Let's talk


January 28, 2020 | Authored by: Vindicia Team

What does California's new data privacy law mean for your subscription business?

Today, January 28, is Data Privacy Day, also known in Europe as Data Protection Day. This internationally recognized day is dedicated to creating awareness about the importance of privacy and protecting personal information.

Ever since it went into effect in 2018, the European Union’s General Data Protection Regulation (GDPR) has caused a seismic shift in the way companies around the world manage and protect consumer data. GDPR established several detailed requirements regarding data processing, storage, and management. Those guidelines ranged from giving consumers more control over what data they share with companies to enshrining more specific guidelines on data breach response protocols.

It was only a matter of time before other governments began to follow GDPR’s lead and enact data privacy laws of their own that attempt to tightly control how customer data is gathered and used. The state of California is among the first to pass legislation that echoes GDPR, with the California Consumer Privacy Act (CCPA) sharing many similarities with the EU’s landmark regulation.

CCPA went into effect on Jan. 1, 2020, with enforcement beginning on July 1, 2020, so companies need to update internal processes and systems and comply with these new guidelines as soon as possible. Any subscription business that sells to California-based customers will need to abide by these regulations to avoid any penalties and continue operating in the state, the world’s fifth-largest economy. Here’s what you need to know.

What is the CCPA?

Although not quite as extensive as GDPR, CCPA contains several major changes in the way businesses are allowed to gather and manage consumer data. One of its overarching goals is to give consumers more control over the information they share with businesses. That means consumers will play a more active role in determining how their personal information is used by third parties, and if it’s used at all. A customer could choose to opt-out of any data-sharing agreements, and subscription businesses will have to comply with those requests promptly, including completely removing any customer information from their systems, a requirement known as “the right to be forgotten”.

CCPA’s scope is a bit narrower than GDPR’s, which applies to any organization that processes EU resident data. CCPA, meanwhile, targets any business that meets any of the following criteria and sells to California residents:

  • Brings in $25 million or more in revenue each year
  • Has access to personal data belonging to at least 50,000 people
  • Earns more than half of its revenue by selling personal data to third parties

Note that it doesn’t matter if a business is located in California or has any kind of physical presence in the state. That means a lot of subscription businesses are going to be affected by the new legislation.

Although CCPA went into effect at the start of this year, enforcement won’t begin until July 1, 2020. That may give a little breathing room for organizations to prepare, but many have already fallen way behind schedule. A PwC survey found that only half (52%) of companies were expected to be ready to comply with CCPA when it goes into effect. One-third (32%) believed they would be CCPA-compliant by the end of 2020, but there’s no guarantee they would make the July enforcement deadline.

What are subscription businesses responsible for under the CCPA?

Broadly speaking, the CCPA will allow customers to dictate what data of theirs can be collected by companies and shared with other organizations. To comply with every guideline listed in the law, subscription businesses will need to build in new controls and processes for managing consumer data, including:

  • Providing explicit notifications when collecting customer data.
  • Telling customers what specific data is going to be collected, how it will be used, and which parties it will be shared with.
  • Giving customers the ability to prevent personal data from being shared at all.
  • Offering customers the aforementioned “right to be forgotten.” Customers can choose to have their personal data completely removed from business databases and systems.
  • Treating all customers equally, regardless if they choose to opt-out of data collection programs differently. For instance, subscription businesses would not be able to offer financial incentives in return for data sharing, which would effectively charge nonparticipants more money for the same service.

Subscription businesses that sell to EU markets will likely have already checked many of these boxes since there is much overlap with GDPR. However, there are differences between GDPR and CCPA, so subscription businesses must be careful. The devil is in the details.

For example, under GDPR, businesses are not allowed to use pre-checked boxes for gated content to obtain consent. Consent must be opt-in rather than opt-out. But with CCPA, implied consent is still allowed, meaning that a pre-checked box is still compliant. Such differences in regulations can make it difficult for global businesses to comply with a single user interface.

How will CCPA affect subscription businesses?

Noncompliance is not a viable option for subscription businesses that sell to California consumers. Although CCPA’s penalties are far lower than GDPR’s punitive fines, they can add up fast. Companies that violate CCPA could be fined as much as $7,500 for each affected record.

That’s just the beginning of the financial cost of noncompliance. Because businesses that violate CCPA guidelines could also see their brand reputation tarnished, eroding customer trust.

And it’s not just about California. In the near future, companies that do not comply with forthcoming data security regulations may find themselves unable to work in other areas that pass similar laws in the near future. Other state governments are already working on data privacy laws of their own, and many will likely follow CCPA and GDPR’s example when carving out specific guidelines.

CCPA compliance prepares your business for new data privacy laws and regulations that may well be regulating in the future. You don’t want to fall behind with data privacy performance. The gap to close will only get larger. A “wait and see” approach is too risky. In addition, it opens up the possibility of expanding into new markets with robust data privacy regulations.

Finalize CCPA preparations without delay

CCPA is here, and affected subscription businesses are ideally nearing the finish line with their preparations. That being said, given how much work is required to comply with the latest data privacy laws, including updating existing business platforms and creating new data management controls, it’s perfectly understandable if compliance efforts are ongoing.

Not all organizations have the core competencies to tackle data privacy and regulatory compliance demands on their own. Working with a vendor that has extensive experience with both the subscription industry and data management regulations can help make compliance much easier, not to mention quicker to implement.

Vindicia’s team of subscription billing experts can help your subscription business comply with CCPA, GDPR, PCI, and other data privacy and security guidelines that you face. Don’t put off compliance any longer. Contact Vindicia today and take advantage of our expert guidance.

About Author

Vindicia Team

Vindicia Team

We value our subject matter experts and the insights each of them brings to the table. We want to encourage more thought leaders to come together and share their industry knowledge through our blog. Think you have something interesting to contribute as a guest blogger? Contact us at info@vindicia.com