California Consumer Privacy Act Compliance

Introduction

The California Consumer Privacy Act of 2018 (CCPA) was designed to protect the data privacy rights of California residents. It requires companies to tell consumers more about what is being done with their data and gives consumers more control over the sharing of that data. The underlying problem the law addresses is that most consumers don’t realize that their personal information is being shared with or sold to others. The Act ensures that consumers are given a chance to opt out of having their information used in a way they disapprove of.

When Does CCPA Take Effect?

The California Consumer Privacy Act (CCPA) went into full effect on January 1, 2020.

What are the Rights of Consumers under this Act?

The Act gives all California consumers the right to:

  • Know what personal data is being collected about them.

  • Know whether their personal data is sold or disclosed and to whom.

  • Say no to the sale of their personal data.

  • Access their personal data.

  • Request that a business delete any personal information about a consumer collected from that consumer.

  • Not be discriminated against for exercising their privacy rights.

What is Considered Personal Information?

Personal data is information that relates to an identified or identifiable individual. This could be a name, an address, or a phone number, but it could also be an IP address or a system identifier. If it’s possible to identify an individual directly from the information, then that information may be personal data.

Under the CCPA,

“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Who does the CCPA Affect?

The CCPA applies to any company that does business in California and meets at least one of the following criteria:

  • Has annual gross revenues in excess of US $25 million;

  • Holds data containing personal information of 50,000 or more California consumers, households or devices; or

  • Earns 50% or more of its annual revenue from selling consumers' personal information.

An entity meeting any of the above three criteria and buying and selling goods or services in California will be subject to the CCPA even if it does not have a physical presence in California.

New Business Obligations under CCPA

The CCPA imposes additional obligations on businesses with respect to personal information such as:

  • Providing notice to consumers at or before data collection.

  • Providing notice to consumers of their right to opt out of the sale of personal information, and a mechanism to do so. This would include providing the consumer a “Do not sell my info” link on their website or mobile app.

  • Responding to requests from consumers to know, delete, and opt out within specific timeframes.

  • As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt out as a validly submitted opt-out request.

  • Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.

  • As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt out.

  • Taking appropriate security measures when handling personal information and when a security breach occurs.

Accessing Personal Data in Tulip

Under the CCPA, retailers have up to 45 days from when a request is made to respond to consumer requests.

To help retailers comply with this CCPA requirement, Tulip’s Customer Success Division can provide extracts of the consumer data in CSV format at the retailer’s request.

The CCPA gives consumers the right to request (either verbally or in writing) that their data be deleted. On receiving such a request, the retailer must comply within 45 days.

Tulip provides out-of-the-box functionality to support customer information deletion requests.

Retailers can work with Tulip to configure their preferred data subject request fulfilment method as one of the following:

  • Delete - Removes a customer record entirely from Tulip’s data storage, as well as any reference to its customer ID.

  • Mask - Blanks out personally identifiable information fields (where possible) and deletes any data not needed for metrics or transactional information.

  • Hash - One-way encryption of personally identifiable information that cannot be decrypted to recover the original information. Any data that is not needed for metrics or transactional information is deleted. The one-way encryption uses a consistent salt for the entire deletion to ensure that data is encrypted in a way that preserves relational data integrity.
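
A sketch of the Hash method described above, added here as an illustration and not Tulip's code: one random salt is generated per deletion request and used as an HMAC-SHA256 key, so the same customer ID or email maps to the same token in every table and joins still work. The field names, the sample rows and the choice of HMAC-SHA256 are assumptions; the page does not say which hash function or schema Tulip uses.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one customer row and order rows that reference it.
CUSTOMERS = [{"customer_id": "C-1001", "name": "Ada Example",
              "email": "ada@example.com", "notes": "prefers SMS"}]
ORDERS = [
    {"order_id": "O-1", "customer_id": "C-1001", "email": "ada@example.com", "total": 120.0},
    {"order_id": "O-2", "customer_id": "C-1001", "email": "ada@example.com", "total": 35.5},
]

PII_FIELDS = {"customer_id", "name", "email"}  # assumption: fields that get hashed
DROP_FIELDS = {"notes"}  # assumption: not needed for metrics, so deleted outright


def new_deletion_salt() -> bytes:
    """One random salt for the whole deletion request."""
    return secrets.token_bytes(32)


def pseudonymize(value: str, salt: bytes) -> str:
    """One-way token: same value and salt give the same token in every table."""
    return hmac.new(salt, value.encode("utf-8"), hashlib.sha256).hexdigest()


def hash_rows(rows, salt):
    """Hash PII fields, drop unneeded fields, keep metric fields untouched."""
    out = []
    for row in rows:
        clean = {}
        for field, value in row.items():
            if field in DROP_FIELDS:
                continue
            clean[field] = pseudonymize(value, salt) if field in PII_FIELDS else value
        out.append(clean)
    return out


def fulfil_request(customers, orders, salt=None):
    """Apply one salt across all tables so foreign keys still line up."""
    salt = salt or new_deletion_salt()
    return hash_rows(customers, salt), hash_rows(orders, salt)


if __name__ == "__main__":
    hashed_customers, hashed_orders = fulfil_request(CUSTOMERS, ORDERS)
    print(hashed_customers[0]["customer_id"] == hashed_orders[0]["customer_id"])
```

The salt should be discarded once the run completes: anyone holding it can recover low-entropy fields such as email addresses or phone numbers by hashing guesses and comparing.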

Manage Deletion Requests using Tulip Self-Serve Tools 

Retailers can use a web-based tool provided by Tulip to fulfil data subject requests to delete customer data. These self-serve tools provide corporate offices with the ability to select customer records and initiate the fulfilment method specified by and configured for the retailer.

Beyond the customer’s profile information, additional referential data is also affected, including (but not limited to): associated analytic data, past order data, Client Book associations, relevant customer follow-up tasks, all customer communication history, customer activity logs, and customer notes.

Tulip’s Commitment to Protecting Consumer Data

Tulip is committed to protecting consumer data and providing our retail partners transparency and the tools to control their customer data to help them in complying with regulations like the California Consumer Privacy Act.

Disclaimer

The information presented here is for informational purposes only and should not be relied upon as legal advice. Clients should consult with their legal counsel to understand their specific obligations under the CCPA. It is the client’s responsibility to review Tulip’s functionality and tools and assess whether the client’s use of the Tulip solution is compliant with laws and regulations applicable to the client.

Contact Us

For more information on Tulip’s commitment, contact us! If you are a Tulip customer, please contact your Customer Success Team representative for more information.

Available Configurations

Retailers can configure this feature in the following ways:

Field | Configurable Elements
Customer Delete | Configure the customer deletion method (Delete, Mask, or Hash)