Just when you settled into a post-GDPR routine, there’s a new consumer privacy law that should be on your radar. CCPA, which stands for the California Consumer Privacy Act, goes into effect on January 1, 2020, and will have massive implications for marketing in the US. Lucky for you, there’s plenty of time to get ahead of the game.
According to the CCPA website, the act protects these consumer rights:
- The right to know all data collected by a business on you
- The right to say no to the sale of your information
- The right to delete your data
- The right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection
- Mandated opt-in before the sale of children’s information (under the age of 16)
- The right to know the categories of third parties with whom your data is shared
- The right to know the categories of sources of information from whom your data was acquired
- The right to know the business or commercial purpose of collecting your information
- Enforcement by the Attorney General of the State of California
- Private right of action when companies breach your data, to make sure these companies keep your information safe
CCPA will hold brands accountable for any data breaches, allowing consumers to sue them up to $750 for each violation. And under it, the state’s attorney general can sue for up to $7500 for each intentional privacy violation.
With a few exceptions, data providers, technology companies, marketing and online media businesses, and other organizations that collect personal data on Californians will have to comply if they meet any of the following criteria:
- Earn at least $25 million in revenue
- Buy data about 50,000 households, individuals, or devices
- Earn 50% or more of their annual revenue from consumer personal data
More than 500,000 U.S. businesses likely meet one or more those criteria.
Implications beyond California
“California is a marketplace that many brands inside and outside the U.S. just can’t ignore,” writes Chad White, on the Litmus blog. “They will have no choice but to comply with the consumer privacy act.” He calls the law “part of a global trend toward stronger privacy protections and greater data transparency, of which the Canadian Anti-Spam Law (CASL) and the General Data Protection Regulation (GDPR) are a part.” He notes that law makes “little mention” of email and he adds that it should be “relatively easy” for brands already in compliance with GDPR to comply with the new California law.
“Although it is theoretically possible to apply CCPA only to California — one data standard for Californians and one for everyone else — it would be extremely cumbersome and inefficient in practice,” writes Abdul Rastagar at MarketingProfs. “More realistically, many companies will find it easier and cheaper to simply apply their California data management policies across the board—for all US customers.”
Rastagar notes one important difference between GDPR and CCPA: “The California regulation does not explicitly require you to opt-in consumers in order to collect their data. If you are a marketer, this is good news because it frees you from the complex (and low-yield) customer opt-in process.”
Getting ready for CCPA implementation
Marketers who have already taken the steps needed to comply with the GDPR are likely already in compliance with many CCPA provisions. But, Rastagar suggests taking the following steps in advance of the law going to into effect.
- Talk to your legal counsel
- Determine whether CCPA applies to you
- Audit data-collection practices to identify how you collect and store personal data
- Ensure that personal data is either encrypted or redacted
- Study CCPA to understand its specific requirements and your new obligations
- Review (or define) your policies, roles, and responsibilities for data management.
- Update your privacy policies (again)
- Consider whether and where explicit opt-in requests make sense for your organization
- Decide whether to proactively communicate your position on CCPA to customers
- Hire a chief data protection officer
And keep an eye on the news: “A separate bill still under consideration in California, AB-2546, would address strengthening anti-spam laws and moving California – and in effect the rest of America – off the opt-out marketing permission standard established by CAN-SPAM and putting it more in sync with international anti-spam laws,” White writes.