On January 1st of this year, it became official: enforcement of the California Consumer Privacy Act (CCPA) had arrived.
Similar to the GDPR in the EU, the CCPA grants nearly 40 million California consumers “new rights with respect to the collection of their personal information.”
That is great for consumers, but a little confusing and concerning for businesses that aren’t sure whether they’re required to comply.
So what does the CCPA mean for marketers and consumers? There are still a lot of questions being raised about the newly enforceable regulation. We asked email industry expert and Kickbox Data Privacy Officer Dennis Dayman some questions to help break it down for us.
Who is required to comply with the CCPA?
Any for-profit entity that does business in California or collects data from those in California has requirements under the law if it meets any of the following criteria:
- Your business’ annual revenue is over $25 million.
- Your business receives information on over 50,000 consumers, households, or devices annually.
- At least half of your business’ annual revenue comes from selling personal information.
Does CCPA affect marketers outside of California? If so, how?
The CCPA doesn’t distinguish between brick-and-mortar and online companies, meaning that a company with zero physical footprint or employees located in California could still do business in California and therefore have obligations under the CCPA.
Here are just some of the rights the CCPA grants consumers:
- The right to request a business to disclose what personal data was collected about them
- The right to be provided information on where that information was collected
- The right to be told why their personal data was collected
- The right to understand how their personal data will be used
- The right to know if their personal data was sold to a third party and which third parties it was sold to
- The right to be told upfront, before the data is collected, that their data may be collected and why
Marketers themselves will feel the immediate effects of the CCPA in some ways too:
- Wherever personal information is collected, companies must disclose what information they are collecting and how they will use it.
- Companies must grant consumers the ability to opt-out of having their information sold to third parties, and they must allow consumers to view and delete the information that has been collected about them.
CCPA’s potential ripple effects will go beyond compliance obligations because it takes direct aim at data brokers and targeted adtech solutions. As these business models come under strain, marketers who rely on these services may need to explore alternate avenues for gathering consumer data and delivering targeted, relevant offers.
Marketers use lots of consumer data and technologies that harness it, and if you’re in the U.S., you probably also do business in California.
Data privacy regulations will only continue to expand, and once the dust settles and people start dissecting the impact of these regulations, industry experts are predicting that there will be either new regulations or modifications to CCPA and GDPR to fill the gaps.
This means that assuring compliance will no longer just be a checkbox to be quickly ticked off, but a business requirement for every piece of technology that you use. And there are steep fines and potential PR disasters awaiting those who fail to meet the requirements, just in case you needed some more motivation.
Now, CCPA doesn’t just impact companies and how they handle the data of their customers, but their technology providers as well. In many cases, technology providers and vendors are responsible for handling consumer data for companies, which means that they must not only be compliant but be prepared to walk their customers through the CCPA compliance process when it comes to using an email service provider or other marketing platforms to help engage clients and/or prospects.
You can use platforms like Osano, which is an easy-to-use data privacy platform that instantly helps your website become compliant with laws such as GDPR and CCPA.
What are the primary overlaps between the CCPA and GDPR?
The CCPA is often compared to the GDPR – both laws give individuals the right to access and delete their personal information, require transparency about information use and necessitate contracts between businesses and their service providers.
In some respects, however, the CCPA does not go as far as GDPR.
- CCPA does not require businesses to have a “legal basis” (a justification set forth in GDPR) for the collection and use of personal information.
- CCPA also does not restrict the transfer of personal information outside the US or require that businesses appoint a data protection officer and conduct impact assessments.
- California residents’ right to access personal information is limited to data collected in the past 12 months. CCPA also places fewer obligations on service providers.
CCPA also differs or goes beyond the scope of GDPR:
- CCPA’s definition of personal information specifically includes household information.
- Under GDPR, a business does not necessarily need the individual’s consent to collect and use data, in which case the individual does not have a general opt-out right. But CCPA grants individuals an absolute right to opt-out of the sale of their personal information and obligates businesses to add a “Do Not Sell My Personal Information” link on websites and mobile apps.
- Although both the CCPA and GDPR prescribe provisions that must be included in contracts with service providers, the requirements differ, and GDPR data processing agreements will likely not meet CCPA requirements.
Marketers should be prepared to comply with the law, but also go above and beyond at times to keep the trust granted to them by their clients and prospects. That means:
- Implementing a Data Processing Addendum with active customers that mandates that the provider follow the requirements and standards set forth by your clients for collecting, storing and retrieving data on their behalf
- Ensuring all third-party vendors you utilize for data collection and storage are CCPA compliant
- Implementing processes and mechanisms to allow for data modification or deletion when a customer, or one of your customers, submits a request
- Notifying clients within 72 hours of a data breach
- Offering transparent communication around data access, storage, transmittance, and modification
- Providing regular training to all your employees on CCPA requirements
How can marketers stay ahead of regulatory requirements like CCPA that may appear in other states?
- Hiring law firms with large privacy practices
- Joining coalition groups like
After the California legislature passed CCPA, several major tech companies told federal lawmakers they would like to see one privacy law that covers the whole country.
Legislators have submitted several different bills since then, and the Senate Commerce Committee held a hearing on two competing ones in December.
Several aspects of a federal bill are up for debate, including whether consumers should be able to sue companies directly for violations, and how much authority to give regulators who would enforce the law.
Nevada and Maine have already passed privacy laws, and at least 11 more states considered privacy bills. While they didn’t pass in 2019, advocates have plans to submit more legislation in the coming year.
In addition, five other states have tabled new privacy rules and instead created task forces that will study how to regulate data privacy.
December’s Senate hearing was only the latest of several that have focused on data privacy since the Cambridge Analytica scandal brought Facebook and other tech companies under scrutiny in Congress.
Unless federal lawmakers can move a bill to a vote, state laws will remain the law of the land.
What’s more, there’s a chance that a federal law could supersede state privacy laws, which could mean any higher standards created by CCPA would be unenforceable.
For the time being, however, CCPA is the law to really look out for.