If you’re a marketer or business owner in the United States, you’ve probably heard of CCPA by now—the California Consumer Privacy Act. And while you may have been able to avoid previous privacy-related legislation (Canada’s CASL and Europe’s GDPR) in the past, CCPA will affect many businesses that operate and market to those in California. So, lots of businesses.
Legislation can be tricky, and, let’s be honest, reading privacy law can be frustrating, boring, and overwhelming all at the same time. This blog post is an attempt to help digital marketers understand CCPA, which businesses it affects, what the repercussions will be if it’s violated, and how to handle it in general.
First, a disclaimer: I am not a lawyer. I am just a digital marketer trying to interpret legal jargon that will impact my industry. And while I’m confident I have the overarching themes covered well, deep, nuanced interpretation should be left to the professionals.
What is CCPA?
You’ve probably heard the saying “as California goes, so goes the nation.” Well, the Golden State is moving to hold companies accountable for their user data collection and selling practices. California has rolled out a state law (California Consumer Privacy Act, or CCPA) that forces companies to disclose what data is being collected and who it’s being sold to, while providing consumers the ability to opt out of having their data sold to third parties. Companies must also, upon a verified request, tell a consumer what personal information they’ve collected about them over the preceding 12 months, and they have 45 days to respond.
Even if you don’t live in California, you’ve probably already started to feel its effects. Your inbox is likely flooded with “We’ve updated our privacy policy” emails. And if you’ve been doing any casual internet research you’ll likely have seen this new pop-up that tells you your data is being collected and sold, but that you can opt out. (In many cases, it’s easier for a company to roll out a nationwide practice than to target those in California specifically. Plus, these transparent acts are where marketing is going, anyway).
Is this just American GDPR?
Same same, but different. Both deal with user information, data, and privacy. GDPR governs how personal data is processed at all, and for marketing that generally means users have to opt in, explicitly and completely. CCPA is narrower: it’s about telling users what you collect and letting them say no to having it sold at a profit. Both also reach data breaches, and those can result in pretty hefty fines. Under GDPR, British Airways and Marriott International faced proposed fines of roughly $221 million and $125 million for data breaches, respectively.
Many people are making those comparisons and saying if you’re GDPR compliant, you’re CCPA compliant. I’m offering a different opinion: you’re not compliant, but you might be close.
Any loopholes?
Not to sound too cynical, but as long as Facebook is headquartered in the United States there will always be loopholes for data collection and storage.
And speaking of Facebook, the company is already saying that CCPA does not impact them because they don’t sell data, they buy it (en masse) and operate as a service company.
First, this law doesn’t stop the collection of data, and it doesn’t ban selling it either. It gives consumers the right to opt out of the sale, and only for the businesses and data it covers.
Second, not every company is included in CCPA. The law only applies to your company if it does business in California and earns more than $25 million in gross annual revenue, buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices a year, or makes 50% or more of its annual revenue from selling user data.
Third, not all data is covered under this law. “Publicly available” information that comes from government records is not protected. This means records on property, marriage, death, or birth; court filings; and voter registrations. Additionally, deidentified or aggregate data that can’t reasonably be tied back to an individual consumer is still fair game to be sold.
Ultimately, most of the onus is on the user to make sure they’re protecting themselves. It is the user who has to tell each company that they don’t want their data sold, and a company that’s been told no can come back and ask again after 12 months.
Is it enforceable?
Not yet! The law takes effect January 1, 2020, but the attorney general can’t start enforcing it until July 1, 2020.
Also, if you read any reviews on the law, you’ll notice that the enforcement piece of it is murky at best.
Individuals can request that companies stop selling their information, but they can’t take legal action if the company doesn’t comply (the only private right of action is for certain data breaches, with statutory damages of $100 to $750 per consumer per incident). Otherwise, all the individual can do is submit a complaint to the California attorney general, who can seek civil penalties of up to $2,500 per violation ($7,500 if intentional) but who realistically will only be able to pursue a handful of cases annually.
What should you be thinking as a marketer?
As we said back in 2018 during the Cambridge Analytica fiasco and in 2017 with CASL, our best advice is to reach out to your legal counsel, have your updated policies linked on your website, and continue being good stewards of your customers’ information. Asking for permission and consent for sending marketing materials is part and parcel of what we all should be doing now. That gets you most of the way, but CCPA also expects you to tell people what you collect, honor their requests to see or delete it, and give them a clear way to opt out of having it sold, so make sure those workflows exist before someone asks.