The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. The bill, AB-375, is similar to the GDPR. But the CCPA places more emphasis on what consumer data is protected and focuses slightly less on security.
However, the CCPA is likely to have a greater impact on businesses in the U.S. than the GDPR. And the window for getting compliant will close quickly.
With that in mind, this is what email marketers need to know about the CCPA.
Who must comply with CCPA regulations?
The CCPA was drafted and passed in less than seven days. Amendments are still being made. So, it’s prudent for any company that does business in California to comply with the new regulations.
But, the bill explicitly applies to businesses that meet one of these three criteria:
- Businesses with gross annual revenue of $25,000,000 or more.
- Businesses that commercially buy, sell or receive the personal information of 50,000 or more consumers annually.
- Businesses that derive 50% or more of annual revenue from selling consumer personal information.
Additionally, it’s important to understand that the CCPA applies based on where the consumer is located. Companies based outside of California, and even outside the United States, must comply with the CCPA if they have any customers in California, even if the business has no physical presence in the state.
The only exceptions are “insurance institutions, agents, and support organizations.” But these organizations must comply with the California Insurance Information and Privacy Protection Act (IIPPA), which is similar to the CCPA.
But, in short, the CCPA has been drafted to ensure that businesses can’t use geography to dodge the regulations.
What does the CCPA do?
The CCPA is still undergoing amendments. But, the core tenets are in place and unlikely to change. Generally speaking, the CCPA consists of three main sections:
Definition of what personal information is protected
The CCPA casts an even broader net than the GDPR. It’s safe to say that any and all information a business collects about customers is subject to CCPA protections. It’s just not worth the time and money to separate data into protected and non-protected categories.
However, the CCPA has a couple of notable expansions to the definition of “personal information”:
- Audio, visual, olfactory, thermal, electronic, and similar information. The most notable addition is “olfactory.” This language is likely to keep the bill relevant as smartphones and other devices get better at collecting behavioral data from physical interactions.
- Inferences drawn from any protected personal information. So, if you use a database of personal data to generate insights that contain no personal information, those inferred insights are also protected under the CCPA, since they were drawn from protected information.
Again, if you think that something may be considered personal information under the CCPA, it most likely is.
New data privacy rights for California consumers
California consumers have much more control over what companies do with their data under the CCPA. The CCPA creates six key data privacy rights:
- Data access. California consumers can request copies of any pieces of personal information a business has collected about them. Businesses must provide the information in a user-friendly format within 45 days.
- Data deletion. Businesses must delete any personal information they have about a consumer on request from the consumer.
- Opt-out of sale. Consumers can opt out of the sale of their personal information.
- “Do not sell” links. Businesses must add a link to their home page titled, “Do Not Sell My Personal Information.” Businesses will also need to update their privacy policies to reflect this option for California consumers.
- Consent for minors. If a minor wishes to consent to having their personal information sold, they must get consent from a parent or guardian.
- Right of action. California residents may sue for damages if they believe their rights have been violated.
The CCPA is clearly set up to give consumers as much control as possible over what companies do with their data and give consumers more options if businesses don’t comply with the regulations.
CCPA violation fines
As with any regulation, there are fines for failing to comply. Although the CCPA’s data security requirements are not as strict as the GDPR’s, it still has a framework for punishing businesses that fail to take adequate security measures.
- The fine for data protection violations is set at $7,500 per violation. The CCPA classifies each customer record as a separate violation. A business has 30 days to comply with CCPA laws once the business has been notified of a violation.
- Fines for unauthorized access range from $100 to $750 per customer record per incident, or the cost of damages to the consumer, whichever is greater.
“Unauthorized access” is personal information that is exposed through any sort of data breach, including “disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.”
Since penalties are assessed on a per-record basis, fines can add up very quickly. So, it’s critical that businesses take quick steps to meet compliance standards.
Why this matters to email marketers
Clearly, email addresses and the associated information are protected under the CCPA. So, there’s going to be an impact on how email marketers do business.
But, on a broader level, this is the first time that an individual state has passed its own privacy legislation. More states will follow.
Additionally, there’s no federal privacy compliance standard. As more states create their own consumer data protection regulations, the list of compliance requirements will grow, and consumer data protection compliance could become a massive undertaking for data-driven marketers.
The good news is that the CCPA is rather stringent. So, it’s unlikely that any new regulations will require significantly more effort to maintain compliance.
How to prepare for the CCPA
If you’re already compliant with the GDPR, you’ve got much of the ground covered. Businesses that are not GDPR compliant have more work to do.
In either case, the most important thing to do right now is to develop a process for handling data access and data deletion requests.
In many businesses, customer data is spread across multiple data storage and processing platforms, which are supplied by multiple vendors. It’s critical that you develop a process for accessing data and removing data from all your data silos, and implement a quality control process to ensure that no data is overlooked.
Ensuring that your customer data is organized and accessible enough to carry out data access and deletion requests is the biggest challenge.
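One way to structure such a process, as an added example that is not from the original article: a small Python request handler over a constructed set of data silos (a hypothetical CRM, an email-sending platform and an analytics store) that exports everything held about a consumer for an access request, removes it for a deletion request, and then re-queries every registered store so that any overlooked record is reported rather than silently missed. The identifier resolution step exists because a silo keyed on an internal customer id rather than an email address is exactly the kind of store a naive email-only deletion overlooks.

```python
from dataclasses import dataclass, field

@dataclass
class DataStore:
    """One silo (constructed stand-in for a vendor system); 'keys' are its per-consumer id fields."""
    name: str
    keys: list[str]
    records: list[dict] = field(default_factory=list)

    def matches(self, rec: dict, ids: set[str]) -> bool:
        return any(str(rec.get(k)) in ids for k in self.keys)
    def matching(self, ids: set[str]) -> list[dict]:
        return [r for r in self.records if self.matches(r, ids)]
    def delete(self, ids: set[str]) -> int:
        keep = [r for r in self.records if not self.matches(r, ids)]
        removed, self.records = len(self.records) - len(keep), keep
        return removed

def resolve_identifiers(stores: list[DataStore], email: str) -> set[str]:
    """Expand the e-mail into every id a silo uses for this consumer (e.g. a CRM customer_id)."""
    ids, grew = {email}, True
    while grew:  # repeat until no store contributes a new identifier
        grew = False
        for s in stores:
            for r in s.matching(ids):
                for k in s.keys:
                    if r.get(k) is not None and str(r[k]) not in ids:
                        ids.add(str(r[k]))
                        grew = True
    return ids

def access_request(stores: list[DataStore], email: str) -> dict[str, list[dict]]:
    """Everything held about the consumer, grouped by store, for the access response."""
    ids = resolve_identifiers(stores, email)
    return {s.name: s.matching(ids) for s in stores}

def deletion_request(stores: list[DataStore], email: str) -> dict[str, dict]:
    """Delete from every store, then re-query all of them; a non-empty 'leftover' is a QC failure."""
    ids = resolve_identifiers(stores, email)
    deleted = {s.name: s.delete(ids) for s in stores}
    leftover = {s.name: len(s.matching(ids)) for s in stores if s.matching(ids)}
    return {"deleted": deleted, "leftover": leftover}

def build_sample_stores() -> list[DataStore]:
    """Constructed sample data: the analytics store knows consumers only by customer_id."""
    return [
        DataStore("crm", ["email", "customer_id"], [{"email": "ann@example.com", "customer_id": "C100"}, {"email": "bob@example.com", "customer_id": "C200"}]),
        DataStore("esp", ["email"], [{"email": "ann@example.com", "list": "newsletter"}]),
        DataStore("analytics", ["customer_id"], [{"customer_id": "C100", "opens": 12}, {"customer_id": "C200", "opens": 3}]),
    ]
```

Only fields that identify a single consumer belong in a store's `keys`; a shared field such as a campaign id would pull other people's records into the request.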
After that, get in touch with your legal team to discuss CCPA compliance and how it will impact your existing privacy policies so that you’re ready to keep doing business in California.
What to do now
We’ll be tracking how the CCPA (and all other privacy legislation) impacts email marketing. Subscribe to stay up to date on privacy legislation compliance with more articles like this one.