Before California's new data privacy legislation goes into effect in 2020, marketers will need to know what it is, how it applies to them, what they need to do to comply, and how it might change their jobs.
California’s recent data privacy law is the latest in an alphabet soup of legislation governing companies’ use of consumer data. Let’s dive in.
The California Consumer Privacy Act of 2018, also known as CCPA or AB-375, is the most comprehensive data privacy legislation passed in the US so far. In a nutshell, it affords consumers protections in terms of how their personal information can be used by for-profit entities.
Why Should Marketers Care About the CCPA?
Marketers will feel the immediate effects of the CCPA in two ways. First, wherever personal information is collected, companies must disclose what information they are collecting and how they will use it. Second, companies must grant consumers the ability to opt out of having their information sold to third parties, and they must allow consumers to view and delete the information that has been collected about them.
That said, the CCPA’s potential ripple effects will go beyond compliance obligations, because it takes direct aim at data brokers and targeted adtech solutions. As these business models come under strain, marketers who rely on these services may need to explore alternate avenues for gathering consumer data and delivering targeted, relevant offers.
Does the CCPA Affect Me?
Your company doesn’t need to be located in California for the CCPA to apply to you—in fact, the International Association for Privacy Professionals estimates that more than half a million US companies will be directly affected.
Any for-profit entity that does business in California has requirements under the law if it meets any of the following criteria:
- Your business’ annual gross revenue exceeds $25 million.
- Your business buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices annually.
- At least half of your business’ annual revenue comes from selling consumers’ personal information.
The CCPA doesn’t distinguish between brick-and-mortar and online companies, meaning that a company with zero physical footprint or employees located in California could still do business in California and therefore have obligations under the CCPA. Exactly how narrowly courts will interpret “doing business” remains to be seen: e-commerce transactions would almost certainly count, but a broader definition might include any kind of digital interaction with a California resident, even if no money is exchanged.
When Does the CCPA Go into Effect?
Technically, the CCPA was enacted when it was signed into law on June 28, 2018. However, its requirements do not become operative until January 1, 2020.
That said, January 1 is not the end of the line. The California Attorney General has until July 1, 2020 to adopt implementing regulations. (Legislation is what the legislative body passes. Regulations are the rules an agency adopts to implement and enforce the law.) Also, the Attorney General cannot bring an enforcement action under the CCPA until either July 1, 2020 or six months after the final regulations are published, whichever comes first.
Marketers will likely need to prepare in two parts—preparing to meet the requirements as set forward in the legislation by January 1, then monitoring changes to regulation and making adjustments as quickly as possible thereafter.
How Did We Get Here?
Marketers in the digital age rely upon consumer data to make (or try to make) relevant offers to the right consumers at the right time. That’s not inherently problematic—consumers’ love of their personalized recommendations on Amazon or their curated playlists on Netflix demonstrates that consumers are happy for companies to know a great deal about them as long as they see how they benefit from it. What is often problematic is how that information is collected and how it is treated once it has been collected.
Almost every move you make online—every website you visit, every search you make, every item you purchase, every form you fill out—is tracked and the resulting data can be aggregated, traded, and sold according to a tacit bargain: your data is the price you pay for access to free services. Because this “bargain” is rarely out in the open, the vast majority of consumer data is collected without the consumer’s knowledge or consent. What’s more, in most cases the consumer has no control over what happens to that data and whose hands it may end up in.
The data privacy movement, of which the CCPA is only one manifestation, is a direct response to this state of affairs. Recent examples of irresponsible data stewardship—high-profile data breaches, the Cambridge Analytica scandal, etc.—have given that movement steam.
Where Did the CCPA Come from?
In 2017, the non-profit group Californians for Consumer Privacy drafted an initiative whose central tenets would become the basis of the CCPA:
- Transparency: Consumers should know what information companies collect about them and what will happen to that information.
- Control: Consumers should be able to stop companies from selling their information without fear of retaliation.
- Accountability: Companies should be held accountable in the event of a data breach.
This initiative would have made it onto the November 2018 statewide ballot had it not been preempted by a legislative solution that replicated the major components of the initiative. The California Consumer Privacy Act passed both houses of the California legislature unanimously and became law on June 28, 2018.
What Do I Need to Know to Comply with the CCPA?
What Rights Do Consumers Have Under the CCPA?
Consumers’ rights under the CCPA fall under three broad buckets:
The right to know. Consumers have the right to know what categories of personal information a company collects about them, the categories of sources it came from, the business purpose for collecting or selling it, and the categories of third parties it is disclosed or sold to. On request, and no more than twice in a 12-month period at no charge, they can also obtain the specific pieces of personal information the company has collected about them over the preceding 12 months.
The right to deletion (often called the right to be forgotten). Consumers must be able to request the deletion of the personal information a company has collected from them. A company that receives a verified request must delete the information from its records and direct its service providers to do the same. The right is not absolute: the CCPA lets a business keep data it needs to complete the transaction the consumer requested, to comply with a legal obligation, or to detect security incidents and protect against malicious, deceptive, fraudulent, or illegal activity, among other exceptions. Security and fraud teams should map which data sets fall under those exceptions before a deletion workflow is built, so that audit logs and fraud signals are not erased along with marketing profiles.
The right to control who has access to their information. Consumers must be able to opt out of the sale of their personal information. Additionally, consumers under the age of 16 must affirmatively opt in before their information can be sold, and for consumers under the age of 13 a parent or guardian must affirmatively authorize the sale. Along the same vein, the CCPA creates a private right of action for data breaches: if a consumer’s nonencrypted or nonredacted personal information (as defined in California’s existing breach-notification law, which is narrower than the CCPA’s general definition) is subject to unauthorized access and exfiltration, theft, or disclosure because the business failed to implement and maintain reasonable security procedures, the consumer can sue for statutory damages without having to prove that the breach caused them harm. Because the right is limited to nonencrypted or nonredacted data, encrypting stored personal information materially reduces this exposure.
What Are My Compliance Obligations Under the CCPA?
Broadly speaking, CCPA compliance has two components: disclosure obligations and information governance.
On the disclosure side, companies must inform consumers, at or before the point of collection and in a privacy policy updated at least every 12 months, of:
- Their rights under the CCPA
- What categories of personal information are being collected
- How that information will be used, including whether it will be shared with or sold to third parties
- What categories of personal information have been disclosed to or sold to third parties within the last 12 months
On the governance side, companies have to put in place mechanisms that allow consumers to exercise their rights to obtain and delete their information, as well as to opt out of the sale of their information. The law requires at least two designated methods for submitting access and deletion requests, including, at a minimum, a toll-free telephone number and, if the company has a website, a web address, and the company must respond within 45 days. Access and deletion requests must be “verifiable consumer requests,” so the company needs a way to confirm that the requester is the consumer (or someone authorized to act for them) before it hands over or erases personal information; an access portal that releases a profile to anyone who supplies an email address is itself a disclosure risk. For opt-outs, the law specifies a “clear and conspicuous link” on the homepage titled “Do Not Sell My Personal Information,” leading to a page that lets consumers opt out, and once a consumer has opted out the company must wait at least 12 months before asking them to authorize sales again.
What Counts as Personal Information Under the CCPA?
The CCPA interprets personal information broadly to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Crucially for marketers, this includes behavioral data from digital interactions between consumers and the brand, as well as any inferences the company draws from that data, such as a consumer’s preferences or buyer persona.
It’s also important to note that personal information does not need to be tied to a person’s name. Data keyed to a cookie ID, device identifier, or IP address is still personal information if it can reasonably be linked to a particular consumer or household, whether or not the company ever learns who that person is.
What Counts as Selling Data Under the CCPA?
Under the CCPA, selling encompasses any exchange of personal information “for monetary or other valuable consideration.” The phrase other valuable consideration leaves room for interpretation. Clearly, no money needs to change hands for data to be sold, but how far that reaches remains to be seen, so marketers should start preparing with a broad definition in mind. The statute does carve out some transfers: a disclosure the consumer directs, a transfer to a service provider for a business purpose under a written contract that bars the provider from retaining, using, or disclosing the data for any other purpose, and the transfer of assets in a merger or bankruptcy. In practice that makes vendor contracts, especially with adtech and analytics providers, part of the compliance surface: a data flow that would otherwise be a sale may fall outside the definition only if the contract actually contains those restrictions.
What Are the Penalties for Noncompliance with the CCPA?
The penalty for each individual violation is up to $2,500, or up to $7,500 if the violation is intentional, assessed in a civil action brought by the Attorney General. Businesses have 30 days to cure alleged violations after being notified of their noncompliance, and penalties attach only if the violation is not cured within that window.
What might be even more costly for businesses is the private right of action for data breaches. A consumer whose nonencrypted or nonredacted personal information is breached because the business failed to implement and maintain reasonable security can recover statutory damages of between $100 and $750 per consumer per incident, or actual damages if they are greater, and these claims can be brought as class actions. Here too the business receives 30 days’ written notice and the chance to cure before a suit for statutory damages can proceed.
What Is the Difference Between the CCPA and GDPR?
The EU’s General Data Protection Regulation (GDPR), which went into effect in May 2018, is similar to the CCPA in that its aim is to give consumers greater control over their data. Marketers who have gone through GDPR compliance will have a leg up on CCPA preparations, but the two are not identical. Two differences will most impact marketers:
First, GDPR is considerably stricter about what data processing is legally permissible. It requires a lawful basis (consent, performance of a contract, a legal obligation, legitimate interests, and so on) before personal data is collected or processed at all, not just before it is resold. Consent is only one of those bases, but where a business relies on it, the consent must be freely given, specific, informed, and unambiguous, which in practice means an affirmative opt-in. In comparison, the CCPA imposes no such precondition on collection; it presumes permission to collect and sell (except for children under the age of 16) and only requires that consumers be able to revoke that permission by opting out of sale.
Second, the CCPA’s disclosure requirements differ from GDPR’s, including notifying consumers of their rights under the CCPA and what categories of information have been shared with or sold to third parties within the last year.
PwC provides a more detailed comparison of the two laws’ requirements.
Legal experts speculate that, although GDPR is the more comprehensive law, the CCPA will be more strictly enforced, because the US generally has more rigorous regulatory oversight than the EU.
Where Do We Go from Here?
California’s data privacy legislation is almost certainly a harbinger of things to come. There is more bipartisan support for a federal data privacy bill than ever before—in part to preempt a patchwork of state-level privacy laws. Marketers would be wise to expect further legislation in the near future.
But focusing only on the changing legislative landscape means missing the forest for the trees. Data privacy regulations are a reflection of consumers’ desire for far greater transparency and control over their personal information. Marketers who follow the letter of data privacy law but not the spirit will always be playing catch-up to changing legislation.
The big picture? Data privacy legislation, and the data privacy movement as a whole, will force marketers to change their relationship with consumer data. The CCPA and other data privacy legislation effectively turn consumer data from a commodity into a privilege that can be revoked.
What Happens If a Lot of Consumers Exercise Their Rights Under the CCPA?
Third-party data will take the hardest hit if enough consumers exercise their data privacy rights. The data broker business model—collecting data at scale and selling it to third parties—is directly threatened by the CCPA. Companies that sell consumer data as a secondary revenue stream might choose to exit the business as it becomes less profitable in a post-CCPA environment. The result will be less third-party data, from fewer sources, at a higher price.
Third-party data already suffers from inaccuracy (in a 2017 Deloitte survey, more than two-thirds of respondents rated the information a commercial data broker had collected about them as between zero and 50 percent correct). Its one real advantage is scale—and if data brokers can no longer reliably deliver that scale due to widespread opt-outs, marketers will find it harder to justify directly purchasing third-party data, even if they’re willing to overlook the growing consumer sentiment against the practice.
But beyond the direct sale of data is an entire ecosystem of digital advertising that will see the effects of the digital privacy movement. Targeted advertising requires large amounts of consumer data—even if that data is not changing hands between the advertising platform and the advertiser. Should consumers delete their data en masse, that targeting will become less effective.
What Does All of This Mean for Marketers?
Tactically speaking, the growing challenges to third- and second-party data give marketers a strong incentive to invest in building up their own first-party data. On a broader level, the growing consumer sentiment that led to the passage of the CCPA means that marketers should be thinking about how they can bring that value exchange between consumer and brand out into the open and rebuild consumer trust.
What might this value exchange look like? Ideally, it is explicit: the brand is open about asking for information, and the consumer is knowingly, actively consenting to that data collection. To make this work, brands have to give consumers a good reason to share that information, both in the moment (through a fun experience or an incentive, like a discount) and over time (through a personalized customer experience based on the information they have collected).
An open value exchange isn’t only good ethics—though at a time when only 56 percent of people trust businesses to “do the right thing,” the value of consumer trust can’t be overstated. Consumer-consented first-party data, or declared data, is also a competitive advantage. Declared data is unique to your business, unlike third-party data that your competitors also have access to. Because it comes directly from the consumer, declared data is much more accurate, preventing wasted marketing spend due to dirty data. And it is also an opportunity to ask the consumer directly about their motivations, intentions, and preferences, which must otherwise be inferred—often erroneously—from other data sources.
There are two ways marketers can approach the CCPA: as an onerous piece of legislation, or as an opportunity to make a needed change. The brands that come out of this data privacy flashpoint with their reputations intact will be those that go beyond the letter of the law and make data transparency a priority.
Published February 7, 2019