California Consumer Privacy Act and Nogin
Marketers and brands are just a few short days away from dealing with the new California Consumer Privacy Act, which will go into effect January 1. The law is the most comprehensive data privacy law in the United States; it enumerates new consumer rights regarding the collection and use of personal information, along with obligations for companies that trade in such information.
The general intent of the law is to let consumers easily opt out of data collection services. For instance, the law will require an “opt out button” on every page of a website, which will allow consumers to easily notify companies that they do not wish their data to be collected or sold, and it will additionally allow them to delete any data that has already been collected. The new law will significantly restrict how brands collect and manage consumer data, which has fueled digital advertising for years.
The CCPA includes the following key requirements:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request that their data be deleted;
- Consumers have a right to opt out of the sale or sharing of their personal information; and
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
One of the benefits of working with Nogin is that we help ensure all our clients remain compliant with the latest consumer protection laws. Nogin has always taken consumer data seriously, and although we recognize some of the difficulties this may cause for many of our brands, we have been preparing for the change to take effect since the bill’s passage in 2018. We have a complete team of data protection specialists working to ensure our CCPA readiness is established.
For more information regarding the California Consumer Privacy Act please visit https://oag.ca.gov/privacy/ccpa
Quick Fact Sheet:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
- The right to delete personal information held by businesses and by extension, a business’s service provider;
- The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
This only applies to certain businesses
- Businesses are subject to the CCPA if one or more of the following are true:
  - Has gross annual revenues in excess of $25 million;
  - Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
  - Derives 50 percent or more of annual revenues from selling consumers’ personal information.
- As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.
- Businesses subject to the CCPA must provide notice to consumers at or before data collection.
- Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete.
- For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
- Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes.
- As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
- Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
- As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out.
- As proposed by the draft regulations, businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
- As proposed by the draft regulations, businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
  - In addition, businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.