A ripple of fear always reverberates throughout the email industry when new legislation is passed that could limit the distribution of commercial email and the use of data. The California Consumer Privacy Act of 2018 (CCPA) is no different. Originally proposed as a statewide ballot by real estate developer Alastair MacTaggart, the core focus of the CCPA is to provide additional control over consumers’ data and how it can be collected, stored, and used by corporations. At the final hour, the state of California put forth a similar piece of legislation and MacTaggart’s bill was replaced. This legislation passed by unanimous vote in both the state’s House and Senate, and was signed by Governor Jerry Brown on June 28, 2018.
This new legislation brings together several pieces of privacy law previously missing in the United States, but present in other countries. Companies will now need additional transparency regarding how they utilize the personal information of their clients. This includes things like the categories of information collected, its source, its purpose, any third parties accessing it and specific pieces of information the business collected about the consumer. The CCPA will come into effect on January 1, 2020, so businesses requiring time to update their processes and policies will have the next 18 months to identify the changes required to comply with this new law.
Does this all sound familiar? It should, thanks to all the recent news coverage of the General Data Protection Regulation (GDPR), which went into effect in the European Union 30 days prior to this law being passed. It’s even similar to parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
This legislation targets five key concerns when personal information is collected:
While this legislation has several similarities to GDPR, it’s not exactly the same. Here are some important differences:
California is a driving force in the world of digital, and the potential impact of this legislation would cement many ideals of GDPR, the OECD privacy framework, and digital rights for consumers in America. With the fifth largest economy in the world, California gets to carry a big stick and drive changes forward in America.
“Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information”
THE CALIFORNIA CONSUMER PRIVACY ACT OF 2018 – Sec 2 (1)
The CCPA also requires businesses to include an easy-to-find way for consumers to “opt-out” of data-sharing, and a link on a company’s homepage to a page titled “Do Not Sell My Personal Information.” If a consumer navigates there and requests that his or her information be kept private, the business must suspend any selling of that consumer’s information for 12 months and obtain clear consent authorizing the sale of their data in the future (after the year is over).
The CCPA mandates a series of penalties for businesses, starting with referring intentional violations not resolved in a satisfactory time frame to the Attorney General ($7,500 per violation). The legislation also allows for limited class settlements in the case of a data breach, ranging from $100-750 per incident, following a grace period in which the Attorney General could take action first.
What does this mean for digital marketers?
It is time to evaluate your business’s data collection and usage needs, especially if you’re reselling data or buying data from a third party. Consider what you need to disclose, how it should be disclosed, and how to manage consumer requests spurred by CCPA.
Hopefully your GDPR preparations answered many of these questions for you already. For example, during 250ok’s GDPR preparations we built self-service tools into our systems for our clients to manage requests to delete, export, and ignore future tracking of specific individuals. These tools are available in your account, and if you require help accessing or using them, please contact your account manager. These tools should help you manage the requests you could receive under CCPA, so get comfortable with them, as you’ll want to be in compliance here just as much as you want to be GDPR-compliant.
*Editor’s note: This is an opinion and should not be construed or understood as legal advice. Contact your legal representation for guidance on this matter.*