The California Consumer Privacy Act shares a common goal with GDPR, but it's not identical. Here's what marketers need to know.
The California Consumer Privacy Act of 2018 is often referred to as America’s GDPR. Although the CCPA has a lot in common with Europe’s General Data Protection Regulation, it’s a mistake to think that compliance with GDPR means your company is all set for when the CCPA goes into effect on January 1, 2020.
Despite the common goals where GDPR and the CCPA overlap, there are unique provisions to each regulation that require special attention and planning from brands. If you’re a marketer at a company that is already GDPR compliant, the good news is that it will make the process of becoming CCPA compliant much smoother.
On the other hand, if your company is one of the nearly 50 percent of companies still lagging behind in GDPR compliance, you have a lot of work ahead of you. Either way, it’s worth understanding the similarities and differences between CCPA and GDPR.
It’s Where the Consumer Is—Not Where Your Company Is
GDPR regulations apply to any company that collects private information from European residents, even if that company doesn’t maintain a physical presence in Europe. Similarly, the CCPA applies to the personal data of any California resident, even when the company collecting that data has no presence in California.
Your data collection practices will be covered by the CCPA if you collect the information of Californian consumers and your company meets one of the following criteria:
- The company’s annual revenue exceeds $25 million.
- The company receives information from more than 50,000 consumers or data sources annually.
- At least half of a company’s annual revenue comes from selling personal information.
All told, roughly half a million companies in the United States will be obligated to meet CCPA regulations.
Some smaller US-based companies with minimal business in the EU have managed to avoid liability under GDPR by refusing web traffic from European IP addresses. But the CCPA will be even tougher for American companies to avoid, in part because California itself ranks as the fifth-largest economy in the world.
CCPA Targets Purchased Data
The scope of GDPR is broad, encompassing all EU resident data that is collected and/or processed, whether the data is sold to other companies or not. This includes first-party data collected through business websites and other data acquisition channels. While the CCPA does include provisions for first-party data (namely disclosure requirements at the point of data collection and the ability to view and delete personal data), its main concern is the sale of personal data, which allows companies to profit off of private user data without offering anything of value back to those users.
The CCPA will affect the market for second- and third-party data, specifically hurting third-party data brokers and platforms for targeted ads. For marketers who depend heavily on second- and third-party data, the CCPA could force a reprioritization of marketing activities. This facet of the CCPA creates a stronger incentive to build channels for first-party data acquisition, ultimately benefiting businesses since this data is more reliable and valuable to your marketing campaigns.
CCPA Is an Opt-Out Framework
GDPR requires affirmative opt-in consent from EU residents for any type of data processing. The CCPA, on the other hand, assumes consent for users 16 years of age and older, but requires businesses to offer an opt-out link on their website to allow consumers to restrict a company from selling their information to a third party.
The CCPA also features more specific provisions to address scenarios affecting how consumers want their information to be handled. Businesses will be required to provide access to all personal data collected in the past 12 months, while distinguishing which information was either transferred or sold. Consumers must also be given the right to opt out of consent if a merger or acquisition “materially alters” how that consumer information is used. This ensures businesses can’t receive consent under one set of conditions, only to change how that data is being managed in the future.
In addition to making sure business websites offer a clear opt-out link, marketers should have a plan for how to receive and fulfill various requests made in relation to these provisions.
Both Regulations Offer Consumers a Right to Data Erasure
Like GDPR, the CCPA features a “right to deletion” provision, which is also informally known as the right to be forgotten. This protection gives consumers a right to request the deletion of their personal information in certain conditions.
Both the CCPA and GDPR allow businesses to refuse the deletion of personal information when that data is required to complete a transaction or to perform a contract. Businesses can also reject a deletion request if they can make an argument that keeping the information serves a purpose that is in the public’s interest.
In general, these grounds for refusing deletion aren’t applicable to many of the marketing-related reasons why businesses would be keeping and using data. The good news is that when it comes to managing these deletion requests, an existing GDPR compliance program can be extended to cover the CCPA’s requirements with only some minor adjustments to how the specific rules are applied.
CCPA Could Bring a Wave of Lawsuits Against Noncompliant Businesses
Once the CCPA goes into effect, businesses could see an uptick in litigation related to consumer data privacy laws. Unlike GDPR, which has a ceiling of four percent of global revenue for regulatory penalties, the CCPA effectively has no limit to the number of fines that can be brought against a company by the California Attorney General, raising the possibility of huge financial implications for companies that ignore CCPA guidelines.
Meanwhile, it’s worth noting that the United States has a much more active regulatory oversight mechanism than the European Union. For that reason, legal experts anticipate the CCPA triggering much more legal action against non-compliant businesses than what has been seen thus far with GDPR.
CCPA vs. GDPR: Similar Goals, Different Legislation
GDPR and CCPA have a lot of overlap, but it’s a mistake to assume that these pieces of legislation cover the exact same issues. Having gone through GDPR compliance will give marketers a leg up on their CCPA compliance efforts, both operationally and in terms of how they adapt their marketing strategy for a new, data-privacy-focused world. Still, there’s work ahead, even for GDPR-compliant marketers, before the CCPA requirements take effect on January 1, 2020.
Published April 1, 2019