It’s a new age for consumer rights and data privacy. While many marketers and brands – especially in the United States – are still struggling when it comes to complying with the EU’s General Data Protection Regulation (“GDPR”) that took effect in 2018, the next milestone in consumer data protection has come into effect: the California Consumer Privacy Act of 2018 (“CCPA”). This legislation represents the most comprehensive data protection regulations in U.S. history. With implications far beyond residents of the state of California, CCPA provides consumers with unprecedented rights to control what happens to their private data.
This blog post will attempt to answer some of the most important CCPA questions facing marketers right now:
What is the California Consumer Privacy Act in a nutshell?
CCPA was drafted in response to a series of breaches and scandals that exposed private information from consumers held by companies to third parties. Under CCPA:
- Consumers have a right to know what information companies collect about them, why this information is being collected, and which parties that information is being shared with.
- Consumers can ask companies not to share their information or to delete it entirely.
- Even when consumers opt out of sharing their data, companies must provide them with the same level of service.
- The law provides especially strict limitations for collecting data on individuals under 16 years of age and prohibits entirely the sale of data for individuals under the age of 13.
- Consumers have a right to sue companies when their personal information is subject to unauthorized usage, theft, or disclosure due to a company's failure “to implement and maintain reasonable security procedures and practices.”
Is CCPA limited to companies in California?
The law applies to any companies that “do business” or serve customers within the State of California. But with California’s economy ranking as fifth largest in the world (by GDP), the implications of CCPA reach across the globe.
Why should you care?
CCPA, like GDPR, forces companies, under penalty of law, to examine and consider their data collection, warehousing, usage, and privacy practices. CCPA is a signal that a larger wave of privacy regulation may be coming to the United States. State-specific data protection laws across the country are in the works, and the potential exists for Federal action to follow. With GDPR and CCPA, the heat is now on for local lawmakers to introduce more consumer-focused privacy laws. The days of casually collecting and keeping personal data “in the cloud” are coming to an end for marketers.
How is CCPA similar to/different than GDPR?
CCPA was closely modeled on GDPR. Like GDPR, it includes 1) specific requirements for provision of notice of rights to consumers; 2) the right for consumers to access a record of their files and personal data in a “readily useable format”; and 3) the consumers’ right to be forgotten.
Importantly, while the law took effect on January 1, 2020, consumers can retroactively ask for deletion of their data collected up to twelve months prior to their request. So technically, companies need to reach compliance in their data tracking architectures as early as 2019.
Unlike GDPR, CCPA creates a private right to sue companies over unauthorized usage, theft, or disclosure of personal data owing to a company's failure “to implement and maintain reasonable security procedures and practices.” CCPA’s definition of personal data is even wider than GDPR’s definition and includes biometric and geolocation data, as well as “inferences” drawn from such data for building consumer profiles.
To whom does CCPA apply?
CCPA applies to companies that meet any one of the following criteria:
- Buy, sell, or share the personal information of 50,000 or more consumers or devices.
- Have gross revenues of more than $25,000,000.
- Derive at least 50% of their annual revenue from the sharing of personal information.
Clearly, the companies most impacted by CCPA are companies with massive stores of consumer data records (like data brokers and telecom providers), and also companies dealing in personal data for targeted advertising. However, it is important to understand whether CCPA affects your company, as well.
How will CCPA affect the B2C marketer?
CCPA requires anyone collecting and using consumer data, including marketers, to follow stringent data protection standards designed to prevent data breaches, have protocols in place to respond to deletion requests from the consumers whose data they hold, and to document the opt-in status of those consumers.
The financial penalties for violations under CCPA are significant. CCPA imposes on companies in violation of the law regulatory fines of $7,500 per violation, as well as up to the greater of $750 or actual damages per individual violation.
There is a silver lining for marketers, however: while CCPA prohibits companies from denying service to customers who refuse to share their personal data, it does allow marketers to offer incentives to customers who do. In other words, companies are perfectly free to offer rebates or discounted prices in return for marketing opt-ins and permission to share data with third parties.
As a rule of thumb: If your agency is already complying with the rigid standards of GDPR, you’re likely in the home stretch toward CCPA compliance. If you aren’t, or if you’re not sure, visit Selligent’s Privacy and Security Center for more information on GDPR and CCPA compliance including free eBooks, webinars, white papers, and other helpful resources, like this checklist: 10 Steps to Prepare for Data Privacy Regulations. It was developed by our Selligent team to help marketers work toward compliance with CCPA and GDPR.
Whether it be GDPR, CCPA, or any other data privacy legislation, marketers are definitely at the forefront of a wave of new data privacy regulations that no company can afford to ignore.
Selligent encourages marketing professionals to view these measures not as a mandatory burden, but as a chance to build trust with their consumers – by practicing transparency about the data you collect, and by using this data as the foundation for marketing that’s marked by relevance and personalization at every turn.
For the full scope of our future-proof approach to data privacy, download our free whitepaper, Data Privacy for Digital Marketers: the Roadmap for 2020 and Beyond.
Disclaimer: The information provided in this blog post, and any comments made therein, do not, and are not intended to, constitute legal advice. All information, content, and materials made available, provided or discussed are for general informational purposes only. Readers of this blog post should contact their own attorney in order to obtain advice with respect to any particular legal matter.