Are you ready for CCPA?

October 4, 2019

What is it? How does it impact your business? What do you need to do?

If you're not sure what CCPA is, you're not alone. It stands for the California Consumer Privacy Act, and it's California's version of Europe's GDPR. So if you figured you were out of the woods last year with GDPR because you don't have users in Europe, you need to rethink things again this year in light of California's new law. It applies even if you're not headquartered in California, because you may well have California users.

The new law goes into effect on January 1, 2020, so there are less than 3 months left to act! Now, if you don't even know what GDPR is, it's possible you don't need to worry about privacy laws at all, but you may still want to learn a little about what's required from a privacy perspective to see whether you need to make some changes.

Once upon a time you could capture as much data on your users as possible and never tell anyone just how much information you held on these people. You never needed to delete that data either. Those days are over. Companies required to comply with the new laws will need to audit all the data they hold about their customers or users. If you've been in business for at least a few years, your head is probably starting to explode as it slowly sinks in that you have so much customer data in so many places, and the thought of going through that exercise gives you the chills.

So what does the CCPA require of companies? I think the best way to investigate this is to look at how it's actually been implemented at a company. This morning I received an email about an update to the privacy policy of one of my subscriptions, Pandora (that's right, I don't use Spotify!).

This is what their email looked like:

It looks like the second, third and fourth items in the highlights list are due to CCPA. Now, let's take a look at how each of these is spelled out in Pandora's Privacy Policy.

The Privacy Policy is very in-depth, and a lot of work has gone into cataloguing every type of information captured and how each is used. As someone who implements Customer Data Architectures, it's not the Privacy Policy itself that interests me so much as the implications on effort and systems that come with it.

So here's the work behind the privacy policy, as I see it:

  • Sections 1 & 2 - Information we receive or collect from you or third parties. Significant analysis has gone on here to enumerate every type of data collected and every source it comes from.
  • Section 3 - Information Collection Technologies - cookies, beacons, pixels etc. This needs to be analyzed and spelled out for your own company: which tags and SDKs you run, and what each one collects.
  • Section 4 - How this information is used. Again this requires going down the rabbit hole of your data stack to see how each piece of data is actually used internally, not just how you assume it is.
  • Section 5 - How we share your information with others and what for. Every destination and vendor receiving user data has to be inventoried here.
  • Section 6 - Advertising and Measurement Settings. This covers opt-out functionality, which must be built into the Customer Journey so that the opt-out is offered, captured, and then consulted every time you decide whether a user can be included in a given audience segment. A preference that is captured but never checked downstream is not an opt-out.
  • Section 7 - Managing Your Information. Significant work is required here to provision cancellation and deletion processes that remove the user from every system they have already landed in, or de-identify their records where the data must be retained.

One legal requirement in CCPA that I don't see referenced there is the ability for a user to export their personal information in a readable, portable format. I wonder if this will come into play before January and it's just not ready yet. Regardless, the effort here is again non-trivial: it means being able to pull together everything you hold about one person from every system listed above.
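To make the systems work concrete, here is an illustrative sketch of the three operations the policy implies: an export of everything held about one user, an opt-out that audience building actually honours, and a deletion that removes the user from the account and advertising stores, de-identifies their analytics rows, and suppresses re-ingestion. This is an example added to this post, not Pandora's or Segment's code; the three in-memory "systems", the field names, the sample records and the `PSEUDONYM_KEY` are all constructed for the example.

```python
"""Three CCPA-driven operations across several systems holding the same user:
export, opt-out honoured in segmentation, and delete-or-de-identify.

Illustrative example added to this post, not Pandora's or Segment's code.
The stores, field names and sample records below are constructed."""
import hashlib
import hmac
import json

# Constructed sample data: three "systems" that each hold the same user.
PROFILES = {            # CRM / account database
    "u-100": {"email": "ana@example.com", "name": "Ana", "state": "CA"},
    "u-200": {"email": "bo@example.com", "name": "Bo", "state": "NY"},
}
EVENTS = [              # analytics warehouse, one row per event
    {"user_id": "u-100", "email": "ana@example.com", "ip": "203.0.113.7", "event": "play"},
    {"user_id": "u-100", "email": "ana@example.com", "ip": "203.0.113.7", "event": "skip"},
    {"user_id": "u-200", "email": "bo@example.com", "ip": "198.51.100.9", "event": "play"},
]
AD_PROFILES = {         # ad / measurement partner export
    "u-100": {"interests": ["jazz"], "opt_out_of_sale": False},
    "u-200": {"interests": ["rock"], "opt_out_of_sale": False},
}
SUPPRESSION = set()     # ids that must never be re-created by late-arriving data

# Assumption: a server-side secret, so the pseudonym cannot be recomputed by
# anyone who only holds the original id (e.g. a downstream vendor).
PSEUDONYM_KEY = b"rotate-me-and-keep-out-of-the-repo"


def pseudonym(user_id: str) -> str:
    """Keyed hash, not plain SHA-256: an unkeyed hash of a short id is
    trivially reversible by brute force, which is not de-identification."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def export_personal_data(user_id: str) -> str:
    """Right to access / portability: gather everything held about the user,
    system by system, as JSON a person could actually read."""
    bundle = {
        "user_id": user_id,
        "profile": PROFILES.get(user_id),
        "events": [e for e in EVENTS if e["user_id"] == user_id],
        "advertising": AD_PROFILES.get(user_id),
    }
    return json.dumps(bundle, indent=2, sort_keys=True)


def record_opt_out(user_id: str) -> None:
    """Section 6 style 'do not sell' opt-out, stored where the ad system reads it."""
    AD_PROFILES[user_id]["opt_out_of_sale"] = True


def build_audience(interest: str) -> list:
    """Segmentation consults the opt-out before including anyone."""
    return sorted(uid for uid, p in AD_PROFILES.items()
                  if interest in p["interests"] and not p["opt_out_of_sale"])


def process_deletion(user_id: str) -> dict:
    """Section 7 style deletion: delete where the data is not needed, de-identify
    where aggregate analytics must survive, and suppress re-ingestion."""
    report = {}
    report["profile_deleted"] = PROFILES.pop(user_id, None) is not None
    report["ad_profile_deleted"] = AD_PROFILES.pop(user_id, None) is not None
    alias = pseudonym(user_id)
    touched = 0
    for row in EVENTS:
        if row["user_id"] == user_id:
            row["user_id"] = alias      # row survives for aggregate counts only
            row.pop("email", None)      # direct identifiers go
            row["ip"] = None            # so do quasi-identifiers
            touched += 1
    report["events_deidentified"] = touched
    SUPPRESSION.add(user_id)
    return report


def ingest_event(row: dict) -> bool:
    """Every ingestion path checks the suppression list; otherwise a deleted
    user quietly reappears the next time a device syncs. Returns True if stored."""
    if row["user_id"] in SUPPRESSION:
        return False
    EVENTS.append(row)
    return True
```

The point of the sketch is the shape of the work, not the code: every system that holds the user needs an export path, an opt-out check, and a delete-or-de-identify path, and the suppression list is what stops a deleted user from being re-created by data that was already in flight.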

As an aficionado of productivity, I always want to find faster and better ways to do things. So what, you ask, are the best ways to do this?

Two toolsets come to mind here.

The first is a Customer Data Platform tool, such as Segment. In light of the latest privacy regulations, and the further regulations on the way across the country and the world, Segment has recently released its Privacy Portal. It's a nifty tool that allows you to categorize all the data flowing through Segment to your other systems. Before that, Segment had released GDPR functionality for handling suppression and deletion requests. Currently only a handful of Segment's destinations are able to process these, meaning you will still need other ways to implement suppression and deletion in the destinations that don't support them.

The second is a privacy-specific operations tool that covers a whole slew of functionality: part workflow, part automation and analysis, to cater to all your sprawling privacy needs.

Now, before you start banging your head against the wall, your company may not need to implement these requirements just yet. The CCPA applies to a for-profit business doing business in California if it meets any one of the following criteria:

  • Annual gross revenues above $25 million
  • You buy, receive, sell and/or share the personal information of at least 50,000 California consumers, households or devices per year
  • You derive at least 50% of your annual revenue from selling California consumers' personal information

Note the collective sigh of relief. Of course, most startups should be off the hook here. But it's important to move forward with an eye on these types of requirements, as more states and countries are coming on board with new privacy regulations. So, in my humble opinion, even if you're off the hook for January 2020, you should start putting a plan in place to set your company up for privacy regulation compliance.

If you'd like to discuss what this looks like for your company, please contact me here.

Please note: This blog post does not constitute legal advice and it is highly recommended that you receive separate legal advice.