A marketer’s guide to the California Consumer Privacy Act
Marketers should focus on the toughest privacy frameworks and try to work toward multi-jurisdictional compliance to demonstrate goodwill toward becoming compliant.
In 1972, California voters amended the California Constitution to include an important principle noticeably absent from both the state constitution and, more or less, the Bill of Rights. The 4th Amendment in the United States Constitution’s Bill of Rights states:
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
Although this amendment never uses the word privacy, and its authors could not have imagined what privacy would mean in a data-driven economy (one that accounted for 6% of GDP in 2016, according to Harvard Business School Professor John Deighton), it nonetheless is the basis for a slew of other laws dealing with data, wiretapping, telephones, data collection and more.
However, in 1972, California voters decided that it was essential to guarantee the right to privacy during the embryonic stage of the digital age as a fundamental human right. As a matter of fact, it is part of the second sentence of the California Constitution that lays out the basic and fundamental human rights bestowed on all California residents:
“All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”
In the decades following this small but important change, California has become the epicenter of the internet, giving birth to companies such as Facebook and Google, and changing the very fabric of our online and offline lives. In 2018, Californians passed the California Consumer Privacy Act (CCPA), a sweeping set of laws to control the collection, storage and sale of California residents’ data. The law is actively being debated and amended in California’s legislature as lawmakers, lobbyists and the private sector home in on amicable language ahead of the start of enforcement on July 1, 2020, or six months after the final regulations are published. If the final regulation is published on January 1, 2020, then enforcement begins on July 1, 2020. It’s important to note that the six-month window is not a grace period; the state can bring enforcement actions involving noncompliance starting January 1, 2020.
Where did the law come from?
Alastair Mactaggart, a real estate developer in California, created the “California Consumer Right to Privacy Act of 2018” ballot initiative. The California legislature passed CCPA as a response to the ballot initiative, in hopes of creating a privacy law that is both strong and adaptive to changing needs. Let’s keep in mind that there are no overarching federal privacy protections in the United States. Data privacy in the United States has been, for many years now, sectoral and largely based on the principle of self-regulation by companies in a particular industry. Federal legislation exists to cover specific privacy uses and concerns, in the form of the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Rule (COPPA) and other sector-specific laws, but the United States has no equivalent to the General Data Protection Regulation (GDPR) or Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), laws that broadly define the limitations and practices associated with data collection, storage, use, transfer, data subject access, sale, breach notification, etc.
Mactaggart hoped to create a law that would enable Californians to have greater transparency into what information was being collected, control to stop the sale of information collected and accountability to force companies to do everything within their power to keep data safe.
Who does this law affect?
The CCPA was designed to regulate larger businesses with a significant interest in the buying and selling of customer data, or businesses likely to have a significant amount of customer data by way of their size. Unlike the GDPR, which regulates all businesses and covers all persons living within the EU even if they are not EU citizens, CCPA is focused on how businesses use and sell customer data. The businesses that must comply with the CCPA include those that:
- Have annual gross revenues exceeding $25 million;
- Annually buy or receive for commercial purposes, or sell or share for commercial purposes, the personal information of 50,000 or more California consumers, households or devices; or
- Derive 50% or more of their annual revenues from selling California consumers’ personal information.
Even if your company does not derive any profit from the selling of California consumer data, you could be liable under CCPA due to the size of your company and its revenue. This means that you too could be subject to hefty penalties associated with non-compliance.
California consumer rights under CCPA
The rights granted to consumers under CCPA are not dissimilar to the transparency provided to EU residents under the GDPR. The right to know the kinds of data a company collects about them, the categories of data collected, the right to prevent or opt out of the sale of that data and the right to be forgotten (or deleted) are all new fundamental protections for California citizens. Collectively, you can think of these rights as a set of transparency principles – consumers want to know not only how their data is collected but also that they can control what happens to it down the line, in the long food chain of data processing, analysis and transfer.
For companies that have invested in complying with the GDPR because they have a significant European audience, or through sheer future proofing, the CCPA doesn’t present a significant hurdle in terms of adoption. California consumers, on the other hand, will have to familiarize themselves with new opt-out mechanisms, types of notices and disclosures that may give them pause. I’d argue that this pause is a good thing – an informed audience that is savvy and educated in the nuances of data collection may become more protective of their data and not surrender it to anyone asking, especially those with fraud on their mind.
Penalties under the CCPA
Since the law isn’t live yet, there are amendments being hammered out in Sacramento through public forums around the penalties, time to cure and the contentious private right of action that would allow consumers to individually sue a company or mount a class action lawsuit following a violation of the law. Currently, the California Attorney General can impose fines between $2,500 and $7,500 per violation depending on different factors, including intentionality. California consumers can file suit under CCPA for failure to maintain reasonable security to safeguard their data under a private right of action – this could make the law’s penalties a costly affair when you consider that California’s population is roughly 39 million people, or 10% of the U.S. population.
This is only the beginning
California is not the only state with privacy legislation. Bills in New York and other states are making their way through legislatures, all with similar yet nuanced provisions, protections and, in many cases, breach notification requirements. That more and more states are taking an active role in protecting their residents’ data is commendable; however, the burden on businesses to comply with 50 different sets of breach notification policies and potentially 50 different privacy laws – not to mention international requirements, data to prove consent, opt-in and verified requests for disclosure – creates a multilayered and complex problem.
One of the principles of good data privacy is data minimization: don’t collect what you don’t need and focus on what you can use rather than vacuuming up as much data as possible. This reduces both your exposure and your customers’ in the event of a breach or other security event. The challenge of a patchwork set of laws governing privacy is that companies will be faced with collecting more data than they need or want in order to comply with the various privacy and breach frameworks. This in effect runs contrary to the spirit of many of these laws. Unfortunately, until there is a universal data privacy law within the United States – one that hopefully mirrors the stringent standards of European law – we will continue to have an evolving challenge on a state-by-state level.
Preparing marketers for the age of privacy
The best advice for marketers is to focus on the toughest privacy frameworks and work back from there, with the understanding that being compliant with GDPR will not make you CCPA compliant or vice versa. The CCPA has no concept of data processor vs. data controller; those roles are specific to GDPR. However, working toward multi-jurisdictional compliance may help in cases of enforcement by demonstrating goodwill toward becoming compliant. Think about this as you plan for CCPA and other privacy laws:
- Conduct an internal review to determine what personal information your business is collecting.
- Determine how personal information is being used, whether it is sold or shared with third parties, and what the purpose of such sharing is.
- Review internal and online privacy policies so that they meet the disclosure requirements once compliance becomes mandatory.
- Delete consumer information you don’t need anymore – apply the principle of data minimization when considering new products and services.
- Ensure your organization can respond to consumer requests for access to or deletion of information related to the sale or disclosure of their personal information.
- Train your staff to understand the concepts and their responsibilities related to the handling of consumer personal information.
- Review the contracts with third parties and service providers to whom your business provides consumer personal information.
- Conduct third-party audits of service providers who have access to your consumer personal information to ensure compliance.
- Prepare procedures and documents on how to handle a data breach and the kind of data you will need to provide to regulators, consumers and employees in such an event.
The net of all this regulation is that data is important, and so too are the rights of consumers to feel secure about how their data is collected and treated by any company they choose to work with. This is the new normal, and at the heart of that normal is the simple fact that we are all stewards of our customers’ data.