If you’re tired of hearing about GDPR, just wait until you start dealing with CCPA.
The California Consumer Privacy Act is coming… and, marketers beware, it will change everything. If you collect consumer data in California, you need to prepare for a slew of new data management obligations. And, considering that one in eight Americans resides in the Golden State, it’s highly likely the CCPA applies directly to your organization.
Think of it as GDPR for Americans (albeit with some important differences).
Effective January 2020, consumers in California will, for the first time, own the personal data that you collect about them. Although it is theoretically possible to apply CCPA only to California—one data standard for Californians, and one for everyone else—it would be extremely cumbersome and inefficient in practice. More realistically, many companies will find it easier and cheaper to simply apply their California data management policies across the board—for all US customers.
The new law also comes with teeth. To ensure compliance, companies face the prospect of both civil litigation and fines issued by the state attorney general that can potentially add up to millions of dollars in penalties.
All of that has serious implications for a wide range of companies—including technology, services, online media, and many others.
How to Know Whether the Law Applies to You
Although the law applies specifically to residents of California, and only when they happen to be within the boundaries of the state, an estimated half a million companies in the US will be affected, according to the International Association of Privacy Professionals.
Data providers, technology companies, marketing and online media businesses, and many other organizations that collect personal data on Californians will have to comply if they meet any one of the following criteria:
- Earn at least $25 million in revenue
- Buy data about 50,000 households, individuals, or devices
- Earn 50% or more of their annual revenue from consumer personal data
However, a specific exemptions apply, including for healthcare providers and others.
New Obligations for Marketers
Under the CCPA, consumers have new rights pertaining to their personal data. Upon customer demand, you must be prepared to…
- Share what information you collect on them
- Disclose to whom you have sold or shared their information
- Cease the sale of their personal information (“the right to opt out”)
- Delete their personal information
- Provide equal service and/or price even when they invoke their rights
One key difference between CCPA and GDPR is that the California regulation does not explicitly require you to opt in consumers in order to collect their data. If you are a marketer, this is good news because it frees you from the complex (and low-yield) customer opt-in process.
10 Ways for Marketers to Prepare for CCPA
Despite that important difference, organizations that already comply with GDPR will be better prepared for CCPA compliance in January 2020. The California law is general in some respects, but it also includes highly specific requirements in others. (For example, you must operate an 800-number for opting out and also provide an option on your website labeled “Do Not Sell My Personal Information.”)
It took over two years for GDPR to come into effect from the date it was passed into law. Yet, only about 40% of companies were ready for full GDPR compliance only a few months before the law became enforceable. If there is one lesson to be learned, it is to not be caught off guard.
Marketers can prepare for CCPA by following these 10 steps:
- Talk to your legal counsel to get started today.
- Determine whether CCPA applies to you.
- Audit data-collection practices to identify the personal data you collect and where you store it.
- Conduct an infosec audit. Ensure that personal data is either encrypted or redacted.
- Thoroughly study CCPA to understand its specific requirements and your new obligations.
- Review (or define) your policies, roles, and responsibilities for data management.
- Update your privacy policies (again).
- Consider whether and where explicit opt-in requests make sense for your organization.
- Decide whether to proactively communicate your position on CCPA to customers.
- Hire a chief data protection officer.
How Marketing Can Embrace CCPA for Competitive Advantage
Consider whether your organization can apply CCPA for competitive advantage. Does it make sense to proactively communicate your position on CCPA and what customers can expect from you? In a highly competitive market with little obvious product difference, transparency and communication can differentiate your brand. After all, research indicates that, all else being equal, 83% of consumers are likely to choose the more trusted brand.
Regulators and consumers are increasingly focusing on companies’ data management practices. In this new environment, proactive marketing leaders can build customer goodwill, and perhaps build brand loyalty, by putting consumers first. By embracing a “transparent and simple” philosophy, you can take the first step toward successful CCPA readiness.
The preceding represents my best understanding of the California Consumer Privacy Act at the time of this writing. It should not be construed as legal advice. Please refer to the original text of the law and consult a qualified legal counsel for legal advice.