Just as the dust has settled, along comes a new shift in the data protection landscape.

The California Consumer Privacy Act (CCPA), enacted in June 2018, has been cited by some as a move towards a GDPR-type data privacy law,[1] which will not only provide California residents with a set of comparable rights with respect to their personal information but also places obligations on businesses which collect, use, sell or disclose that information.[2]

The CCPA is not an American GDPR. There are substantial differences between the two regimes; the GDPR restricts the collection of personal information unless certain conditions exist, whereas no such restriction is found under the CCPA.[3] The definition of personal information is also potentially broader under the CCPA than under the GDPR, as it includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.

Despite these differences, there are certainly learnings from the work preparing for the GDPR that can be applied to the CCPA.

The GDPR took four years to negotiate; the CCPA was passed in only 7 days. As such, business communities are calling for changes, as expected.[4] However, the scope and extent of those changes are likely to be limited to tidying up some aspects of technical language only; the main principles are expected to remain as they are at present. With that in mind, businesses are well served to start preparing for January 2020, when the act will take effect.

Below are our top recommendations for leveraging the GDPR to operationalise the CCPA.

Map your information flows!  

The CCPA will introduce the right of information and the right of access. These rights will both oblige businesses to provide consumers with certain information at the time of collecting their personal information, and will permit those eligible under the Act to see what information is being held.

It simply isn’t possible to comply with these obligations unless you know the locations of your information and the extent of the information flow. Today’s interconnectedness means it is unlikely information will stay in one place; it will be moved, replicated, shared with suppliers, vendors and partners. A good place to start is a data map and audit, focusing on the following questions:

  • Who do you hold information about?
  • What information do you hold about them?
  • Who do you share it with?
  • How long do you hold it for?
  • How do you keep it safe?

Be transparent!

Transparency is a key principle under the GDPR; at the end of the day, you don’t own someone else’s personal information and individuals should be able to clearly understand what information is being collected and why. Under the CCPA, businesses will be obligated to inform consumers at the time of collection:

  • The categories of personal information being collected; and
  • The purposes for which the categories of personal information will be used.

Furthermore, businesses will be unable to collect additional categories of personal information or use personal information collected for additional purposes without providing individuals with appropriate information and notice.

In the wake of GDPR, there are now some great examples of clear, unambiguous and intelligible privacy notices, which provide enough guidance without being unnecessarily complicated or complex.

Be accountable!

Similar to the GDPR, contractual obligations flow down under the CCPA. If you use service providers, you want to be sure that you have a written contract in place to ensure that they will comply with your instructions and help you comply with your obligations. For example, if you receive a valid request from a consumer, asking you to delete their information, you need to direct any service providers to delete the same personal information from their records. 

As you collect information on your customers to inform your customer experience programmes, make sure that you’re getting into a practice that protects personal information by design and default. We can assist you. Each month we collect, process and analyse millions of employee and customer experience surveys; manage over 100,000 inbound calls to our contact centres, and complete over 100,000 mystery shops. The new world of GDPR, and soon CCPA, needs to become part of the way you do business.

[1] https://www.foley.com/california-moves-towards-gdpr-like-privacy-protections-in-the-california-consumer-privacy-act-of-2018-07-02-2018/

[2] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

[3] https://digiday.com/marketing/californias-consumer-privacy-law-has-digital-ad-industry-searching-for-answers/

[4] https://www.privsecblog.com/2018/08/articles/marketing-and-consumer-privacy/business-community-announces-california-consumer-privacy-act-amendment-wish-list/?utm_campaign=ccpa-wish-list-privsec&utm_medium=social&utm_source=linkedin_socialshare&utm_term=
