How the California Consumer Privacy Act (CCPA) Will Impact Your Business

Marketers, developers, and businesses everywhere that rely on consumer data are about to be hit with one of the most substantial challenges we’ve yet seen to the collection and use of an individual’s information.

In this guide, we’ll explain everything you need to know about the California Consumer Privacy Act, why organizations everywhere (Yes, even outside of California and the U.S.!) need to sit up and take notice, and why a headless CMS is the best place to start when it comes to gaining CCPA compliance with this and future privacy protection measures.

What Is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act of 2018 (often shortened to “CCPA”) is a bill that was approved by the governor of California in 2018 and is slated to take effect January 1, 2020.

The CCPA aims to help private California citizens control the personal information that businesses collect about them online. In much-abbreviated terms, it gives Californians the right to:

• Know exactly what personal data a business has collected about them
• Know if this personal information is being sold or disclosed—and to whom
• Deny the sale of their information
• Access any of their personal information that the business has stored
• Receive the same pricing and level of service that individuals who haven’t acted on these privacy rights enjoy

Legal, for-profit entities that do business in the state of California and collect consumers’ personal information will be required to abide by the CCPA if they meet one or more of the following criteria:

• Have annual gross revenues totaling at least $25 million
• Buy, receive, sell, or share personal information from 50,000 or more consumers, households, or devices
• Make the majority of their annual revenues from selling personal information

The CCPA gives California citizens the right to sue companies that violate their rights for damages and also allows the state itself to bring charges. Businesses may be hit with $7,500 fines for each violation that hasn’t been addressed after 30 days.

Businesses All Over the World Will be Impacted by CCPA

Why should organizations outside of California care about this legislation? Because just like the GDPR before it, the CCPA will impact companies well outside the area where it originated.

Over 39 million people live in California. That’s 12 percent of the entire population of the United States. Thanks to the technology and entertainment industries, California’s economy generates $2.7 trillion—making it the fifth largest economy in the world.

Like it or not, there’s almost no business on the planet that can be sure it isn’t going to collect data from California-based consumers. And thanks to the wording of the law, that could easily hold them accountable to the rules (and fines) outlined in the CCPA.

Why Data-Reliant Marketers and Businesses Can’t Afford to Ignore the CCPA

The vast majority of marketers rely on consumer information to power their campaigns, their digital experiences, and ultimately, the growth of their entire organizations. That’s why the CCPA is going to put a significant cramp in their style if they aren’t ready for it to take effect in 2020.

The substantial obligations imposed by the CCPA may prove quite challenging for marketers and organizations that collect and leverage personal consumer data for everything from analytics to segmentation, advertising, email marketing, and beyond.

Aside from the creative reimagining of marketing practices that it’s sure to precipitate, the CCPA is also a signal to data-driven organizations, websites, and marketers everywhere. It’s a signal that more and more governments are starting to take their constituents’ online privacy quite seriously.

California won’t be the last public institution to crack down digitally—especially if more scandals like Cambridge Analytica (which prompted the creation of the CCPA) surface.

Businesses must tighten their practices when it comes to gathering personal information so they can achieve compliance, mitigate risk, and minimize disruption; paying particular attention to getting permission to collect this data, informing consumers what their information will be used for, and making sure it’s secure yet accessible.

Addressing the challenges that the CCPA presents will require innovative and advanced solutions that start at the center of your digital experience.

Where to Start on the Road to CCPA Compliance: Content Management

Getting compliant with the CCPA may eventually call for a complete overhaul of your tech stack, so a great place to start is at the core of that stack and the heart of the digital experience—the content management system (CMS).

Here are some essential functions your CMS should be prepared to handle to keep your business on track when CCPA, and similar data privacy laws, go into full effect:

Unique Consent Management and Careful Validation

Bundled consent no longer cuts it. Under the CCPA, your CMS must be able to deliver consent forms that are unique to each data-gathering instance—and able to automatically recognize when consent for a specific data-gathering activity has not yet been completed.

Ideally, the CMS will offer double opt-in in which a consumer must respond to a link sent via email to fully validate their consent to information collection.

Portable Consumer Profiles—Complete with Consent Records

Under the CCPA, a fine of $7,500 can be leveraged for every privacy violation claim that isn’t addressed within 30 days. That means you want your CMS to be able to integrate with a best-in-class customer relationship management (CRM) platform to store all of a consumer’s important personal information in one easy-to-access spot.

Should a consumer want to access, remove, or have you share the personal information you have on them, you want a CMS that makes it easy to find and port their info—including a complete history of the data-collection consents they’ve provided.

A Thorough “Right to be Forgotten” Process

“Right to be forgotten” refers to a consumer’s right to ask that you remove all of their applicable information from your system. And given the complexities of collecting and storing consent—that sensitive data may live in a lot of different places.

You want your CMS to be able to track and remove all pertinent data while still recognizing which information is exempt from a request to be forgotten. Furthermore, you should strive to alert third parties with whom you’ve shared this information that the consumer has asked for it to be removed from the internet.

Detailed Permission Levels

With data privacy being the overarching goal when it comes to the CCPA and similar consumer information protections, permission settings that keep a tight lid on who within your business can access and manipulate consumer info are paramount.

Flexible Architecture

Because no two businesses operate the same way, there is a vast array of approaches to handling compliance with CCPA and other data privacy laws.

This is why a flexible, customizable architecture is the most important feature to look for in a CMS.

It’s time to decide. You can either invest in a development team that’s able to work around the clock to build out a completely custom CMS—which would be taking a step backward in the evolution of content—or you can adopt a highly-extensible, headless CMS that’s capable of flexing to incorporate all the compliance-enabling software you need.

When it comes to keeping up with GDPR, CCPA, and all the personal data privacy laws that are sure to crop up as we live more of our lives online; building your consumer experience upon the flexible architecture of a headless CMS will be the only way to stay legal and fine-free without starting from scratch each time.

Ready to learn more about headless CMS? You’re in the right place. Brush up on the history of content management before diving into the complete guide to headless CMS and how to choose one for your organization.