The California Consumer Privacy Act (CCPA) will give Californians full control of their personal data when it comes into effect in January. This new act may lead to a plethora of other data privacy laws being passed across other U.S. states.
Data is already the central component of modern business. When harnessed and analyzed correctly, it leads to breakthroughs in artificial intelligence (AI), innovative new products and services and, of course, a truly personalized customer experience.
However, as the amount of available data continues to grow, so do consumers’ concerns about how much companies know about them and how responsible they’re being with that knowledge.
In our most recent study, “Preventing Fraud & Preserving CX with AI,” conducted with CallMiner in October, we found that 86% of American adults think companies aren’t doing enough to protect their personal information and 18% don’t trust the brands they do business with to handle their data securely.
Over the past two years, governments around the world have started passing laws and regulations aimed at bringing clarity to the act of data collection, storage and privacy. The biggest and most far-reaching, in terms of restrictions and potential punitive damages, is the European Union-wide General Data Protection Regulation (GDPR), which became law in May 2018 and covers 28 countries.
Additionally, several other countries, including Australia, New Zealand, Colombia, India, Mexico, Brazil, the Philippines and Canada have adopted similar legislation.
And as a truly global organization committed to partnership and transparency, in each case we have ensured complete compliance and in the case of the GDPR have also vetted every vendor and third party we work with to ensure they have the same data protection and transparency structures in place.
Yet in the U.S., there is currently no comparable nationwide data protection and privacy law. In fact there are more than 3,000 separate laws at the state and federal level covering everything from insurance and healthcare to banking. As such, we (our group’s global privacy team including myself) have chosen to create our own unified organization-wide standard, inspired by GDPR, that goes beyond what any of these individual acts requests. But this could all be about to change. A unified law regarding customer data could be less than two years away and it will begin in January when the California Consumer Privacy Act becomes law.
Passed into law on June 28, 2018 and also referred to as AB 375, the California Consumer Privacy Act (CCPA) is designed to put California residents firmly in control of their personal information and to establish strict rules as to how organizations collect and use their customers’ data.
The law, which comes into effect in January and will be actively enforced from July 1, 2020, isn’t simply aimed at organizations based in or with their head offices within the state.
It affects any for-profit company based anywhere in the world that does business with Californian residents if it has an annual gross revenue of $25 million or more; if it deals in the data (i.e., buys, sells, collects or shares) of over 50,000 consumers a year; or if 50% or more of its revenues come from selling consumers’ personal information.
As previously mentioned, the CCPA is about protecting consumer data against commercial misuse. However, what makes this law stand out, even when compared with Europe’s GDPR, is what is defined as sensitive data. As well as obvious identifiers such as a customer’s full name, address, physical and digital contact details or IP address, it also covers internet browsing history, biometrics and anything that could be used to build a profile of a person based on preferences, order history or physical and psychological characteristics. Information relating to educational and employment history is also covered, as is anything relating to property ownership and geolocation. Even audio, visual, thermal and olfactory data that could give a clue to a person’s identity is listed in the Act. In short, it potentially covers any information your company is processing relating to an individual that couldn’t be sourced from freely available government records.
The CCPA doesn’t outlaw data collection. Instead, it is designed to give the consumer complete transparency with regard to what is being collected and who it is being shared with. In order to comply, a business must clearly communicate which types of data are being gathered and must offer consumers – whether they are repeat customers or first-time visitors to your website – the option to opt out of certain types of data collection if it’s of the type outlined in the law’s definition of personal information.
Alongside transparency comes access. Your consumers will have the right to access their records to see what data has been collected. If your organization receives a request, it has a 45-day time limit to comply. This means creating a report that, as well as listing the data, also highlights whether any of that data has been shared or sold, and to whom.
The final direct consumer right is the right to deletion. A customer can request that their data be deleted from your systems. The law as it currently stands features provisions for organizations to, as it were, barter for more information – offering enhanced services based on the amount of data a customer is willing to share. However, a business is not allowed to actively discriminate against a consumer in terms of service levels or pricing on the basis that he or she chooses to opt out of data sharing.
If an organization is found guilty of violating the law, there is a fine of up to $7,500 per record. There is no upper limit on financial penalties and, as the law currently stands, individual consumers will also have the right to sue a company that is in breach. Likewise, if a customer’s data is accessed unlawfully, for example via a data breach, there are penalties of between $100 and $750, and that fine is per customer per incident.
Alongside the CCPA, a number of other U.S. states are also in the process of passing equally strong data privacy laws, including Maine, Nevada, Hawaii, Illinois, Massachusetts, Mississippi, New Mexico, New York, Texas and Washington. All of this means that, for all companies doing business with customers anywhere in the U.S., it is time to make data privacy a top priority.
Customers have never placed a greater premium on trust when it comes to doing business with brands, and soon your company’s approach to data collection and protection will be as intrinsic to your brand promise as its products, services or levels of CX.
Embracing data transparency and actively communicating with customers how and why you are using their information will actually help, not hinder, your organization. It’s a conversation that will enable your brand to get even closer to its customers, and to build new levels of loyalty founded on trust.