The purpose of this guide is for general education and not for legal advice. For questions about how your business specifically should comply with the California Consumer Privacy Act, you should seek legal counsel.
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a privacy law that went into effect on January 1st, 2020, intended to give consumers control over their personal data. Deemed GDPR Lite by some, the law creates stricter policies on how businesses handle the personal information of California residents.
These data protections give Californians the right to:
- Know what personal information is being collected.
- Access the personal information that is collected.
- Request that their personal information be deleted.
- Know whether their personal information is being shared, and if so, with whom.
- Opt-out of the sale of their personal information.
- Have equal service and price, whether or not they chose to exercise their privacy rights.
Who Does it Apply To?
The California Consumer Privacy Act mostly applies to businesses and service providers who handle California residents’ personal information. The CCPA defines a business as a for-profit entity that collects consumer personal data. If your business meets any of the following requirements, you may need to comply:
- Businesses that earn $25,000,000 or more a year in revenue.
- Businesses that annual buy, receive, sell or share personal information of 50,000 or more consumers, households, or devices for commercial purposes.
- Businesses that derive 50% or more of their annual revenue from selling consumer personal information.
California citizens have the ability to bring a civil action lawsuit against companies that do not abide by the law. The state can also bring these charges to a company directly — charging a $7,500 fine for any violation that is not addressed within 30 days.
The CCPA defines a service provider as a company that processes consumer personal information on behalf of a business.
What Steps Should I Take?
First, talk to your lawyer. Drip cannot provide legal advice to your business about CCPA. Once you've determined how CCPA impacts your business, you may need to communicate what data your business collects, how you use that data and how a consumer can request their data to be deleted. You can do this by sending a transactional Single Email Campaign with Drip. Learn more here.
How Drip Handles Customer Data
Drip doesn’t buy or sell customer data, and we require explicit opt-in for all of our customers’ lists on our platform. You may request that we delete someone’s data from our database if you aren’t able to do so, and we will honor the request within 30 days.
If a customer requests access to all data you have stored on them, which includes data stored in Drip, reach out privacy@drip.com. Exporting data to a CSV file is possible, but will be incomplete without a person's activity feed data, which we can provide.
Please note the following:
- For security purposes, this request must come from the Drip account owner, not an account admin or an account contributor.
- The email address of the person requesting access or deletion must be provided, and that person must be present in your Drip account.
- Drip will respond to data subject rights requests within 30 days.
Reach out to privacy@drip.com for any data deletion or access requests.
The TL;DR
If your business has customers in California, they have the right to know what information you’re collecting about them, why you’re collecting it, and who you’re sharing it with. Consumers in California can request that their data be deleted by any for-profit entity that collects consumer data. They can opt-out from your ToS without losing access to your offerings, and if you sell the data of anyone under the age of 16 you need to get explicit consent.
For you, the business, this means:
- Talk to your lawyer. Find out what this means for your business and what action items you need to take.
- Send a transactional Single Email Campaign to communicate about the CPPA.
- Reach out to privacy@drip.com for any data deletion or access requests.