Business Intelligence Analyst, Tailwind
What is the California Consumer Privacy Act?
The California Consumer Privacy Act of 2018 (CCPA) was passed in June by the California state legislature. Effective January 1, 2020, it outlines new protections for California residents regarding the collection and sale of personal information. As the first law of its kind to enact such strict regulations on the sale of consumer data within the U.S., especially by a large state like California, it sets the pace for what may become the future of data-driven marketing, and that’s exciting.
Who does this apply to?
The new legislation applies to businesses that do business with residents in the state of California and satisfy at least one of the following thresholds:
What’s in the act?
CCPA provides a few key rights and protections to California consumers. These are explicitly outlined at the beginning of the text and fall into five key categories:
1. Right to disclosure:
2. Right to access their information, including:
3. Right to delete their information:
4. Right to say no to the sale of their personal information:
5. Right to equal service and price, even if they exercise their privacy rights.
You can read the full text of the law here.
Is GDPR finally coming to the United States?
Not yet. Europe’s GDPR and the California Consumer Privacy Act share some of the same features and the same underlying motives, but at its core, GDPR’s scope and reach far outclass that of the new California legislation, reaching further into the realm of data processing, storage, and communication regardless of intended use. CCPA is all about the authorized sale of personal data and the disclosure of where and how it was collected and who it was shared with. It does not focus as much on the internal use of personal information by companies.
On the technical implementation side, tracking compliance with CCPA may conflict with existing standards set by GDPR. In particular, GDPR and CCPA have fundamentally differing assumptions as to the default status of consumers at the time of data collection. GDPR assumes that all users are by default opted-out of data collection without explicit opt-in consent given. The CCPA assumes by default that users are opted-in to data collection and are allowed to opt-out at their request. This fundamental difference may lead to conflicts in how companies need to structure their data collection methods if they seek to comply with both laws.
If my company doesn’t buy, sell, or share personal data, why should we care?
CCPA itself may not be the devastating blow to digital marketing that people feared, but it sends a strong signal about the future. As marketers, we have lost a lot of credibility in the last few years, and personal information is no longer something legislatures are willing to ignore. The public backlash around the Equifax breach, Cambridge Analytica and the Facebook data breach in September is becoming more and more apparent.
Though agreement is hard to come by at the national level, there is a growing trend of states taking matters into their own hands and introducing their own data privacy laws. States like Vermont and Georgia have already introduced their own data protection legislation. With the interconnectedness of the internet, and the impracticability of implementing custom systems for each state, we are now in a race to GDPR–and possibly beyond in the United States–where the strictest implementation becomes the standard. States like California hold the power to dictate what exactly is the new standard for personal data. Where we eventually land will depend on whether we can restore consumers’ faith in our ability to responsibly and ethically handle their personal information.
So… what can we do to prepare for the future?
Though we don’t have a crystal ball, we can recognize that at its core, the new regulations being proposed focus on a few key themes surrounding data protection, data collection and disclosure. It’s about being responsible with consumer data and understanding the risk consumers face when they put their trust in our companies. To prepare for what may come, it’s easier to do the legwork now and build good systems that hold up to scrutiny, rather than scrambling as so many did at the dawn of GDPR last May. Here are a few tips: