Welcome to 2020; the California Consumer Privacy Act (CCPA), the state's new comprehensive data privacy law, is now in effect, and impacts companies far beyond the Golden State's borders.
As the California Attorney General intimated last month, his office might not immediately punish companies that "demonstrate an effort to comply," so if your marketing research and data analytics company is not up to speed, it is time to hit the gas pedal on compliance. While not every insights company is covered, most are, and even if not, your partners, vendors and clients likely will be.
The Insights Association's CCPA portal is the place to start.
CCPA requires extensive disclosure about data collection, use and sharing, and consumer rights to data access, deletion and opt out (from data sharing/sale). It also further expands penalties for data security breaches, punishable by private lawsuits. The Attorney General has wide latitude to enforce the law. The AG will issue final regulations (hopefully incorporating responses to some of IA's concerns) by the time CCPA becomes enforceable on July 1, but he will also not exempt compliance failures during the first six months of 2020, so the insights industry cannot sit on its laurels.
Consumer Reports is already out with an article encouraging Californians to flex their new CCPA rights by requesting a copy of their personal information, requesting that their data be deleted, and filing a second request for their personal information to verify what was deleted. The magazine recommends consulting the existing data broker registry in Vermont -- which applies to some marketing research and data analytics companies -- to find companies to target for requests since they "may also be operating in California," to start exercising their "Do Not Sell" rights, and to take advantage of their web browsers' "Do Not Track" settings, which may ultimately be required by regulations to be honored as a universal opt-out from sales of their personal information.
Via the CCPA Portal, you'll find a variety of compliance resources, such as our Model Unilateral CCPA Contract Provision for Vendors/Suppliers (a benefit exclusive to IA company members), a CCPA compliance webinar, some checklists and roadmaps, and deep dives on the law and changes made to it by various bills in 2019. Some of the technical aspects of compliance were further covered in our most recent General Counsel and Privacy Officer Forum and it may come up for more discussion in our next one on February 20.
The Insights Association is also exploring more webinars, model contracts and forms, and futher compliance information this year, while we will also remain engaged in California's legislative session as they consider more CCPA changes and perhaps even in the election cycle, as the voters consider a new ballot initiative to dramatically expand CCPA.
UPDATE: The AG put out a consumer advisory, reminding Californian's of their new CCPA rights.
This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.