CCPA in a nutshell: A Marketer’s Guide to the California Consumer Privacy Act


What Is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act of 2018, also known as CCPA or AB-375, is the most comprehensive data privacy legislation passed in the US so far. In a nutshell, it affords consumers protections in terms of how their personal information can be used by business entities.

On January 1, 2020, companies or organisations that do business in California will be required to comply with the state's strict new privacy legislation. The new regulations are not just for businesses based in California; they apply to all companies that do business in the state.

The intentions of the Act are to provide residents of California the rights to:

· Know what personal data is being collected about them.

· Know whether their personal data is sold or disclosed and to whom.

· Say no to the sale of personal data.

· Access their personal data.

· Request a business to delete any personal information about a consumer collected from that consumer (the right to be forgotten).

· Not be discriminated against for exercising their privacy rights.


How does CCPA define personal information?

CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

An additional caveat covers information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. (Wikipedia, Clarip)

The CCPA does not consider publicly available information to be personal information.

Does the CCPA Affect Me?

Your company doesn’t need to be located in California for the CCPA to apply to you—in fact, the International Association for Privacy Professionals estimates that more than half a million US companies will be directly affected.

Any business that does business in California has requirements under the law if it meets any of the following criteria:

· Your business’ annual revenue is over $25 million.

· Your business receives information of over 50,000 consumers, households, or devices annually.

· At least half of your business’ annual revenue comes from selling personal information.


How does the CCPA compare with the GDPR?

While CCPA is somewhat different in scope from GDPR, it grants consumers comparable rights of controlling and vetoing the use of their data. Both regulations require companies to store data securely, be transparent about the types of personal data collected, and manage consumer requests for deletion of personal data (the "right to be forgotten"), which means being able to delete personal data from all systems throughout your organization. CCPA differs from GDPR in that it requires giving users the ability to opt out, rather than requiring explicit consent prior to collecting personally identifiable information (PII). In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.

PwC provides a more detailed comparison of the two laws’ requirements.


Why Should Marketers Care About the CCPA?

Marketers will feel the immediate effects of the CCPA in two ways. First, wherever personal information is collected, companies must disclose what information they are collecting and how they will use it. Second, companies must grant consumers the ability to opt out of having their information sold to third parties, and they must allow consumers to view and delete the information that has been collected about them.

That said, the CCPA’s potential ripple effects will go beyond compliance obligations, because it takes direct aim at data brokers and targeted adtech solutions. As these business models come under strain, marketers who rely on these services may need to explore alternate avenues for gathering consumer data and delivering targeted, relevant offers.


What Are the Penalties for Noncompliance with the CCPA?

The penalty for each individual violation is $2500 if unintentional and $7500 if intentional. Businesses have 30 days to fix alleged violations after they have been notified of their noncompliance.

What might be even more costly for businesses is the potential for class-action lawsuits in the event of a data breach—between $100 and $750 per incident, or greater if the actual damages exceed $750.


When does the CCPA go into effect?

Technically, the CCPA went into effect when it was signed into law on June 28, 2018. However, the requirements went into effect on January 1, 2020.

That said, January 1 is not the end of the line. The California Attorney General has until July 2, 2020 to publish regulations. (Legislation is what the legislative body passes. Regulations are the standards for enforcing the law.) Also, the Attorney General cannot bring legal action against violators of the CCPA until either July 1, 2020 or six months after the final regulations are published, whichever comes first.

Marketers will likely need to prepare in two parts—preparing to meet the requirements as set forward in the legislation by January 1, then monitoring changes to regulation and making adjustments as quickly as possible thereafter.


How does e-shot ensure you are ready?

Having prepared for the impact of GDPR across Europe, e-shot is already well placed for the introduction of CCPA. Easy-to-create granular opt-in forms and preference centre creation are already part of the platform, along with sophisticated reporting and auditing features to ensure that your data management is optimum. The engagement feature also enables you to quickly identify and re-engage any contacts that are slipping away, giving them ample opportunity to re-engage or opt out as they see fit, which also helps keep your data in good health.

If you would like more information on the benefits of managing your email marketing through e-shot, one of our highly-skilled team will be more than happy to talk to you about how it can help your business.
