All You Need to Know About the California Consumer Privacy Act (CCPA)

As of January 2020 a new consumer privacy act is in place, affecting all California consumers and companies that do business or provide services to them. The California Consumer Privacy Act (CCPA) has a broader understanding of what falls under the “private data” category and sets out stricter and more elaborate restrictions in regards to that compared to the TCPA regulations.

If you send text messages or do any other type of business with California-based customers, continue reading to understand how this law may affect you. We recommend you advise with your lawyer on the necessary changes needed in your Privacy Policy and Terms of Service so you abide by those regulations.

What is the CCPA?

According to CCPA, it’s every California user’s right to demand a report of all the personal information a company has collected on them, and a list of all third parties this data is shared with (if any). If customers deem this as a violation of their privacy, the CCPA allows them to file a class action suit against the violator, even if an actual breach is not reported.

How Does the CCPA Define “private data”

In many aspects, CCPA is similar to GDPR, the data protection regulation in Europe. Some say that if a company is compliant with the GDPR, then it's basically just a couple of steps away from fully abiding by the CCPA.

Here is a full list of what is considered private data by the CCPA, as per Section 9, subsections O(1) and O(2) of the Senate Bill-1121:

• Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers

• Characteristics of protected classifications under California or federal law

• Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies

• Biometric information

• Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement

• Geolocation data

• Audio, electronic, visual, thermal, olfactory or similar information

• Professional or employment-related information

• Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)

• Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

Now that we’ve given you a complete overview of what constitutes “private data”, let’s take a look at two other areas of the CCPA that are of particular interest to businesses: how does it define “selling” of personal information and how to stay compliant with both TCPA and CCPA in the event of data deletion.

Definition of “Selling” Under the CCPA

CCPA has a rather broad definition of “selling” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

What this means is that even if there is no exchange of personal data where parties might benefit financially, “selling” could occur even when companies are sharing private information with third parties for any reason at all.
 

Keeping Records of Personal Information

According to the TCPA, the main act which is the main act which restricts telemarketing communications via voice calls, SMS texts, and fax, no company can contact US-based customers unless they have their prior written consent to do so, and a record of such data. In the case where customers request their information be deleted but haven’t opted out from receiving text marketing, the two acts could come in clash.

For those who have given their consent to receive text messages but then opted out to have their data “sold”, businesses could deny to delete the records in order to abide by the legal TCPA obligation to maintain an internal “Do Not Contact” list, citing the “comply with legal obligations” provision in the CCPA (Section 2, d(8)).

What Can Companies Do to Be Compliant with the CCPA

The CCPA gives complete guidelines on what businesses can do to respect the CCPA and all users who fall under it under Section 8.

Among those guidelines are to give customers an explicit opt-out option on the company website and in the Privacy Policy, where they can deny companies to “sell” their personal data. The opt-out should not, however, require users to make an account.

In the event where companies use third parties for text marketing purposes (or any other marketing reasons), they should explicitly say so in their privacy policy, and give complete information on who their vendor is. This again coincides with the requirements of GDPR so you can refer to our proposed GDPR texts.

If a customer does choose to opt out, according to the CCPA companies should refrain for at least 12 months from requesting that they authorize the sale of the consumer’s personal information.

How Does it Affect You?

All in all, the CCPA ensures that all California users’ private information is treated with extra care, and aims to limit any occasions where their privacy might be breached or their data - tampered with.

As such, the CCPA affects all businesses which, in any way, communicate with California customers, including text marketing, and will give customers more ways to have control over who has access to their personal data.

This post is purely informational for SMSBump users. Nevertheless, California consumers may make a request pursuant to their rights under the CCPA, by contacting us at support@smsbump.com or use this request form. We will verify your request using the information associated with your account, which might be your email and phone number. Government identification may be required. SMSBump customers can also designate an authorized agent to exercise these rights on their behalf. For more information regarding the way SMSBump handles your private information, see our Privacy Policy.