How to Respond to the California Consumer Privacy Act

Effective January 1, 2020, the California Consumer Privacy Act provides users additional rights around three categories: transparency, control, and accountability. Here’s what you need to know:

1) Transparency

Your organization must be able to provide clear information regarding the categories of information you collect. Users have the right to know whether their personal information is sold or released to other companies and details surrounding the transfer of information.

Your Next Steps: Sit down with your team and create a list of your data inventory. It doesn’t have to be complicated, but should reflect what data you receive, how you collect it, and who has access to it. It should be a live document that can be updated whenever changes are made to how your data is impacted.

Need help getting started? Download our data inventory template.

Your organization should also provide users the option to opt out of the transfer of their data. On your website, create a link titled “Do Not Sell My Personal Information” that gives users the option to make the request. The link should be clearly accessible and can live in the footer of the website on all pages.

2) Control

Users have the right to access their personal information and receive a copy of their personal data without incurring a cost. The CCPA allows for this information to be provided electronically. Users must have a clear way to opt-out and opt-down of communication. The user can also request to have their data deleted from your organization’s records.

Your Next Steps: Review your customer relationship management (CRM) platform processes and nomenclature with your team. The CRM is the brain of your organization and all data should feed back into it. Your team should be well versed in how to update and remove records if requested.

We’ve got a few favorite CRMs. Find one to fit your needs.

3) Accountability

Organizations have 45 days to respond to the user’s request. If your organization expects to go beyond 45 days, you must notify the user and can expand the timeframe up to an additional 45 days.

Your Next Steps: Assign a person on your team who will be responsible for managing data requests. This is best suited for the person who has the most interaction with your donors and can be leveraged as an opportunity to develop relationships further. Records should be maintained of when the request was received and the date action was taken to respond to it.

CCPA does not restrict the ability to comply with federal, state, or local laws. While there are exemptions, it’s important to align with the sentiment of the act, giving users the ability to manage how their data is used. Respect the rights of users who no longer want to engage and build stronger relations with users who do.

Learn to build engaging omnichannel campaigns at a High Impact Workshop.


More Insights from Dunham+Company: “The Most Important Messenger Bot Feature”

Ready to take the next step? Dunham+Company is here to help your organization have more impact and establish deeper relationships with your donors and supporters.