CCPA

CCPA & CPRA – A Consumer Privacy Primer

John Clauss — Wed, 08 Feb 2023 23:40:23 +0000

CCPA & CPRA – A Consumer Privacy Primer John Clauss Wed, 02/08/2023 - 18:40

A Pew Research Study found that 79% of Americans were “Very” or "Somewhat" concerned about how their personal data is being used by companies. And 81% felt they have "Very little" or "No" control over the data that companies collect about them.

This growing consumer concern combined with a string of high profile data breaches in the late 20-teens led the California legislature in 2018 to pass the California Consumer Privacy Act (CCPA), a suite of consumer privacy rights that regulates the collection and sale of personal information. In November of 2020, less than a year after the CCPA went into full effect, California voters passed Prop 24, the California Privacy Rights Act (CPRA) that significantly expands and clarifies the CCPA. This amendment has now just gone into full effect as of January 1, 2023.

Marker Seven advises all our clients, and anyone who is affected by this legislation to check with their legal teams and, in particular, to make sure to evaluate your public facing websites both for compliance, and for ways your website can help meet CPRA requirements.

Here is a brief summary of the changes and additions to be aware of in the CPRA:

Under the CPRA, businesses affected are those that:

Do business in California and meets any of the following:
- Have a gross annual revenue of over $25 million;
- Buy or sell, or share the personal information of 100,000 or more consumers or households; OR
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

This slightly revised definition tightens up the language to close a loophole used by businesses who claimed that they were not bound by the law because they only shared, not sold, their gathered data with vendors. (See subdivision 1798.140(d) for complete definition)

The CCPA created six specific rights for consumers who are California residents:

The right to know
The right to delete
The right to opt-out of the sale of personal information
The right to opt-in to the sale of personal information if consumer is under 16
The right to hold businesses accountable in the case of a data breach

The CPRA added two additional rights:

The right to correct inaccurate information
The right to limit use and disclosure of sensitive personal information

(See Section 3(a) for list of Consumer Rights)

Sensitive information is also newly defined in the CPRA and includes data such as:

Legal or governmental ID (Social Security numbers, Passport numbers, etc.)
Financial account information
Location information
Racial, political and Religious affiliations
Personal contact information (address, email, text# etc.)
Genetic data

The CPRA also includes several items meant to close loopholes and remedy confusions in the CCPA. The CPRA:

Defines the compliance requirements of contractors who use personal information
Closed a loophole and clearly states that targeted advertising is not included in the “business purpose” exception laid down by the CCPA
Allows businesses to offer perks to shoppers signed up for loyalty clubs or rewards programs
Allows businesses to charge people different prices based on their privacy choices IF and only if “that difference is reasonably related to the value provided to the business by the consumer’s data.”

Is your website ready? Marker Seven has extensive experience helping businesses understand and implement website updates and features that resolve legal compliance issues. We are experienced engineers and UX designers and have worked with companies and legal teams of all sizes. Contact us today to learn how we can help you.

Thumbnail Image

privacy2_thumb2.jpg

CCPA

CPRA

Privacy

The Rules Have Changed - Consumer Privacy in 2023

John Clauss — Mon, 06 Feb 2023 23:35:14 +0000

The Rules Have Changed - Consumer Privacy in 2023 John Clauss Mon, 02/06/2023 - 18:35

On January 1, 2023 the California Privacy Rights Act (CPRA) went into full effect. Known as Prop 24 on the November 2020 California ballot, the CPRA is best described as an amendment that significantly expands and clarifies the 2018 California Consumer Privacy Act (CCPA ), a suite of consumer privacy rights that regulates the collection and sale of personal information.

You can view the complete text of the CPRA here.

Marker Seven serves clients from all kinds of businesses whose websites serve customers in California and are impacted by this landmark legislation. If you are concerned that your business and your website are also affected, here are several questions that you should have your own legal team answer. Now is the time to make sure your website is ready.

Who does this law apply to? According to the CPRA, a liable business is any for-profit entity that collects, shares or sells California consumers’ personal information and meets at least one of the following criteria:

Has a gross annual revenue of over $25 million;
Buys or sells, or shares the personal information of 100,000 or more consumers or households; OR
Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

(See subdivision 1798.140(d) for complete definition)

This leads to an obvious follow up question: What data counts as personal information? In a nutshell, “personal information” is any piece of data that identifies, describes or could be reasonably linked to a particular consumer or household. (See subdivision 1798.140(o)(1) for complete definition)

So, what does the CPRA (in combination with the CCPA) mean for businesses that gather customer data?

The CPRA describes The Responsibilities of Businesses here. Several center around an “easily accessible means” for consumers to exercise their privacy rights. For many businesses, the most easily accessible means of reaching their consumers is through their website.

Here are some questions to ask when evaluating your website:

Are you collecting more information than you need? Web forms and customer registration forms cannot simply gather information for the sake of gathering it. You can’t ask a customer to report their shoe size if you sell hair color products, for a silly example. Review your forms and make sure that every field has a clear, customer-oriented reason for being filled in. More detail is provided in the Responsibilities of Businesses.

Do you have an up to date Privacy Policy? Transparency and trust are a key goal in the legislation’s intent. To that end, the CPRA specifies several notification requirements including, but not limited to, content that:

Informs consumers of their rights
Informs consumers of the kinds of personal information you have collected, or disclosed or sold to others
Discloses how long you keep personal information or explains the criteria by which you use to determine how long it is kept
Tells consumers how to contact you for privacy requests such as deleting or correcting information

A very common method for communicating this type of notification is in a Privacy Policy that is published prominently on your website. Once you and your legal team create the content that meets CPRA requirements, Marker Seven can implement the content in the best way for your customers.

How will your customers control their information? The CPRA grants consumers the right to control their personal information, including limiting its use and preventing its disclosure to others. Meeting these requirements will look different for every business and will depend largely on internal business practices and the kind of information needed, gathered, and used.

If you gather information on your website, you may need to build “opt-out” functionality into your workflows, or include additional links to information about how to do so, for example. Marker Seven can work with you to design a satisfying user experience that meets your compliance requirements and works with your internal processes.

(See Section 3(a) for list of Consumer Rights)

How will your customers make personal data requests? The CPRA requires businesses to respond to consumers who have requested information about, or corrections to, any personal data that you store. Similarly, you must delete consumer data if requested to do so and direct any service providers you use to delete as well. (There are several exceptions to this rule, however, so be sure to seek legal counsel if you do not wish to – or cannot – comply.)

It further specifies that consumers “should be able to exercise these options through easily accessible self-serve tools”. (see Consumer Rights above)

Just like opting out, you will need internal processes and resources to fulfill requests and comply with consumer privacy preferences. But, having your website provide that first point of “easily accessible” contact for making privacy requests can save you customer support hours and prevent customer frustration.

Is the data safe? The CPRA requires businesses to “take reasonable precautions to protect consumers’ personal information”. While this is just good common sense, the California legislation gives consumers and the government additional avenues for holding data holders accountable if personal information is leaked or stolen. So it’s good business sense, too.

Marker Seven has extensive experience helping businesses understand and implement website updates and features that resolve legal compliance issues. We are experienced engineers and UX designers and have worked with companies and legal teams of all sizes.

Resources:

California Consumer Privacy Act of 2018 (CCPA) – Office of the California Attorney General
The California Privacy Rights Act of 2020
Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information – Pew Research Center

The Rules Have Changed- Consumer Privacy in 2023

Happy New Year! Are you CCPA Compliant

Thumbnail Image

Happy New Year! Are you CCPA compliant?

John Clauss — Wed, 08 Jan 2020 18:30:00 +0000

Happy New Year! Are you CCPA compliant? John Clauss Wed, 01/08/2020 - 13:30

Updated information as of January 2023:

The Rules Have Changed - Consumer Privacy in 2023

CCPA & CPRA- A consumer Privacy Primer

January 1, 2020 was the deadline for multimillion-dollar, global companies conducting online business in California to adhere to the California Consumer Privacy Act (CCPA). Due to its similarity to EU’s General Data Protection Regulation act (GDPR,) it has been affectionately termed “America’s GDPR,” and it puts companies at risk of fines/penalties ranging from $100 to $7,500 per violation.

With concern on the rise over data breaches and sellers of personal data hitting record highs in 2019, California is the first state to act on the heels of GDPR to bring an extra layer of privacy protection to its residents data with a potential cost to corporations of approximately $467 million, according to the California Dept. of Justice CCPA fact sheet.

According to the fact sheet, businesses that are targeted by this law will have at least one of the requirements below:

Having gross annual revenues of $25 million or more
Buys, receives, or sells the personal information of 50,000 or more consumers, households, OR
Derives 50 percent or more of annual revenues from selling consumers’ personal information

Pew Research recently conducted a survey to discover how “American’s think about their privacy and the vulnerability of their data,” and they found that seven-in-ten Americans “feel their personal information is less secure than it was five years ago.” There is a general consensus that many more states will follow California’s lead and many companies are getting prepared for this.

What You Should Know

Here at Marker Seven, we have been helping our clients to implement changes to their privacy policies and cookie scripts this past December in preparation for the deadline at their request and per the advice of their counsel. Even though these companies were already GDPR compliant, there were enough differences forcing additional changes to their company policies.

The PwC Network has put out together a brief CCPA “Readiness Roadmap” to help guide companies and give them a basic understanding of the key similarities and differences between the two sets of regulations.

We have included some additional links below that can guide you during this process, but you can also contact us for more information.

Additional Resources:

Thumbnail Image