contacts us and requests Tom Jones’s data. If Path2Response provides the data as requested, we’ve created a privacy leak. To address this, we are working with experienced identity verification firms to ensure, to the best of our ability, that we can validate that the person requesting access to data is who they say they are. Path2Response collects no Sensitive Personally Identifiable Information. As such, an individual perpetrating this fraud would come away with little of value. However, we believe it is important to go “over the line” to protect our clients and their customers’ information.
There are several other items to be addressed, but these are the critical items that Path2Response will have in place to be compliant by January 1, 2020. It’s our position that our clients who prepare to be compliant with CCPA will still be able to leverage Path2Response services to market effectively to California residents.
While the regulations seem onerous at first, we’ve learned that compliance is achievable at a reasonable expense with a focused approach on the key requirements. There are good partners available to help with Data Subject Requests and record keeping (let us know if you want introductions). It’s likely that laws similar to CCPA will be passed, hopefully on a national level. Use this time to become compliant as it will be necessary for the future health of your business.
● There are approximately 40 million California residents fueling a $2.7 trillion economy. If California were a country, its economy would rank fifth in the world. Simply said, the market is too large to ignore. Path2Response will work with you in a compliant manner to continue to drive marketing performance in all states.
● The data we manage for our client partners was collected in a compliant manner. Going forward, so long as our partners are compliant, the data Path2Response utilizes is available for marketing audiences in California and all other states.
● Path2Response believes that we all must be good shepherds of customer data. That’s why we’ve gone beyond what the CCPA regulations mandate with regard to Data Subject Requests and data security. Our client partners can be comfortable with the fact that their customer data is secure.
What Should Our Clients Consider?
The law was passed quickly and lacks clarity and specificity in many areas. The regulations, which define how the law will be enforced, have not been published and may not be published until after the CCPA takes effect. Many clients are asking what they should do to come into compliance.
Confirm that you are obligated to comply with CCPA.
Companies are obligated to comply if they are for-profit (nonprofits are exempt) and meet any ONE of the following criteria:
● they have annual gross revenues in excess of $25 million,
● they buy, receive for their own commercial purposes, sell, or share for another business’s commercial purposes, in the aggregate, the personal information of 50,000 or more California consumers, households, or devices,
● they derive fifty percent or more of their annual revenues from selling consumers’ personal information.
Assuming that your company qualifies, here are some items clients might consider as a start:
1. Gather your team. You will need resources from IT, Marketing, Legal, and Operations at a minimum to address the compliance issues. Your executive team will want to review customer facing scripts, privacy language, and other market facing changes to be sure they are brand consistent.
2. Reach out to other companies in a similar compliance situation and form a working group to address common issues and bounce ideas off. This can be very helpful in speeding up compliance and avoiding the “recreate the wheel” situation.
3. Produce a Record of Processing Activities (ROPA) evaluation that will help to identify the categories of data you have, how you use it, and how you store it. It will identify if the type of data is addressed under CCPA and how it maps to CCPA requirements. ROPA will help point out gaps that you may have. Be sure to consider both first-party data and data you receive from other parties in your evaluation.
5. Document your data security actions. The CCPA expects a business to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information it holds. If you maintain Sensitive Personally Identifiable Information (SPII) such as credit card, social security, or health data, you will be held to a higher standard of security than if you handle non-sensitive Personally Identifiable Information (PII). Security is a critical component of CCPA, as the Act enables California consumers to bring individual lawsuits, and allows for class action suits, against you for noncompliance with security requirements. For further information on security standards, the California State AG released its opinion on reasonable security in its 2016 California Data Breach Report and referenced the CIS Top 20 Critical Security Controls. There is a good chance they will use this as a baseline.
6. Work with your vendors. Have processes in place to deliver Opt-Out and Deletion requests. Understand the data each service provider holds for you, as you may need their help to comply. Also, be sure that your service provider has protocols in place to protect data in line with the nature of the data they hold (SPII, PII, etc.).
7. Build internal processes and communications. Develop how you will handle Opt-Out, Deletion, and Access Rights requests that come in by phone or website. Develop phone scripts and response timelines. The CCPA requires that you respond to an Access Rights request within 45 days. Have the appropriate steps in place to document response activities.
8. Act Now. The law goes into effect soon.
Support National Privacy Legislation
Path2Response supports one set of national privacy regulations. We urge you to support this goal as well. Speak with your legislators and support groups like ACMA, the ANA, The Nonprofit Alliance, IAB, and Privacy for America, who are lobbying for national privacy legislation. Imagine having to deal with 50 separate sets of state-based privacy regulations!