Please note: This article is not intended to be a definitive CCPA information source. We recommend that you consult your IT services vendor or in-house IT leadership for full response data management planning.
What is CCPA?
Remember GDPR? Instituted by the EU in 2018 to help protect European Union consumers’ personal data, the General Data Protection Regulation rears its head every time a website tells you, “By using this site, you agree that we may store and access cookies on your device.”
The idea behind CCPA is the same: to comprehensively strengthen the privacy rights of California residents and bring greater transparency to customer data usage by companies.
“My B2B company isn’t based in California. What does CCPA have to do with us?”
Quite a lot. Your B2B company, no matter where it’s based, must comply with CCPA if it collects consumers’ personal data (which you do just by having a website), does business in California (ditto), and meets one of these three criteria:
- Your company’s annual gross revenues exceed $25 million.
- Your company buys or sells the personal information of 50,000 or more consumers, households, or devices.
- Your company earns more than 50% of its annual revenue from selling your customers’ personal information.
What specific personal information does CCPA govern?
As defined in the law, personal information, or personally identifiable information (PII), includes all the data that we’ve all come to understand as personal, private, and necessary to protect. That includes household and individual names; physical, email, and IP addresses; phone, passport, social security, credit card, and bank account numbers.
CCPA goes even deeper, also encompassing “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” So CCPA protects practically all information about your customers, including (but not limited to):
- Property records
- Internet activity related to your company’s website, apps, or ads
- Geolocation data
- Biometric information
- Employment and education information
- Behavioral or psychographic profiles based on your activity
- A wide-ranging category of “audio, electronic, visual, thermal, olfactory, or similar information”
Apart from medical records (which another statute covers), CCPA covers pretty much any type of personal consumer information you can think of.
What are my B2B company’s responsibilities under CCPA?
Unlike GDPR, CCPA does not require companies to report data breaches. Companies are nonetheless liable for damages in the event of data security lapses.
Additionally, CCPA governs only data that a consumer provides to businesses directly. Data from a third-party email list, for instance, is not within CCPA jurisdiction. This provision introduces a whole set of data governance challenges around data origin and sharing.
While GDPR largely concerns itself with consumer protection, CCPA gives more focus to consumer empowerment over personal data and privacy. CCPA ensures these five general rights for California residents:
- The right to know what personal information your business is collecting
- The right to know if that information is sold or disclosed, and to whom
- The right to opt out of the sale of personal information
- The right to access and obtain personal information
- The right to receive equal service and price, even if these privacy rights are exercised
Again, more data governance requirements for companies—plus the need for front-end mechanisms by which consumers exercise their new rights.
What should my B2B company do to comply with CCPA?
There are numerous customer-facing and internal IT initiatives involved in attaining CCPA compliance.
Consumer-facing actions include (but are not limited to) updating your privacy policies, including a “Do Not Sell My Personal Information” link and opt-out form, and creating methods for consumers to request access to their data.
Internal IT initiatives, in addition to the ongoing work of data protection, should include strengthened governance and record-keeping around data storage, data use, file management, and data sharing.
At StitchDX, we’ve helped clients with their customer-facing requirements around GDPR compliance and we’re geared up for CCPA. For back-end data management concerns, we encourage you to consult with your company’s IT service provider or IT leadership team to determine the necessary course of action for your B2B company.
Finally, is CCPA compliance worth it for B2B SMBs?
Let’s suppose you know confidently that, at least for now, you’re off the hook for CCPA. Keep in mind that California is often a bellwether, and that numerous other states are considering similar legislation as of this writing.
(And on the national level, “There is bipartisan support for this sort of thing in Congress,” according to Michael Nadeau, Senior Editor at CSO online.)
My answer to “is it worth it?” is, “if not now, then soon.”
The drumbeat for greater consumer protections is only getting louder. We’re guessing that individual states will avoid “reinventing the wheel” as much as possible, using CCPA as their test case. The sooner you make and execute your CCPA compliance plan, the sooner you’ll position your B2B company to respond to new privacy legislation as it happens.