Determining your need for compliance
Before all else, a company needs to determine whether or not it actually falls within the scope of the CCPA. When the GDPR was first announced, many non-EU businesses thought they were outside its purview: “We aren’t based in the EU and don’t have a sales or marketing office there, so we’re exempt.” That was a mistake, though one that, fortunately for them, hasn’t been reflected in fines or other penalties for non-compliance – yet.
In the case of the CCPA, the stated thresholds for company size and the amount of data handled make it easier for some enterprises to recognize whether or not they should comply. However, there are finer points of the law that may sting a company that isn’t paying attention to how its marketing team, its outside agencies and vendors, and its consumer engagement practices are gathering data.
For instance? As currently drafted, the CCPA protects the information of California residents, and its rules apply even when they’re outside the state line. So even if you’ve cleverly geofenced a mobile website so that it only gathers data from a Los Angeles resident while s/he’s on a junket to Vegas or New York, you’re still in violation.
This means auditing all the campaigns, websites, social channels, and other engagement tools in your company’s inventory to understand whether they meet all the requirements of the CCPA. It also means embedding CCPA compliance in your business processes – but more on that in a future post.