Last fall, California passed the first data privacy legislation in the United States. The California Consumer Privacy Act of 2018 (CCPA) gives California consumers protections in terms of how their personal information is used by for-profit companies.
In some ways, it already has. The CCPA technically went into effect when it was passed in September 2018. But companies have until January 1, 2020 before the law truly goes into effect. And even then, the California Attorney General has until July 2, 2020 to publish regulations that make CCPA enforceable. Additionally, the Attorney General can’t bring legal action against companies that violate CCPA until July 1, 2020 or six months after the final regulations are published.
CCPA applies to any for-profit company that does business in the state of California and meets any of the following criteria:
- The business’ annual revenue is over $25 million
- The business receives the information of over 50,000 consumers, households, or devices annually
- At least half of the business’ annual revenue comes from selling personal information
The CCPA will not restrict a business’ ability to do the following:
- Comply with federal, state, and local laws
- Collect, use, retain, sell, or disclose information that is deidentified or aggregate consumer information
- Collect or sell a consumer’s personal information if every aspect of that conduct takes place completely outside of California.
CCPA protects consumers by covering three important areas in data privacy:
- Transparency – consumers should know who is collecting their data and what happens to that data
- Control – Consumers should be able to exercise control about who has their data
- Accountability – When data breaches occur, the responsibility is on the company
Currently, companies offer services for free in exchange for tracking the movements and activities of consumers. That means that every website you visit, every search you make, every item you buy and every free PDF you download is likely a data point in someone’s database.
Under CCPA, companies must disclose the following information at any point data is collected:
- The consumer’s rights under CCPA
- What information categories are being collected?
- How that information will be used (will it be used internally or shared and sold)
- What categories of information have been shared with or sold in the last year?
Companies will also have to provide mechanisms that allow consumers to:
- Edit data a company holds
- Delete data a company holds
- Opt out of having their information sold via a clear link titled “Do Not Sell My Personal Information”
There’s also a clause that prevents companies from discriminating against customers that opt out of sharing data. Interestingly enough, that doesn’t preclude them from charging different prices or provide a different quality of goods if the difference is reasonably tied to the value of the data.
Personal information under this law is anything that, “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
That means everything from behavioral data from digital interactions to the conclusions that companies draw from those interactions.
Selling data under CCPA means any exchange of data for either money or “other valuable consideration.” This will likely be clarified when the Attorney General establishes its guidelines for 2020.
The penalty for each violation is $2500 if unintentional and $7500 if intentional. Businesses have 30 days to fix alleged violations after they’ve been notified of their noncompliance.
The other concern for businesses is that if there are laws in place protecting consumers, there ‘s also the potential for class-action lawsuits which could cost companies between $100 and $750 per incident.
Marketers need to filter their databases and determine how much of an impact CCPA will make on their brand.
Determine if and how many customers or leads you have in your database that are from California. Maybe you segment this population to maintain compliance, but if the number is sizable, you may just want to retool all your data collection processes to comply with California’s standards. It won’t be easier, but it will help you to ensure you don’t get hit with hefty fines.
After CCPA was passed, it opened the door for similar bills to be introduced in other states. So far, there are 12 states with CCPA-inspired bills in the works. They are:
- New Jersey
- New Mexico
- New York
- North Dakota
- Rhode Island
That means that laws like CCPA are going to become more and more common in the coming years. For marketers, that means starting to apply the concept of CCPA to all your marketing. It’s a better look to think ahead than to just barely comply with increasingly common rules.
Let us know what you think:
- Is a CCPA-inspired law coming to your state?
- Does CCPA affect your business?
- How do you think CCPA will impact marketing?