The following information is not legal advice. This is only intended to summarise the main points of the CCPA and inform you, our customers, about how Convertr can be used in a compliant manner. We recommend that you work with a trusted legal partner to fully understand your obligations under the CCPA.
What is CCPA?
The California Consumer Privacy Act, also referred to as CCPA, is a privacy-centric law aimed at protecting the privacy of California consumers. Compliance starts on January 1st, 2020 with enforcement expected to begin July 1st, 2020.
Should you care about CCPA?
Today, CCPA only matters to businesses serving California residents. This can mean selling directly, or collecting or processing California resident data. The penalties are as follows:
- Up to $7,500 for intentional violations, but this relies on the California Attorney General to enforce it
- Individual consumers can sue for $100 to $750 in the event a company is careless and gets hacked
- Preset $2,500 maximum fine for unintentional violations
However, we recommend all businesses be educated and consider implementing compliance measures. Privacy regulations are growing with GDPR in place in the EU and growing legislation in the US. Complying with CCPA and/or GDPR should make it easier for you to comply with any new legislation enacted in the future.
CCPA Rights Provided to Consumers
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer.
- Not be discriminated against for exercising their privacy rights.
What Does CCPA Mean for Businesses?
- You must disclose what data is being collected
- If you sell consumer data, you must provide a way for California consumers to opt out of their data being sold
- You must support consumers' requests for information you have on them within 45 days and delete their data when asked
- You must provide a way for consumers to request the information you have on them
CCPA vs GDPR
CCPA and GDPR have many similarities and if you’ve already gone through the process of complying with GDPR, you’ve covered most of the requirements for CCPA. However, additional work will be needed for most organisations.
We recommend you work with your legal counsel, internal compliance officer or consulting firm to understand what this means for your business.
Additional resource: The Future of Privacy Forum’s GDPR vs CCPA white paper.
CCPA Compliance
When used in accordance with best practices, the Convertr platform provides businesses with a way to capture and process data in a compliant manner. It does not provide or guarantee compliance.
The First Steps for Compliance
Implementing and managing compliance and data security processes will vary. If you’re not sure where to start, we recommend:
- Document your data processes, platforms and access. Organisations must know where their data comes from, how it is transferred, and how long it is stored or deleted.
- Delegate ownership within your organisation. While this topic goes beyond one person or team, you will want someone to lead the effort.
- Contract with a specialist, consulting firm and/or legal counsel to review, recommend and monitor your processes.
- Once policies and procedures are established, implement training programs across the organisation.
- Review your technology and data processes to ensure they line up with your new data processes and that staff use them appropriately. Even platforms with the most comprehensive compliance features can cause a data breach or privacy issue if used incorrectly.
This should not be considered a full list, and should only be used to begin the process.
How Convertr Helps with Compliance
Convertr addresses several common compliance risk areas and helps to minimise your risk when used properly.
Implementing Reasonable Security Practices to Protect Consumer Data
Convertr is ISO 27001 certified, which means we adhere to the highest data security standards and share best practices with our customers.
We remove many manual data processes that would otherwise put a business at risk.
We help standardise processes to provide more transparency and consistency across the organisation to monitor & mitigate potential risk areas.
Acquiring, Processing And Storing Customer Data With Consent
During customer acquisition, the Convertr platform provides multiple tools to capture consent, including web forms, double opt-in via email and user confirmation. Consent is then securely stored with the user profile and can be delivered to additional platforms.
This process provides a full profile of the consumer’s data with a clear record of consent and routes consumers to the proper channels based on that consent.
Requests for Data Access and Deletion
The Convertr platform marks all data with a unique lead ID to make identifying the individual simple. Our customers can easily find customer profiles, export data for the consumer and erase all data. The platform will also provide a record of where data was routed to improve visibility into additional platforms that will need to be reviewed and addressed.
Questions?
As always, your privacy and that of your users is a high priority for our team. We've built tools to make it easy for you to address requirements with the ever-evolving privacy laws—but if you have any questions with regards to these tools, please contact us at compliance@convertr.io.