Organizations with members or customers in California are subject to the California Consumer Privacy Act (CCPA) which takes effect on January 1, 2020. Similar to the goals of the European Union’s General Data Protection Regulation (GDPR), the aim of this legislation is to secure new privacy rights for California consumers.
Note that this post is not a complete summary of the CCPA, or legal advice to use in complying with the law; it is intended to provide background information to help you understand the law and how it could apply to your organization. Consult your own legal counsel to determine if you are subject to the requirements of CCPA and for a full understanding of your obligations under the law.
Does My Organization Need to Comply with CCPA?
It’s important to note that a business is only subject to the CCPA if it provides service to California consumers and one or more of the following is true:
- It has gross annual revenues in excess of $25 million.
- It buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
- It derives 50 percent or more of its annual revenues from selling consumers’ personal information.
As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.
How Does CCPA Relate to Membership Software?
Among the privacy rights outlined in CCPA that relate to your membership software are:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.
- The right to delete personal information held by businesses and by extension, a business’s service provider.
- The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information.
How Can I Use MembershipWorks to Respect Member Privacy?
MembershipWorks has a number of features that help you move toward compliance with CCPA. Let’s walk you through how to implement these features.
Use the Required Waiver/Terms field to inform members about the data you collect from them and what you do with it.
Businesses subject to the CCPA must provide notice to consumers at or before data collection. This field can be added to your Member Sign-Up, Member Manage and Admin Profile templates within Customization. Here’s how:
1. In Customization > Member Sign-Up, click on “+ Add Field” within the About section.
2. In the field type, use New custom field.
3. Type a Description.
4. Add a 2-letter identifier of your choice.
5. Change the Type to “Required waiver/terms.”
6. Paste your waiver/terms into the Full text box and click OK.
7. Click Save Template.
8. Go to the Member Manage template.
9. Click on “+ Add Field” within the About section.
10. In the Field type drop down, find and select the name of the existing field that you just created.
11. Click OK.
12. Click Save Template.
13. Repeat steps 9 through 12 within the Admin Profile template.
Enable the Anonymize/Erase Personal Data feature to allow you to anonymize a member’s personal information at their request.
CCPA indicates that businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes. Head to Customization > Admin Profile template, where you can add an “Anonymize/Erase Personal Data” box. You will then see an “Anonymize/Erase Personal Data” button appear under the Profile tab of each member’s account. Clicking on the button will bring up a warning before you can proceed with the anonymization process. Read more about this feature and how it works.
Note that before you comply with a request to delete or a request to know what data is stored, CCPA requires that you verify the identity of the person making the request, even if they do not have an account in the system. The draft regulations propose that if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, organizations must treat a request to delete as a request to opt-out.
Anonymize non-members by creating an account for them.
The best way to handle deletion requests from non-members — such as event registrants who do not have an account — is to create an account for them. This can be easily done from the Event Dashboard.
- Click on the + symbol next to the non-member’s name and create their account in a Folder. You can create a new Folder for this purpose if desired.
- Once the member is created, from the Event Dashboard you can then click on the person icon next to their name.
- Once you have pulled up the account, head to the Profile tab where you can scroll to the Anonymize/Erase Personal Data button to complete the request.
Create a Label to allow members to request that their data not be sold.
CCPA requires businesses to provide a “Do Not Sell My Info” opt-out option on their website. This field can be added to your Member Sign-Up and Member Manage templates within Customization.
1. In Labels & Membership, create a new label such as “Do Not Sell My Info.”
2. In Customization > Member Sign-Up, scroll to the Profile section.
3. Click on “+ Add Box” at the bottom of the Profile section.
4. Next to Box type, select “Add/Remove Labels and Folders”.
5. Type a Description such as “Select the ‘Do Not Sell My Info’ option below if you want to opt out of solicitations from our business partners.”
6. Next to “Selectable folders/labels”, select the label you created in step 1.
7. Click OK.
8. Click Save Template.
9. Go to the Member Manage template and repeat steps 3 through 8.
Once your Label is in use, you can exclude members who do not want their data sold whenever you perform an export. When exporting from your Members folder, click on “+ Add Search Criteria” under the Search box and select the Label you created in step 1. Then click the option to “Show accounts NOT matching search criteria instead.” You can now click “Export” knowing that members who have opted out of having their data sold will be excluded.
If you are selling member data, the CCPA draft regulations indicate that you must:
- Disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information,
- Explain how you calculate the value of the personal information, and
- Explain how the incentive is permitted under the CCPA.
The Importance of Documenting Requests
CCPA dictates that organizations must create procedures to respond to requests from consumers to opt-out, know, and delete. According to draft regulations, organizations must also maintain records of requests and their responses for 24 months in order to demonstrate compliance.
Consult Your Attorney
See additional CCPA privacy requirements here. This article is not a complete summary of the CCPA, or legal advice for your company to use in complying with the law; it is intended to provide background information to help you understand the law and how it could apply to your organization. Consult your own legal counsel to determine if you are subject to the requirements of CCPA and for a full understanding of your obligations under the law.