Driven by the continued rise in consumer data breaches and growing privacy concerns, the State of California has passed the California Consumer Privacy Act (CCPA). The law will significantly strengthen privacy in the U.S. when it goes into effect on Jan. 1, 2020.
The law is part of a global trend toward stronger privacy protections and greater data transparency, of which the Canadian Anti-Spam Law (CASL) and the General Data Protection Regulation (GDPR) are a part. However, the CCPA makes little mention of email and doesn’t mention permission at all.
A separate bill still under consideration in California, AB-2546, would address strengthening anti-spam laws and moving California—and in effect the rest of America—off the opt-out marketing permission standard established by CAN-SPAM and putting it more in sync with international anti-spam laws.
The CCPA focuses exclusively on data collection and privacy, and is roughly in line with the provisions of GDPR on those issues. The law explicitly mentions that it’s in response to the misappropriation of Facebook data of at least 87 million people by Cambridge Analytica.
Key Components of CCPA
According to the text of the consumer privacy act, which is also known as AB-375, the law gives Californians the right to:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Say no to the sale of personal information.
- Access their personal information.
- Receive equal service and price, even if they exercise their privacy rights.
Companies that fit the following descriptions have to honor those rights granted to Californians:
- Businesses with annual gross revenues of at least $25 million
- Data brokers and other businesses that buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices
- Businesses that get the majority of their annual revenue from selling consumers’ personal information.
The CCPA gives citizens the right to bring a civil action against companies that violate the law and stipulates that damages will be between $100 and $750—or higher, if more damage can be proven. Plus, the state can bring charges against a company directly, levying a $7,500 fine for each alleged violation that isn’t addressed within 30 days.
How the CCPA Affects Marketers
Like CASL and GDPR, CCPA will affect companies outside of the jurisdiction of the law. That’s because it’s often easier to comply with the higher standard than try to address some of your audience differently.
Nearly 40 million people live in California, which is about 12% of the U.S. population and more people than live in Canada. California’s economy is also outsized, at $2.7 trillion. If California were a country, it would be the fifth largest economy in the world, beating out the U.K.
So California is a marketplace that many brands inside and outside the U.S. just can’t ignore. They will have no choice but to comply with the consumer privacy act. That said, compliance should be relatively easy for brands that are already in compliance with GDPR.
It’s worth pointing out for the record: We are not lawyers and nothing in this post should be considered legal advice. Please consult an attorney to address the individual needs of your business.
With those disclaimers out of the way, we’d like to point out some best practices for data collection that are informed by the consumer privacy act:
- Reconsider whether you want to use third-party data. The CCPA gives consumers the right to know “the categories of sources from which the personal information is collected.” If your company is buying third-party data beyond what is publicly available about your customers or prospects, it will eventually come to light via a CCPA request. If your company would be uncomfortable explaining that to customers, then you might want to halt the practice.
- Reevaluate the data fields on your forms and profiles. The CCPA is part of a clear shift toward data transparency that spurs businesses to make greater use of data that is collected directly from their customers. Is there information that you’re currently getting via third parties that you could ask customers and prospects for directly? Longer forms increase abandonment rates, but smart progressive profiling at the right moments can maximize completion rates.
- Only collect data that you have a clear immediate use for. Data is power, but it’s also increasingly a liability. Limit that liability by being selective about what data you save, particularly when it comes to personally identifiable information (PII).
- Create a mechanism that can delete a consumer’s information, when requested. Both CCPA and the GDPR stipulate that consumers have the right to be forgotten and request that any data your company has on them be deleted. There are some caveats on what data a business can retain for legal, compliance, and business reasons, but a mechanism must exist to quickly delete all other information about a consumer.
- Don’t sell information about your customers or users. If you’re going to sell user information to other companies, the CCPA requires you to keep a record of all sales for 12 months and provide a “clear and conspicuous” link on your website with the call to action “Do Not Sell My Personal Information” so people can opt out of that practice. Selling the data of children 16 years old and younger has even more requirements. Such a button and other permission requests would surely raise privacy and security concerns for would-be customers. Your company can avoid the need for such a button by not selling customer information.
How the CCPA Might Evolve
The consumer privacy act was written and passed very quickly, and many questions have already been brought up about various loopholes and how certain provisions will be enforced. For instance, serious concerns have been raised about the provision that allows a business to “offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.” That provision seems in direct contradiction to the right to equal service and price.
You can expect that the State of California will issue revisions and amendments before the consumer privacy act goes into effect in 2020.
So long as the Republican Party controls the presidency and both houses of Congress, the likelihood of national privacy and anti-spam laws changing is nil. However, if the balance of power is different after the elections in 2020, the CCPA could be a catalyst for national changes.
Learn about Other Laws that Affect Marketers
For more on regulations that affect email marketers in the U.S. and around the world, check out:
- What CAN-SPAM Requires & How that Low Bar Harms U.S. Businesses
- GDPR: What Europe’s New Privacy Law Means for Email Marketers
- 5 Things You Must Know about Email Consent under GDPR
- GDPR Re-permission Campaigns: 6 Tips for Making Them a Success
- CASL Debunked: Everything You Need to Know About Canada’s Anti-Spam Law
- The Ultimate Guide to International Email Law