CCPA: A Marketer’s Guide to the California Consumer Protection Act
California’s Consumer Protection Act (CCPA), the state’s newest data privacy legislation, went into effect at the beginning of this year, and it’s already sending shockwaves throughout the digital marketing world.
As a marketer, you must understand what it is, how it applies to you, and which business systems you’ll need to overhaul to comply. It’s also crucial that you gain a thorough understanding of how this legislation will impact your overall job description.
The CCPA is just one of many consumer protection laws recently enacted. Others include the European Union’s General Data Protection Regulation (GDPR) and Brazil’s Lei Geral de Proteção de Dados (LGDP) or General Data Protection Law.
Compliance with any of these laws will help streamline the process of preparing for others. Nonetheless, they all come with unique aspects. With that in mind, let’s deep dive into what the CCPA is and how it will impact your marketing efforts.
The California Consumer Privacy Act 101
The CCPA of 2018 (a.k.a. AB-375) is the most comprehensive data privacy legislation ever enacted in the United States. Like the GDPR and the LGDP, its main objective remains to protect consumer privacy through the regulation of personal data collection and use.
Does it really matter to you as a marketer? Absolutely!
First, it impacts the type of data your company can collect. In essence, companies must now disclose to consumers what information they’re collecting and when.
Second, companies must provide consumers with access to their data and allow them the right to delete it or “be forgotten.”
The CCPA Ripple Effect
Besides these two prominent areas of impact, the CCPA will also cause many long-term ripple effects. These go well beyond a company’s obligation to its consumers. The legislation will also impact targeted adtech solutions and data brokers.
As business models start to feel the “burn” from these new restrictions, finding alternate means of gathering consumer data will become necessary.
One of the best alternatives? Relying on zero-party data or declared data. These terms both refer to the same type of data. This information gets volunteered by customers to companies through surveys, polls, and other means.
How Will the do CCPA Affect Me?
If you’re still wondering what any of this has to do with you, we get it. After all, your brand most likely isn’t one of the 3,548,449 companies with physical addresses in the Golden State. None of that matters, however.
The California privacy law is extraterritorial. That means that it applies to any company that does business with residents of the state of California. If you’re an American company, I’m guessing you fall within this second parameter.
The CCPA makes no distinctions between online companies and brick-and-mortar ones. In other words, any for-profit company doing business in the state falls under the governance of the CCPA, if they meet any of the criteria that follow:
- At least half of your company’s annual revenue comes from selling personal information
- Your business receives information on more than 50,000 consumers, devices, or households each year
- Your brand’s yearly income surpasses $25 million
What else do you need to know about which enterprises fall under the CCPA’s sway? Because of the newness of the legislation, how narrowly California courts will interpret “doing business” remains to be seen.
We do know, however, that e-commerce transactions will count. Nonetheless, if courts decide to interpret the law more broadly, it may apply to any digital interactions with California residents, regardless of whether or not money changes hands.
What’s the Timeframe for Enforcement?
Although the CCPA was signed into law on June 20, 2018, the requirements did not officially go into effect until January 1, 2020. If you’re shaking in your marketing boots, hold it one moment.
I’ve got good news for you. The California Attorney General has until July 2020 to publish the CCPA’s regulations.
Are you confused yet? Think of legislation as the language passed by a legislative body and regulations as the standards enforced by the law.
The bottom line is this. The Attorney General can’t bring any legal action against companies in violation of the CCPA before July 1, 2020, or six months from the time that the final regulations get published. (Time for a collective sigh of relief.)
When You Need to Be Ready for the CCPA
Like mileage versus months when it comes to an oil change, the CCPA will begin being enforced on whichever of the two dates outlined above occur first.
That said, don’t decide to sit back and procrastinate until the summer. As it stands, marketers will most likely need to prepare in two parts.
What do I mean? You’ll need to meet the requirements as outlined in the legislation enacted on January 1. Then, you’ll need to monitor for any changes to regulation and scramble to make adjustments ASAP when July hits.
Why the CCPA Exists
If you’re like so many digital marketers I’ve talked to about the CCPA in recent months, you’re probably wondering about how we got to this point in the first place. After all, today’s marketers rely on consumer data to make relevant offers. (Or, at least try to do so.)
Isn’t that what consumers want anyway? A little personalization and A LOT of relevancy?
Neither personalization nor relevancy is inherently bad. On the contrary, customers LOVE getting curated playlists on Netflix, personalized recommendations on Amazon, etc.
What don’t they like? How the information gets collected, stored, protected, and treated.
The Consequences of Irresponsible Data Stewardship
Remember, every move you make online gets tracked. That includes every website you’ve visited, every item you’ve purchased, every search you’ve made, and every form you’ve filled out. You already know this, but not all consumers do.
What happens next, however, is highly controversial. This data often gets aggregated, sold, or traded based on a “bargain” that most consumers never agree to or even know about. The data collected represents the consumer’s “price” for free admission to the digital action.
Besides a lack of consumer knowledge about data collection, consumers also have no control over what happens to their data or where it ends up.
As consumer awareness increased concerning online privacy, some decided it was time to act. The CCPA ultimately represents just one manifestation of consumer concern over their right to privacy.
What’s more, countless cases of high-profile data breaches and irresponsible data stewardship have led to consumer backlash.
The Concept Behind the CCPA
How did consumer concern translate into the passage of the CCPA? In 2017, a non-profit group called Californians for Consumer Privacy crafted an initiative. At its heart were the tenets that would become the basis for the CCPA:
- Transparency
- Accountability
- Control
Transparency refers to the concept the consumers should be aware of what information companies collect about them. They should also have the right to know what happens to that data over time.
Accountability refers to the fact that companies should be held accountable for their data storage and handling in the event of a security breach.
Last but not least, Californians for Consumer Privacy and now the CCPA stipulate that consumers should be able to stop companies from selling their data without the fear of retaliation.
The initiative drafted by the Californians for Consumer Privacy was originally slated for the November 2018 statewide ballot. A preemptive move by the legislature, however, allowed for a solution replicating significant portions of the initiative.
The Consumer Rights Outlined by the CCPA
When it’s all said and done, what do California consumers gain through this legislation? Here are the primary rights set forth:
- The right to knowledge
- The right to control who has access to their information
- The right to be forgotten
Fully understanding these guaranteed rights is critical to taking steps to uphold the spirit of the law. With that in mind, let’s explore each of these consumer rights further.
The Right to Knowledge
The right to knowledge refers to a consumer’s right to know what data a company has collected about them. It also establishes the consumer’s right to see how that data gets used and whether or not that information gets sold or disclosed to a third party.
Consumers will be able to request this information twice per year at no charge. That means your company needs to be ready to deliver when it comes to all the information that you have about them, how your company collected that data, and who else has access to it.
The Right to Control
Consumer control refers to the right to opt-out of having one’s data sold to a third party. What’s more, the CCPA places restrictions on information related to minors.
Consumers under the age of 16 must opt-in to the resale of their data. As for consumers under the age of 13? They must get the written permission of a guardian or parent.
If a consumer’s data gets improperly disclosed due to a company’s negligence, the CCPA offers a firm legal basis for litigation. Even if no direct link has been established proving that the data breach caused consumer harm.
The CCPA also provides consumer protections. Companies cannot discriminate against consumers for exercising their right to privacy.
The Right to Be Forgotten
As for the right to be forgotten? This protection refers to the ability of consumers to request their data to be deleted. What if the company has already shared this data with other parties? Those parties must delete the information, too.
CCPA Compliance Obligations
Now that you’ve got a better understanding of the rights the CCPA affords consumers, it’s time to take a look at compliance obligations. There are two main components:
- Information governance
- Disclosure obligations
When does disclosure need to take place? At the point where the personal data is collected. In other words, merely having a disclosure privacy policy won’t cut it.
Instead, this disclosure must be linked to the location where personal information gets collected. What must companies inform consumers about?
- The categories of information being collected
- The intended use of that information (including whether it will be shared or sold to third parties)
- Which types of data have been shared with or sold to third parties within the past year
- Their rights under the CCPA
Companies must put mechanisms in place that allow consumers to exercise their rights to obtain and delete this information. They must also allow consumers to opt-out of the resale of their data.
According to the CCPA, this notice must be in a “clear and conspicuous” link on their homepage. It must be titled “Do Not Sell My Personal Information” and allow consumers to opt-out.
Penalties for Noncompliance
Penalties for individual violations of the CCPA are $2500 each for unintentional infractions. If the court rules, however, that the violation is intentional, the companies will pay $7500 for each violation.
Businesses will receive 30 days to fix alleged infractions after they get notified of their noncompliance. Even more costly than this is the potential for class-action lawsuits.
In the event of a data breach affecting thousands of people, this could incur between $100 and $750 per incident. In some cases, actual damages could exceed $750.
California’s Consumer Privacy Act and Your Company
As you can see, California’s Consumer Protection Act sets forth a robust list of consumer privacy rights. Your company will need to work diligently to comply with these requirements moving forward. When all else fails, it may make more sense to use the delete button rather than risk fines for infractions.
It’s also worth your brand’s while to take a close look at interactive marketing. This strategic approach relies on declared data. As a result, you won’t risk violating the CCPA, and you’ll also end up with a better quality of data.
Ready to find out more? Subscribe now to our mailing list to stay on the cutting edge when it comes to digital marketing.
Or, give us a call to discuss the stellar benefits of interactive marketing and declared data. We’d also love the opportunity to discuss how Ion Interactive can increase your conversion rates.
