Guest post by Jake Fabbri, CMO at Fonteva
The California Consumer Privacy Act (CCPA) is a bill that was passed in California earlier this year with strict data protection provisions akin to the General Data Protection Regulation (GDPR) in the European Union. Taking effect on January 1, 2020, the CCPA will have sweeping regulations for companies that have customers or members in California and meet at least one of the following criteria:
- Over $25 million in annual revenue
- Buy or share personal information about 50,000 or more consumers
- Generate half or more of their total revenue by selling consumer information
Under the law, consumers are entitled to certain rights regarding their personal data. These include consumers’ capacity to:
- Be aware of what data is collected
- Reject the collection of their data and have the ability to opt out
- Receive a copy of the data collected from them
- Reject the future sale of personal data
- Request the deletion of their data
- Be made aware of what categories of their data are being sold
What is required for compliance with CCPA?
Companies with one or more consumers residing in California can be subject to the penalties associated with the law. These penalties include a $2,500 fine for an unintentional breach of the law and a $7,500 fine for an intentional breach, in addition to up to $750 in compensation for consumers for each incident (or more if the damages can be proven to exceed $750).
To comply, organizations should establish a process for handling any requests associated with the consumer rights established by the law. With this in mind, it is crucial to understand which systems consumer data resides in, the nature of the information, and the intended use for the data. If an organization is audited for compliance, it is important not only to demonstrate the ability to quickly access consumer data, but also to show that internal data governance procedures are configured for compliance and scalability.
In addition to potentially transitioning technology from separate systems to one that’s more unified, supporting compliance requires that processes be established (and even standardized across the organization), with training for staff on how to respond to consumer requests.
How CCPA affects associations
For associations, compliance hinges on the people, processes, and technology that support how any CCPA requests are handled. Without trained staff, established processes, and supportive technology to enable operations, compliance can be more difficult to achieve.
Associations with any portion of their membership or customers residing in California will be required to comply unless they do not meet any of the three criteria listed above. Personal information about employment, education, and addresses (physical and virtual) is subject to the law. More important to note, however, is the inclusion of online activity. For engagement tracking, scoring, and other initiatives, it is particularly important for associations to have a clear plan to deliver the full picture of every piece of data collected to facilitate compliance.
Additionally, any member-facing staff must have both the processes and technology that enable them to quickly and easily respond to any requests. If they are not already in place, building data compliance processes is something that all associations should have as part of any future planning initiatives. It is also important that associations prepare to evaluate and understand how their existing technology stack may help or hinder required data compliance efforts.
Associations that have embraced platform solutions such as Fonteva may even find ready-made tools that support data security and compliance efforts. The Salesforce AppExchange features applications like Cloud Compliance, which is designed to provide effective and easy ways to ensure both CCPA and GDPR compliance.
Only Fonteva offers associations access to the full Salesforce AppExchange, including tools for CCPA compliance.
Resources for CCPA compliance:
Californians for Consumer Privacy
CCPA vs. GDPR Requirements from CapGemini
For more information on this important subject, join ReviewMyAMS and Fonteva for a free joint webinar taking place on September 12th at 2:30 pm EST. We will discuss the details of this new legislation and ways associations can best prepare themselves. Register now!