What is the California Consumer Privacy Act?

The California Consumer Privacy Act of 2018 (CCPA) was passed in June by the California state legislature. Effective January 1, 2020, it outlines new protections for California residents regarding the collection and sale of personal information. As the first law of its kind to enact such strict regulations on the sale of consumer data within the U.S., especially by a large state like California, it sets the pace for what may become the future of data driven marketing–and that’s exciting.

Who does this apply to?
The new legislation applies to businesses that do business with residents in the state of California and satisfy at least one of the following thresholds:

  • “Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)”
  • “Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices”
  • “Derives 50 percent or more of its annual revenues from selling consumers’ personal information”

What’s in the act?

CCPA provides a few key rights and protections to California consumers. These are explicitly outlined at the beginning of the text and fall into five key categories:

1. Right to disclosure:

  • Companies must disclose what personal data is being collected, who it is being shared with, or sold to, and how it is being used prior to collection.
  • In addition, it dictates that “A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice…

2. Right to access their information, including:

  • The sources from which a business collected the consumer’s personal information
  • The specific pieces of personal information it collected about the consumer
  • The third parties with which it shared that information.

3. Right to delete their information:

  • Upon request, a company may have to delete user information: “A business that receives a verifiable request from a consumer to delete the consumer’s personal information…shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.”
  • However, there are limitations. Businesses won’t be required to comply with a request to delete information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to… enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”

4. Right to say no to the sale of their personal information:

  • All applicable companies must provide at least two main methods for Californians to opt-out of the sale of their personal data. At minimum they must provide a toll-free telephone number and a website with a clear opt-out link on the homepage. 
  • Said opt-out link must be titled ‘Do Not Sell My Personal Information
  • Additionally, businesses “shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.” 

5. Right to equal service and price, even if they exercise their privacy rights.

You can read the full text of the law here.

Is GDPR finally coming to the United States?

Not yet. Europe’s GDPR and the California Consumer Privacy Act share share some of the same features, and the same underlying motives, but at its core, GDPR’s scope and reach far outclass that of the new California legislation, reaching further into the realm of data processing, storage, and communication regardless of intended use. CCPA is all about the authorized sale of personal data and the disclosure of where and how it was collected and who it was shared with. It does not focus as much on the internal use of personal information by companies.

On the technical implementation side, tracking compliance with CCPA may conflict with existing standards set by GDPR. In particular, GDPR and CCPA have fundamentally differing assumptions as to the default status of consumers at the time of data collection. GDPR assumes that all users are by default opted-out of data collection without explicit opt-in consent given. The CCPA assumes by default that users are opted-in to data collection and are allowed to opt-out at their request. This fundamental difference may lead to conflicts in how companies need to structure their data collection methods if they seek to comply with both laws.

If my company doesn’t buy, sell, or share personal data, why should we care?

CCPA itself may not be the devastating blow to digital marketing that people feared, but it sends a strong signal about the future. As marketers, we have lost a lot of credibility in the last few years, and personal information is no longer something legislatures are willing to ignore. The public backlash around the Equifax breach, Cambridge Analytica and the Facebook data breach in September are becoming more and more apparent.

Though agreement is hard to come by at the national level, there is a growing trend of states taking matters into their own hands and introducing their own data privacy laws. States like Vermont and Georgia have already introduced their own data protection legislation. With the interconnectedness of the internet, and the impracticability of implementing custom systems for each state, we are now in a race to GDPR–and possibly beyond in the United States–where the strictest implementation becomes the standard. States like California hold the power to dictate what exactly is the new standard for personal data. Where we eventually land will depend on whether we can restore consumers’ faith in our ability to responsibly and ethically handle their personal information.

So… what can we do to prepare for the future?

Though we don’t have a crystal ball, we can recognize that at its core, the new regulations being proposed focus on a few key themes surrounding data protection, data collection and disclosure. It’s about being responsible with consumer data and understanding the risk consumers face when they put their trust in our companies. To prepare for what may come, it’s easier to do the legwork now and build good systems that hold up to scrutiny, rather than scrambling as so many did at the dawn of GDPR last May. Here are a few tips:

  • Know what personal data you have collected, how and where it is stored, who has access, and how it is used.
  • Work to understand why you collected personal data and if it is serving a useful function in your organization. Personal information now involves risk.
  • Understand what consent your users have given you to collect and use their data.
  • As always, consult your legal experts and determine what standard of care will best protect you in the future.

About the author

Business Intelligence Analyst, Tailwind


comments powered by Disqus