The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, and enforcement begins six months later, on July 1, 2020. The act was passed to give California consumers, many of whom have been affected by a data breach or fear one, more control over the personal information that businesses collect about them. You may be affected if you do business in California, or have customers or even potential customers there, and the effect is likely to reach other states as well.
Why was this necessary? The obvious answer is the number and scope of recent data breaches: Facebook's 2018 breach of 50 million accounts, and again in 2019, when 540 million Facebook user records held by third-party app developers were found exposed on Amazon cloud storage. A Capital One breach exposed 106 million customer records, and the Equifax breach compromised personal information on 147 million accounts.
How Do Companies Collect Consumer Data?
Let’s start with the acknowledgement that almost every enterprise uses some kind of Customer Relationship Management (CRM) system for customers and prospects. You might think that CRM is used primarily by the salespeople, but it can also be used by customer service, vendor and supply-chain management, recruiting, marketing, and repair and warranty service. The CRM allows the enterprise to build a profile of the customer, most likely to find ways to sell even more products or services to them.
You could even enhance this profile by collecting data across multiple sources and channels: the customer's website (news about the company's activity), email, telephone, and social media activity (personal details about likes and dislikes, or what they are saying about you and your competitors).
In theory, CRM should provide a common platform for customer interaction, so you can respond promptly and accurately to the customer and offer the right support at the right time. It can even be used to coordinate accounting and billing, and perhaps document signing. CRM is a powerful tool if used correctly, but obviously the data has to be properly safeguarded. CRM used to be just for very large enterprises, but increasingly independent software vendors (ISVs) and software providers are building CRM into their general ledger software, alongside time and attendance, inventory management, scheduling, and the other components of running a business.
Fortunately, it is easy to figure out if you will be affected. If your for-profit business collects personal information from California residents and meets just one of these criteria, you are affected:
- Your organization or company earns 50% or more of its annual revenue from selling personal information about consumers.
- Your annual gross revenue is greater than $25 million.
- Your organization buys, receives, shares, or sells the personal information of 50,000 or more consumers, households, or devices per year.
Even if you think this does not apply to you, you should know the consumer rights defined by the act, which fall into five high-level categories:
- Consumers have the right to opt out of a business selling their personal information to a third party.
- Consumers can request that a business delete the personal information it has collected about them (subject to certain exceptions).
- Your business must inform consumers, at or before the point of collection, what categories of personal information it collects and for what purposes.
- Consumers have the right to know what personal information a company has collected about them. This includes where the data came from, how it is used, and which third parties it is shared with or sold to.
- A business cannot charge a consumer a different price, or refuse or degrade service, because the consumer exercised their privacy rights.
What should you be doing now to protect yourself under this act?
First, inventory what personal data your company collects today and what you do with it. Next, understand your current privacy controls. Then, assess your ability to manage and safeguard the data going forward, so that you can meet CCPA requirements. Finally, put some kind of ongoing monitoring in place to verify that you remain compliant.
At CrossCheck, one of our primary merchant segments is new car dealers, whom we help sell more cars. Our dealers know they need to comply with the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission's (FTC) Privacy Rule, which obligates the dealer to disclose to their finance, lease, and insurance customers how they use and share consumer information. Dealers are required to comply because of their financing activities.
The FTC's Safeguards Rule requires dealers to assess their data and information controls and take steps to protect customer information from misappropriation, alteration, and tampering.
In addition, the FTC's "Red Flags" Rule requires a written identity theft prevention program that provides for the identification, detection, and response to patterns, practices, or specific activities, known as "red flags," that could indicate customer identity theft. Dealers must also ensure that their third-party service providers maintain appropriate safeguards for the customer information that dealers share with them, such as call center services and firms that link dealers with their internet-based customers.
Final Words on the California Consumer Privacy Act
It's just a matter of time before the California Consumer Privacy Act affects your business. This is a very serious subject, and consumers, regulators, and lawmakers are all taking it seriously. At CrossCheck, we have always taken our responsibility to safeguard customer data seriously. Today, because we are a licensed, registered, and bonded collection agency in all 50 states, we are subject to extremely strict regulatory and compliance standards for safeguarding customer information, and we have never had a compromise or breach in our entire 37-year history!