The California Consumer Privacy Act (CCPA) is getting a lot of attention, and for good reason. The Act goes into effect January 1, 2020 and will impact a large number of businesses by requiring greater transparency around the collection, use and sharing of personal data from consumers.
At Wyng, our core value is to provide marketing solutions to our customers — and in doing so, we take our customers’ needs for consumer privacy and data security seriously. We are focused on helping our customers connect with consumers in meaningful ways, while protecting consumer privacy, securing consumer data and complying with the latest government regulations.
The following guide is designed to help our users understand and prepare for CCPA — specifically as it relates to their usage of the Wyng platform. For additional background on the role Wyng plays with respect to consumer data, see our Privacy and Data Security Hub and our Data and Security Primer.
Disclaimer: The information provided here is not intended as legal advice and should not be used to interpret CCPA regulations or determine their applicability to your business. Companies should assess their own data collection, storage and processing practices (including their use of Wyng), and seek legal advice to prepare for, and ensure compliance with, CCPA.
What is CCPA and Who Does it Affect?
The California Consumer Privacy Act (or AB-375) requires companies to be transparent about how they collect and use personal information, and grants new privacy rights to consumers.
CCPA applies to all companies that collect personal information from any California resident (even if the company has no physical presence in California) and meets at least one of the following criteria:
- Company’s annual revenue exceeds $25M
- Company buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices
- Company derives 50% or more of its annual revenue from selling consumers’ personal information.
Personal information is broadly defined as information that identifies, relates to, is capable of being associated with, or could be linked to a particular consumer or household. Among other things, this includes:
- Name, postal address, email address, account names, IP address, and similar identifiers
- Internet or other electronic network activity data, including browsing/search history, and information regarding a consumer’s interaction with a website, application, or advertisement
- Audio or visual information
- Information used to create a profile about a consumer, reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, abilities, and aptitudes.
CCPA grants new rights for the consumer whose personal information is being collected, giving them more control over who has their data and how it is used. These new individual rights include:
- Right to know what personal information about a consumer that a business collects, shares and/or sells
- Right to know the commercial purpose for collecting a consumer’s personal information
- Right to be informed of any changes to the personal information that a business collects
- Right to know the categories of third parties with whom personal information is shared
- Right to delete personal information
- Right to say no (right to opt-out) to the sale of personal information.
How Does CCPA Compare to GDPR?
CCPA is sometimes referred to as “America’s GDPR,” and the good news is that companies that are already GDPR compliant have a head start when it comes to preparing for CCPA. However, there are important differences between the two.
As it relates to usage of the Wyng platform, key differences between CCPA and GDPR are summarized below:
- CCPA targets the sale of personal information. Unlike GDPR which covers all types of data processing, CCPA is primarily concerned with companies selling and profiting off of personal information. As such, CCPA is bad news for the second- and third-party data marketplace, and good news for brands that prioritize first-party and zero-party data.While CCPA is primarily concerned with the sale of personal information, it does include provisions related to first-party and zero-party data that is not sold — specifically, the right for consumers to know the commercial purpose of collecting their information, and right to view and delete their personal data that has been collected.
- CCPA is based on an opt-out consent model. Unlike GDPR which requires businesses to obtain opt-in consent from consumers in order to collect their personal information, CCPA assumes consent is given when consumers (with the exception of children under the age of 16) engage and share their information directly with a brand.While the majority of Wyng users do not sell personal information (nor does Wyng), CCPA requires companies that do sell personal information to provide a clear and conspicuous link on their homepage, titled “Do Not Sell My Personal Information,” to another page that enables consumers to opt-out of the sale of their personal information.
- CCPA has some unique disclosure requirements. Like GDPR, CCPA requires businesses to disclose the personal information being collected and the purpose of collecting it. CCPA also requires businesses to notify consumers of their rights under CCPA in their online privacy policy. In addition, CCPA requires businesses to notify consumers of what categories of information are collected and shared with, or sold to, third parties. Unlike GDPR, businesses may not collect additional categories of data without providing consumers with an update notice.
- CCPA does not distinguish between Data Controllers or Data Processors. While GDPR differentiates between Data Controllers (i.e. brands using Wyng) and Data Processors (i.e. Wyng itself) and the obligations imposed on each, CCPA makes no such distinction and places all obligations on the brand.
There are other differences that extend beyond Wyng-related use cases and may be relevant to your business, especially if your business sells data. For a detailed comparison, see this comparative analysis from The Future of Privacy Forum.
As a User of Wyng, What are My Obligations Under CCPA?
Wyng specializes in providing technology to help brands collect and activate zero-party data at scale. Using the Wyng platform, non-technical users at brands and agencies can create mobile-first digital experiences, called “microexperiences”, designed to engage consumers and ask them questions via interactive visual elements and forms. The zero-party data that consumers self-report and freely share with a brand while participating in microexperiences is securely collected by the Wyng platform on behalf of the brand.
If your business uses Wyng to collect zero-party data, the following obligations may apply under CCPA:
- Disclose what personal information your business collects, and the commercial purpose for collecting personal information
- Provide a way for consumers to see what personal information has been collected about them, and request that it be deleted.
If your business shares or sells personal information with other parties, additional obligations apply, including:
- Disclose the categories of third parties with whom personal information is shared
- Provide a way for consumers to opt-out of the sale of personal information.
How Will Wyng Help My Business Comply with CCPA?
The zero-party data formula enabled by the Wyng platform is based on transparency, consent and trust, and is fully-aligned with CCPA and GDPR.
The Wyng platform makes it easy to disclose what personal information is being collected, how the information will be used, and any other terms relevant to the consumer — all at the point of data collection.
Wyng also supports multiple consent models at the point of data collection, including implied consent upon form submission, and explicit opt-out and opt-in checkboxes for consent. CCPA assumes consent is implied when consumers (over 16 years) participate in a microexperience, while GDPR regulations in Europe require explicit opt-in.
Here are two common examples of how Wyng can help your business comply with CCPA:
- For microexperiences that use forms to collect personal information from consumers, you can include information about the personal data being collected and how the data will be used. This information can be included directly within the microexperience itself, or by linking to a separate privacy policy. If your company mandates that your privacy policy be included as part of all digital experiences, you can configure the Wyng platform to enforce the mandate by automatically including a link to your privacy policy in all microexperiences. Similarly, you can include checkboxes on your forms to enable consumers to provide consent in accordance with your preferred consent model — opt-out or opt-in.
- For microexperiences that encourage consumers to share user-generated content (UGC) with your brand through social media, where you would like to display or distribute the UGC on other channels, it is a best practice to obtain opt-in consent from the consumer. You may obtain consent by commenting on the original post (and optionally including a link to detailed terms & conditions), and requesting that the consumer reply with opt-in consent. For example, commenting “Great photo! We’d love to share it on our site. Reply @yourbrand #YES if that’s OK.” gives the consumer an opportunity to provide consent as part of their reply.
In addition, to help keep your microexperiences secure and compliant, the Wyng Platform includes comprehensive privacy and security features and periodic audits to ensure the safe handling of personal consumer data globally, including automatic encryption of data in transit and data at rest, separation of data, OWASP compliance audits, and anti-malware scans.
Other Considerations for Businesses
Businesses will need to update their operational procedures to support the rights of consumers under CCPA — for example, by implementing a framework to accept, track, process and respond to requests from consumers to access and/or delete their personal information.
Businesses that sell personal information must also provide a way for consumers to opt-out of the sale of their personal information. Personal information will also need to be categorized to ensure no information on a resident of California is sold after their opt-out request.
The regulatory penalty for non-compliance with CCPA can be up to $7,500 per violation, while liability to an individual consumer is $750 per incident or actual damages, whichever is greater.
What Are the Benefits of CCPA for My Business?
With CCPA regulation primarily targeting third-party data, brands have an opportunity to leverage and benefit from zero-party data. Forrester agrees, noting in a recent report that in 2019, the industry will “say goodbye to third-party data” and shift toward data that consumers are sharing directly with the brands they interact with.
Benefits include:
- More Trusting Relationships with Consumers. By clearly communicating what personal information you brand collects and how it will use the information, and by getting informed consent, your brand is facilitating direct, open, honest engagement with consumers — building deeper, more trusting relationships. Moreover, giving consumers a way to see what information has been collected about them, and giving them the option of deleting information, helps to assuage any concerns about your brand and its relationship with them as consumers.
- Higher Quality and More Actionable Data. With CCPA on the horizon, many companies are lessening their reliance on third-party data, and shifting their focus to zero-party data instead. By focusing on zero-party data, you grow the size of your owned database by converting unknown audience members to known contacts, and you enrich the profile of each individual consumer with their unique preferences, needs, interests and other data points you seek.
- Improved Return on Advertising and Marketing Spend. By integrating and activating zero-party data across marketing, advertising and e-commerce touch points, brands can improve targeting, deliver more relevant content and offers, and personalize experiences and product recommendations — all proven techniques to boost return on advertising and marketing spend.
What Should I Do Now?
A good starting point in preparing for CCPA is to gather the current status of your company’s capabilities and compare that to the changes required by CCPA. Once you know what changes are required within your organization, you can map them to the months leading up to January 1, 2020. With careful planning and deadline-driven goals, you can make compliance a reality with time to spare.
Some things to consider while updating your processes:
- Familiarize yourself and your team with your responsibilities under CCPA, and determine who will be managing the data. Train employees on compliance issues and limit access to data.
- Identify where your current data has come from and ensure it has all gone through the proper consent channels. Seek zero-party data sources if your current sources are third-party.
- Create a plan to obtain consent and set up processes for those who wish to no longer give consent, and implement these processes as soon as possible.
- Stay up-to-date on the legislation as it evolves, and seek expert advice if needed.
