As most of you will already know, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. What you might not know, however, is what exactly this means for you as a Community Manager, and the impacts it will have on your community and your practices.
Before I jump in, I just want to make it clear that we are not lawyers, and that this post is not legal advice. Make sure that you look beyond this blog and actually consult with a lawyer if you are seeking legal advice.
That being said, I want to take the time to discuss what exactly the CCPA is, and what it means for those in the community space.
Firstly, the CCPA is a major privacy law that, although enacted in the state of California, will have global implications. Essentially, any organization either doing business in California, or collecting personal information of Californian consumers, will be subjected to this law. That being said, this law will be difficult for organizations to ignore since California is the most populous state in the USA and would be considered the 5th largest global economy, if California were a country. Many businesses have a stake in the Californian market, which means that this is a law that businesses across the globe have to consider.
The effects, however, will likely go beyond this. As Niki Vecsei Harrold, the Director of Communities Strategy at Transamerica says, “a lot of American companies will be adhering to this legislation, even though it’s only protecting Californian consumers today, because companies know that this is the beginning of the federal legislation.” Ultimately it is predicted that the CCPA will set the standard for any future privacy legislation to come.
What Does the CCPA Do?
The CCPA is essentially a spin-off of the European GDPR. It legally applies to any “business” that does more than $USD 25M in revenue, holds more than 50,000 consumer records or derives 50% of its income from selling consumer information. The CCPA gives consumers to several privacy rights, including:
The right to request the specific categories of information a business collects upon verifiable request
The right to say “no” to the sale of personal information
The right to delete their personal information
The right to equal service and price, even if they exercise their privacy rights
The right to request a read-out of what personal data the company has and how they acquired that information
With more and more jurisdiction adopting data privacy laws, compliance is a must. With that being said, community managers should proceed carefully when dealing with personal data of community members.
What Should I Do To Ensure Compliance?
Now, there are a number of compliance steps that we recommend you take, although again, I want to make it clear that this isn’t legal advice. That being said, here are some things that you can do to help ensure that you’re adhering to the CCPA:
Make sure that community members have at least two ways of contacting you about privacy related requests.
Make sure that you have agreements with vendors (such as Vanilla) that cover data privacy and make sure your vendors are taking appropriate measures to ensure data security. On that note, I’d like to let you all know that Vanilla has already taken the necessary measures and we are CCPA compliant.
Make sure that all community managers and other staff that might receive a privacy inquiry are trained to know how to handle it.
Ultimately, community managers that went through a compliance exercise for GDPR should find that they are well prepared CCPA, but will still want to review the legislation. I would recommend taking a look at this chart created by Baker Law, which outlines the differences and similarities between the CCPA and the GDPR. This chat may help dispel any questions or concerns regarding the CCPA, especially if you have already been working towards being GDPR compliant. More specifically, the “comparison” section of the chart will indicate how similar the tenants of these two laws are, which will provide valuable pointers on what you need to do next.