What is the CCPA?
We're guilty of putting the cart before the horse. We're not alone: Many others have jumped into analyzing the impact of the California Consumer Protection Act (CCPA) without actually defining what is the CCPA legislation.
We've delivered a glossary of CCPA terms, and provided a list of steps to take to be compliant when the new law goes into effect. Here, though, is a primer that answers what is the CCPA is, what its consequences might be for marketers, and the broader importance of this law – and others coming on its heels.
So, what is the CCPA?
The CCPA was drafted to protect the data privacy rights of California consumers. The initiative that proposed it says that it's meant to "give Californians the 'who, what, where, and when' of how businesses handle consumers' personal information."
The Act requires businesses that have customers who are residents of California be transparent about what data they're collecting about those individuals, who they're sharing it with, and provides Californians the right to deny the sale of their personal data, or even ask it to be deleted. It also gives them the right to sue businesses if their personal data is sold without their consent.
Businesses can't sell the data of consumers age 13-16 unless they opt-in, and they'll need parental or guardian consent to sell data of anyone under 13.
When does it go into effect?
January 1, 2020.
How does the CCPA differ from the GDPR?
There are several key differences. One is in the realm of consent: the CCPA doesn't require consumer consent for businesses to collect or process personal data, unlike the GDPR. Under the CCPA, a business does have to give them the opportunity to opt-out, though.
The CCPA only applies to businesses that are "doing business in California," but isn't (yet) any clearer on what that definition involves. The CCPA applies to California residents, whereas the GDPR encompasses "EU data subjects" without being specific about their residency or citizenship. The CCPA protects data linked to specific households, while the GDPR applies only to individuals.
How do I know if I'm "doing business in California"?
The law applies not just to you as a company, but also to third parties that may be acting on your behalf as "controllers" - i.e., the ones collecting personal data. Here are the factors that define if you're liable:
- A company (or its third parties) has a physical presence in the state; for digital marketers, that may refer to server locations.
- Having employees in California, or holding licenses to conduct business there.
- Whether or not the individual to whom the personal data relates is a resident of California.
The last is an interesting wrinkle: Even if they're outside the state borders, the CCPA still applies to them simply because they're a current resident.
Who needs to comply?
While the GDPR applies to all enterprises, public and private alike, the CCPA limits itself to for-profit firms that meet any one of the following criteria:
- A company must have annual gross revenue in excess of $25 million.
- It must obtain personal information of 500,000 or more California residents, households, or devices annually, or…
- It obtains 50% or more of its annual revenue from selling California residents' personal information.
Is it final?
Not quite. There are multiple amendments now in the California legislature that may affect the final shape of what is the CCPA. That's why it's important for companies to keep track of how the legislation is evolving.
Why should I comply?
California is the fifth-biggest economy in the world and there's a good chance that a large company has customers or prospects there. Moreover, it's important that companies begin to create flexible compliance systems and adopt consent platforms that will let them address not just the CCPA, but the rising tide of privacy protection regulations that are on tap in other states, owing in part to the lapses of the federal government in providing regulation.
In the last year, 13 states have enacted privacy laws or proposed bills modeled after the CCPA. Six more have proposed some CCPA-style privacy protections. Some of those would be far more draconian than the CCPA, like the New York Privacy Act. As WIRED described it,
The New York Privacy Act, introduced last month by state senator Kevin Thomas, would give residents there more control over their data than in any other state. It would also require businesses to put their customers' privacy before their own profits.
The state's NYSDFS regulations requiring data security compliance in the financial services sector are already highly restrictive. So if your company operates in multiple U.S. states, you need the right processes and technology tools to deliver compliance everywhere.
Is there a bottom-line benefit for me?
Trust-based marketing is more than just marketer jargon. It's something that can have tangible returns for you as consumer attitudes about data privacy shift.
A paper in the Standard Technology Legal Review illuminates this point: privacy laws like the CCPA provide opportunities to create trust between consumers, brands, and institutions. A company that demonstrates a proactive approach to privacy is proving it cares about consumer concerns, and that builds loyalty. As the authors note, "trust is necessary for a sustainable digital future, and trust-promoting privacy rules can create [value]."
Some of the most successful brands around have built their bond with consumers on the basis of perceived transparency and privacy protection. Amazon, for instance. In research by Online Nation, Amazon was "trusted" by 66% of consumers, second only to the BBC; Facebook, by comparison, had fallen to 31%.
Amazon has built on that trust to make consumers feel comfortable with sharing personal data with them. There's obviously a value exchange here: Users share personal data while receiving retail personalization that makes shopping seamlessly convenient.
Following through on CCPA compliance – and trumpeting the fact – can do you a lot of short-term and long-term good in terms of reputation-building and customer loyalty, in other words.
What steps should I take?
First off, you need to audit your internal databases and data-gathering processes to see if you're exposed to the CCPA.
- Then you ought to determine if your agencies and technology partners are liable, too. Is your digital ad agency gathering data on your behalf? Are there tags on your website(s) that are collecting data that might put you in CCPA violation?
- Understand how it's collected, confirm if it's being sold to or shared with third parties, and what it's being used for.
- Review your internal data collection policies and procedures and update them to reach compliance.
- Train staff to understand data privacy compliance and how to properly manage customer data.
- Have procedures in place so you can respond to customer requests for access to their personal data, for its deletion, or for information about its sale or sharing.
- Evaluate if your websites and other digital channels require a universal consent platform to help them address privacy regulation, not just in California but elsewhere.
- Determine if you need a tag auditor solution to manage third-party data gathering on your sites.
So should I start worrying?
Not if you're taking the right steps, right now, to get to a state of CCPA compliance, and to install a process framework and tools for dealing with future regulatory hurdles. Because they're on their way.
The silver lining? By demonstrating you're devoted to compliance and the protection of customer data, you'll differentiate yourself in a very good way from other marketers - and build trust and loyalty with those very consumers.