Is it GDPR again? No, it’s time for a different privacy law to have its proverbial moment in the sun – the California Consumer Privacy Act of 2018 (CCPA).
As a marketer though, what does this all have to do with you? The truth is that the collection, use and disclosure of personal information has become an actual big deal only in the last few years. Prior to that, it was kind of a wild west. So why should you care about privacy now?
- Privacy laws are no joke as they impose heavy fines for non-compliance. These fines can range from $2,500 per violation (per person whose privacy rights you have violated) to €20,000,000;
- Consumers care about their privacy. In fact, according to a study performed by Pew Research, 79% of Americans are very or somewhat concerned about how companies use the data they collect. Every good marketer knows that it’s smart to listen to their audience.
If you are based in the US or the EU, the following privacy laws affect your work:
- The General Data Protection Regulation (GDPR) introduced the concept of consent, meaning that marketers need to ensure that their email lists are from people who affirmatively want to receive those emails. EU residents can also opt out of direct marketing or ask you to delete their information altogether. Obviously, Privacy Policies changed and privacy concerns started affecting how marketing is done.
- Nevada’s SB 220 went into effect on October 1st, 2019 and has not really had a chance to make an impact yet. However, it requires certain companies to disclose whether they sell the personal information of residents of Nevada and allows such residents to opt out of sales. This new law affects marketers who buy lists.
And now, a new law has been passed, the CCPA, which, as you will see, will affect your work as well.
We know that all of these updates and changes in privacy law can be overwhelming so we put together this article so that you can quickly understand how the CCPA affects your work and what you can do to get compliant. We will discuss:
- What the CCPA is and what it does;
- Who it applies to;
- How the rights that residents of California receive under the CCPA may affect your work; and
- What other privacy changes are on the horizon and what you can do to prepare for them.
As a marketer, your work will change because of the CCPA. Since this law goes into effect on January 1, 2020, it is imperative that you start your preparations now. So let’s get into it!
CCPA: a brief overview
The CCPA has been referred to as the GDPR of the United States, probably because it is the first fully comprehensive privacy law that we have seen in this country (that does not concern financial data, health data or the data of children). However, there are some big differences between CCPA and GDPR, including how the CCPA came about.
The CCPA was first introduced by a real estate developer for the November 2018 ballot. This ballot gained a lot of attention because it put consumers’ privacy rights at the forefront by being one of the most consumer-friendly privacy bills ever introduced. The proposed bill was widely popular amongst consumers and their advocates and thus got the attention of the California state legislature. In the interest of coming to a compromise, the real estate developer agreed to withdraw his ballot if a similar privacy law was passed. The legislature then introduced, amended and passed their version of the CCPA by June 18, 2018. Since that time, the CCPA has been amended a few more times and California’s Attorney General has issued proposed regulations that are supposed to help businesses have a better understanding of how to comply with this complex privacy law.
According to the law itself, the CCPA was passed because:
- The proliferation of personal information has limited the ability of Californians to safeguard their privacy;
- There is an increase in the amount of personal information shared by consumers with businesses. California law has not kept pace with these developments and their privacy implications;
- Many businesses collect sensitive personal information from California consumers;
- The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals;
- In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica. A series of Congressional hearings highlighted that our personal information may be vulnerable to misuse when shared on the Internet. As a result, our desire for privacy controls and transparency in data practices is heightened;
- People desire more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level of transparency of their business practices.
In order to provide Californians with the ability to have more control over their personal information online, the CCPA provides them with the following rights:
- The right to know what personal information is being collected about them;
- The right to know whether their personal information is sold or disclosed and to whom;
- The right to say no to the sale of their personal information;
- The right to access their personal information;
- The right to request that you delete their personal information;
- The right to equal service and price, even if they exercise their privacy rights.
Since the time that it takes to implement full compliance can be extensive, you will obviously first want to make sure that you and your clients need to comply with this law. The CCPA applies to businesses. A “business” is defined as a for-profit legal entity that does business in California and meets one of the following criteria:
- Has annual gross revenues in excess of $25,000,000;
- Annually buys, receives for business commercial purposes, sells or shares the personal information of 50,000 or more Californian consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling the personal information of Californian consumers.
Before you congratulate yourself on being a small business and stop reading though, note that proper management of vendors is a big part of CCPA compliance. This means that if you work with large clients, they may ask you to sign a contract that requires you to be CCPA compliant, even if you do not meet the thresholds above. If your clients act as vendors to large companies, they may be in the same boat as well.
The fines for failing to comply with the CCPA can be steep. Generally, the fines that can be imposed by the Attorney General are $2,500 per violation or $7,500 per intentional violation. “Per violation” means per person whose privacy rights you violated or per website visitor. Even if you have 100 website visitors per month, you can probably see how quickly these fines can add up.
Now that you know what the CCPA is, what rights it affords to Californians and whether it applies to your work, it is time to dive into how it affects your work as a marketer.
How the CCPA affects marketing
As soon as new laws and regulations are released, there is a flurry of activity and concern. Professionals are quite rightly confused and nervous about what this means for their day-to-day work. It is important to know that legislators spoke to industry professionals when amending the CCPA and drafting the regulations. The CCPA does not prohibit marketing; it just makes sure that the rights to privacy are respected when marketing is done. In fact, the law itself specifically includes marketing activities such as counting ad impressions and verifying ad quality as legitimate business uses for personal information. Yes, even though it may be a challenge to change your work to comply with a new privacy law, it can certainly be achieved. There are a few main changes that you as a marketer need to be aware of, and we will walk you through those changes right now.
The following is a non-exhaustive list of purposes that may help you in creating your list:
- Auditing transactions that the consumer has entered into;
- Counting ad impressions to unique visitors;
- Verifying position and quality of ad impressions;
- Auditing compliance;
- Detecting security incidents;
- Protecting against malicious, deceptive, fraudulent, or illegal activity and prosecuting those responsible for those activities;
- Debugging to identify and repair errors;
- Creating new features;
- Short-term transient use;
- Performing services;
- Providing customer service;
- Processing or fulfilling orders or transactions;
- Verifying customer information;
- Processing payments;
- Providing financing;
- Marketing and advertising;
- Undertaking internal research for technological development and demonstration;
- Participation in surveys and contests;
- Enforcing Terms of Service.
- Information submitted by a consumer;
- Social networks;
- Tracking pixels;
- Data resellers.
While a lot of marketers use pixels and cookies to measure the effectiveness of their campaigns, you will now have to disclose these sources of data. Finally, it is important to note that if you purchase personal information from data resellers, you will have to disclose that as well. Note that some consumers do not take kindly to such practices so you may need to re-evaluate where you get data from to avoid any bad press.
- Email marketing vendors;
- Customer management systems;
- Fraud prevention services vendors;
- Parties that need to operate the website;
- Processors of financial transactions;
- Consumer data resellers;
- Social networks;
- Operating systems and platforms;
- Data analytics providers;
- Government or law enforcement entities;
- Internet Service Providers;
- Advertising networks.
As discussed previously, the CCPA provides Californians with certain privacy rights. One of these rights is the ability of the consumer to request that the business delete the personal information that it has about that consumer. What does this new privacy right mean to marketers?
- You will no longer be able to directly market to that consumer. While there are exceptions that a business can use to deny the request to delete, marketing is not one of those exceptions; and
- You will have to be more careful about the frequency of marketing messages that any given consumer receives. If the consumer feels inundated or overwhelmed by the amount of messaging they receive, they can now just ask you to delete their personal information. This would obviously be a big loss so it’s important to keep frequency in mind.
Californian consumers will also have the right to opt-out or say no to the sale of their personal information. If you buy or sell data, this new right will certainly affect you. If you purchase personal information, the list that you buy will become smaller as consumers opt out of these sales. If you sell the personal information that you collect, be prepared for consumers opting out.
The final right that may be of interest to marketers is the right of consumers not to be discriminated against, even if they exercise their privacy rights. This means that you have to ensure that your marketing messaging or offers do not discriminate against consumers who exercise their rights. The following types of actions would generally be seen as discriminatory:
- Denying goods or services to the consumer;
- Charging different prices or rates for goods or services, including through the use of discounts or imposing penalties;
- Providing a different level or quality of goods or services to the consumer;
- Suggesting that the consumer would receive a different price or rate for goods or services or a different level or quality of goods or services.
It is clear that the CCPA affects marketers by increasing the disclosures that need to be made and by providing consumers with new rights with respect to their personal information. This means that transparency will be increased, and practices that consumers may be against will come to light. All of this does not mean that marketing will need to stop entirely. It only means that you should take this time to re-evaluate and determine whether current data practices should continue.
Why the CCPA is not the end
Now that we have discussed the CCPA and you’re feeling some steady ground beneath your feet, let’s talk about the future of marketing and privacy. GDPR, while certainly not perfect, applies to the collection, use and disclosure of the personal information of residents of the European Union and is one set of rules that everyone who deals with that information must follow. While some legislators are working on it, there is currently no overarching federal law in the United States that deals with the use of personal information online (not counting health information, financial information, or the information of children). Instead of waiting for a federal law, many states have decided to take matters into their own hands by proposing and even passing privacy laws that protect persons residing in those states and their privacy. This makes the current privacy landscape very complicated and is causing issues for businesses.
Currently, there are six federal privacy bills that are being considered. Some of these bills would apply to large businesses only while others would apply to any business that collects personal information of consumers online. All of the bills would require companies to make very specific disclosures in their Privacy Policies and would impose heavy fines for failing to do so. Here is the really interesting part, though: while some of these bills would override any state privacy laws, others would not. If a federal law does not override state laws, that means that businesses would have to comply with both the federal and state privacy laws by following the one that’s the strongest or most prohibitive. We’re sure that you can appreciate just how complex that could become. No one is exactly sure whether or when a federal privacy law would be passed but some legislators have stated that the protection of privacy online is their top priority. It seems like we will just have to wait and see what happens at the federal level.