The most comprehensive consumer data privacy law in the United States – the California Consumer Privacy Act (CCPA) – will go into effect on Jan. 1, 2020.
But marketers in every state, and in other countries as well, must get up to speed now so they understand how the law affects them and whether and how they need to change how they store, protect and share data.
At Trendline Interactive, we’ve been tracking CCPA since 2017, when deliberations began in the California Assembly and Senate. The two houses approved the bill, and outgoing Governor Jerry Brown signed it on June 28, 2018.
CCPA background: For U.S. marketers, CCPA is the first of what’s likely to be a series of strict state laws governing consumer data privacy and transparency, with provisions on storage, security and access.
California has recognized an individual right to privacy since 1972. The law’s introduction notes that the Cambridge Analytica scandal, which came to light in March 2018 and revealed that the personal data of tens of millions of Facebook users had been misused, spurred the move to codify consumer data and privacy rights into state law.
Data covered under CCPA
- Real names or aliases
- Postal addresses
- Account names
- Social Security, driver’s license and passport numbers
- Product or service purchasing, browsing or consumption records or history
- Biometric information such as height, weight, fingerprints or speech
- Geolocation data
- Professional or employment information
- Education information that isn’t public
- Metadata or inferences drawn from personal information or behavior.
What does CCPA mandate?
CCPA focuses on individual consumer rights and how data is to be shared, stored and accessed. Under the law, California residents will have the following rights:
- Know what personal information marketers like you collect about them: how you got it, how you use it, whether you sell or share it and who can access their data.
- Say no to selling their information. Anyone 16 or older can opt out. Businesses can’t sell the personal information of residents under 16 unless they opt in: residents aged 13 to 15 can opt in themselves, and a parent or guardian must affirmatively authorize the sale for children under 13.
- Delete the personal information you have on them, also known as the right to be forgotten. The law allows companies to maintain data in some circumstances, such as transactions, past relationships, research, exercising free speech or complying with other state laws.
- Access their personal information by requesting it via phone, email or letter.
- Receive equal service and price even if they opt out of sharing data or exercise their “right to be forgotten.” This means you can’t refuse services, charge more or otherwise treat customers differently if they opt out of sharing or selling their data or want it all deleted.
Who must comply?
You do, if your company is for-profit and it meets at least one of the following conditions:
- Your business’ annual revenue is over $25 million.
- Your business buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices annually.
- At least half of your business’ annual revenue comes from selling personal information.
So, if your company is based in New York but you have customers or employees who are California residents, they are covered by the law. You don’t need to have a physical footprint in the state.
Also, the law applies whether you paid for the data through buying or renting email lists, paying a data broker or any other form of data purchase or acquired it for free.
10 Steps to Prepare for CCPA
Don’t panic at the prospect of being held accountable for the consumer data you collect, manage, store or share. But, don’t ignore the law, either. It’s the leading edge of the data privacy and transparency movement that is spreading across the United States and might someday lead to federal legislation. (More on that later in this post.)
Here are 10 steps you should take so you’re ready for the law when it goes into effect next January.
- Treat every consumer as if she/he is a California resident.
We hear from many marketers that they don’t have location data on their customers, so they don’t know who’s covered by the law. Our response: Treat all of the people you hold data on as if they’re from California, especially because many other states are passing similar laws.
You probably have more information than you realize, too. Look for information such as when, where and how they opted in, IP addresses, web form locations, and other data that their behavior generates, as well as any preference data showing location.
- Add an opt-in form that can serve up different versions to accommodate local requirements.
For example, your form could ask each subscriber to indicate a country of residence, then present an explicit opt-in request to residents who say they live in EU countries, Canada or other places where data laws require a positive action.
Or, revise your opt-in form to require an explicit opt-in from every subscriber (like an unchecked checkbox that says “Yes, please send me email messages from your company”).
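The server side of that form matters as much as the checkbox: a submission should be refused unless the positive action actually arrived, and the evidence of how, when and from where the subscriber opted in should be stored with the address, because that is what you will be asked to produce later. The following is an added example, not Trendline Interactive’s code or any ESP’s API. The form field names (`email`, `country`, `marketing_opt_in`), the policy version string, the country list and the sample submissions are hypothetical; the form is assumed to render the checkbox unchecked, so the field only appears in the POST body when the user ticks it.

```python
"""Explicit opt-in capture with a consent record.

Added example, not Trendline Interactive's code or a real ESP's API. Field
names, policy version, country list and sample submissions are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Hypothetical list of ISO country codes where a positive action is required
# (the post names EU countries and Canada; a few EU members stand in here).
EXPLICIT_OPT_IN_COUNTRIES = {"CA", "DE", "FR", "IE", "NL"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ConsentError(ValueError):
    """The submission does not carry the consent the policy requires."""


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence of how, when and from where the subscriber opted in."""
    email: str
    country: str
    explicit: bool          # True only if the subscriber ticked the box
    form_id: str
    policy_version: str
    source_ip: str
    recorded_at: str        # ISO-8601, UTC


def consent_required(country: str, explicit_for_all: bool) -> bool:
    """Policy: demand a positive action from everyone, or only where local law does."""
    return explicit_for_all or country in EXPLICIT_OPT_IN_COUNTRIES


def record_opt_in(form: dict, request_meta: dict, *, explicit_for_all: bool = True) -> ConsentRecord:
    """Validate one form submission and return the consent record to store with the address.

    Raises ConsentError when the submission cannot be accepted, so nothing is
    written for a rejected subscriber.
    """
    email = form.get("email", "").strip().lower()
    if not EMAIL_RE.match(email):
        raise ConsentError("missing or malformed email address")
    country = form.get("country", "").strip().upper()
    if len(country) != 2:
        raise ConsentError("country of residence is required")
    # The server only sees the submitted value; a pre-checked or hidden box
    # would also arrive as 'yes', so the form itself must render it unchecked.
    ticked = form.get("marketing_opt_in") == "yes"
    if consent_required(country, explicit_for_all) and not ticked:
        raise ConsentError(f"explicit opt-in required for residents of {country}")
    return ConsentRecord(
        email=email,
        country=country,
        explicit=ticked,
        form_id=request_meta.get("form_id", "unknown"),
        policy_version=request_meta.get("policy_version", "unknown"),
        source_ip=request_meta.get("remote_addr", "unknown"),
        recorded_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
    )


if __name__ == "__main__":
    # Constructed submissions, not real traffic.
    meta = {"form_id": "footer-newsletter", "policy_version": "2019-06", "remote_addr": "198.51.100.23"}
    print(record_opt_in({"email": "Ana@Example.com", "country": "de", "marketing_opt_in": "yes"}, meta))
    try:
        record_opt_in({"email": "bo@example.com", "country": "US"}, meta)
    except ConsentError as err:
        print("rejected:", err)
```

With the default `explicit_for_all=True` the function implements the second option above (a positive action from every subscriber); passing `explicit_for_all=False` implements the first, and the `explicit` flag in the stored record then tells you which subscribers were added on implied consent and would need re-permissioning if the rules tighten.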
- Map your data.
When we work with clients, we look at how they map their data. A marketer might collect data through a WordPress site or an ESP web form; that data flows into a CRM system, which synchronizes it to the ESP or marketing automation program.
We then trace the data onward from the CRM to the billing system. Knowing how information is mapped and where each copy ends up is what lets you honor the law’s “right to be forgotten” in every system, not just the one that received the request.
- Create a Privacy Impact Assessment.
A PIA helps you understand where your data is flowing and how it is mapped. We work with companies, clients and prospects on data mapping and PIAs. They reveal vulnerabilities and compliance gaps with CCPA.
As part of this process, we look at multiple databases, products, and applications, and how they collect, share, sell and grant access to consumer or customer data.
- Review third-party contracts and vendors.
This is an often-overlooked area in data and privacy compliance. Lots of marketers have third-party contracts with vendors to store data in their data centers or share their data for surveys or analytics.
We look at those contracts to see what your vendors are doing with your data. Review all contracts now to see if your third-party vendor is up to date with CCPA’s provisions. That will help you see whether you could be in trouble if you turn your data over to that vendor.
- Create an in-house privacy/compliance roundtable.
The marketing department isn’t the only one that has to comply with CCPA, GDPR, CASL and other data laws. Take the lead in your company and bring reps from Marketing, Sales, Legal, Privacy and IT to the table so everyone can learn about the law, share information and understand how other departments collect, store and share data.
Make each member of the roundtable responsible for one part of the process, such as locking down the database, updating data-collection forms or changing data acquisition processes. Each participant should own specific responsibilities and report back with recommendations for compliance.
- Seek allies in IT to help you get out in front of a data breach.
For many companies today, data breaches aren’t a matter of “if they happen” but “when they happen.” No matter how carefully your company safeguards data, prepare for the worst.
Marketing and IT often have a contentious relationship. But, if a breach happens, your two departments will be the company’s first line of defense in complying with legal notification requirements.
Know how access to your data is monitored. Review log files, watch for breach notices from the third-party systems that hold your data, and be sure everyone on your privacy roundtable knows the procedure and whom to contact if the unthinkable occurs.
- Find out where the information you need is located.
This can be a function you assign to members of your privacy/compliance roundtable. Functions can include tracking down and listing locations and people responsible for policy and procedural manuals and for databases of consumer information, whether they’re on-site or stored in cloud-based systems.
- Prepare for the “right to be forgotten.”
This section of the law allows California residents to request that you delete certain categories of their personal data and requires you to notify residents that they have that right. A similar provision is also a key element of GDPR.
But, as noted earlier, you can retain some personal data that falls into exempt categories. Know what data you are entitled to retain, and how deleting data that is eligible for removal could interfere with your business processes or databases.
Then, create a process to handle these requests.
Adopt a multiple-channel approach. Allow consumers to contact you by phone, in person, via email or through a web form. You’ll need to create a guide in both print and digital formats to explain the law, the consumer’s rights and how to request removal.
Don’t forget your customer-facing teams, either, including your customer-support and in-store personnel. Write and test scripts to handle questions, concerns and complaints.
If you want to be transparent – and, yes, you do want to be transparent – you can use your guides and scripts to explain your procedures and how long it will take to remove the data. Run everything past your legal, compliance, sales and IT reps on your privacy roundtable to make sure everything is accurate.
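The data map from step 3 and the deletion process from this step fit together: the map tells you where each copy of a consumer’s data lives and which copies you may keep, and the request handler walks that map, deletes what it can, records why it kept the rest, and flags any system holding data that nobody put on the map. The following is an added example, not Trendline Interactive’s code or any client’s. The systems (web_form, crm, esp, billing, analytics_export), the field names, the retention basis and the sample records are hypothetical, constructed to illustrate the steps described in this post; it assumes the request has already been verified as coming from the consumer before it is processed.

```python
"""Right-to-be-forgotten processing driven by a data map.

Added example, not Trendline Interactive's code or a client's. Systems, fields,
retention basis and records below are hypothetical and constructed inline.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class MapEntry:
    system: str
    personal_fields: Tuple[str, ...]
    synced_to: Tuple[str, ...] = ()   # downstream systems that receive a copy
    retention_basis: str = ""          # non-empty: the record may be kept (e.g. a completed transaction)


# Hypothetical data map: where personal information enters and where it flows.
DATA_MAP = [
    MapEntry("web_form", ("email", "ip_address", "form_id"), synced_to=("crm",)),
    MapEntry("crm", ("name", "email", "postal_address"), synced_to=("esp", "billing")),
    MapEntry("esp", ("email", "name", "open_history")),
    MapEntry("billing", ("name", "postal_address", "invoices"),
             retention_basis="completed transactions kept for tax records"),
]

# Constructed in-memory stand-ins for the real systems: system -> consumer id -> record.
STORES: Dict[str, Dict[str, dict]] = {
    "web_form": {"c-1001": {"email": "ana@example.com", "ip_address": "203.0.113.7", "form_id": "newsletter"}},
    "crm": {"c-1001": {"name": "Ana Example", "email": "ana@example.com", "postal_address": "1 Main St"}},
    "esp": {"c-1001": {"email": "ana@example.com", "name": "Ana Example", "open_history": ["2019-08-01"]}},
    "billing": {"c-1001": {"name": "Ana Example", "postal_address": "1 Main St", "invoices": ["INV-42"]}},
    # A copy nobody put on the data map: exactly what the mapping exercise should surface.
    "analytics_export": {"c-1001": {"email": "ana@example.com"}},
}


@dataclass(frozen=True)
class Action:
    system: str
    decision: str   # DELETE, RETAIN or REVIEW
    reason: str


def plan_deletion(consumer_id: str, data_map: List[MapEntry], stores: Dict[str, Dict[str, dict]]) -> List[Action]:
    """Decide, per system that holds the consumer, whether to delete, retain or escalate."""
    mapped = {entry.system: entry for entry in data_map}
    plan = []
    for system, records in stores.items():
        if consumer_id not in records:
            continue
        entry = mapped.get(system)
        if entry is None:
            plan.append(Action(system, "REVIEW", "holds data for this consumer but is not on the data map"))
        elif entry.retention_basis:
            plan.append(Action(system, "RETAIN", entry.retention_basis))
        else:
            plan.append(Action(system, "DELETE", "no retention basis; fields: " + ", ".join(entry.personal_fields)))
    return plan


def execute_plan(consumer_id: str, plan: List[Action], stores: Dict[str, Dict[str, dict]], request_id: str) -> List[dict]:
    """Apply the plan and return an audit trail. Only DELETE actions change anything."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    audit = []
    for action in plan:
        if action.decision == "DELETE":
            del stores[action.system][consumer_id]
        audit.append({"request": request_id, "consumer": consumer_id, "system": action.system,
                      "decision": action.decision, "reason": action.reason, "at": stamp})
    return audit


def remaining_locations(consumer_id: str, stores: Dict[str, Dict[str, dict]]) -> List[str]:
    """Post-execution check: which systems still hold the consumer, and do they all have a reason to?"""
    return sorted(system for system, records in stores.items() if consumer_id in records)


if __name__ == "__main__":
    plan = plan_deletion("c-1001", DATA_MAP, STORES)
    for entry in execute_plan("c-1001", plan, STORES, "DSR-2019-0001"):
        print(entry)
    print("still held by:", remaining_locations("c-1001", STORES))
```

The audit trail is what lets your customer-facing teams answer “what happened to my request” and what your legal reps will want if the handling is ever questioned; the REVIEW decision deliberately deletes nothing, because an unmapped copy is a gap in the data map to fix, not something to silently purge or silently keep.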
- Stay tuned for changes, updates and new legislation.
We’re keeping our eyes on CCPA and other laws, including amendments that could change the law’s definitions, requirements and scope. See the next section on potential changes, and sign up for blog updates to get the latest news.
Also, contact us to see how we can help you audit your data gathering and management practices to reduce your exposure to violations. Our experts can create a Privacy Impact Assessment report and assist in an overall gap analysis.
CCPA amendments being considered
Although the CCPA is a done deal, several bills could narrow the focus and define more terms in this broad law.
Here are some potential amendments:
- Expand the private right of action, which allows individuals, not just government agencies, to sue under the law.
- Extend the law’s three-day notification requirement after a data breach to 45 days.
- Narrow the law’s definition of “consumers,” “personal information” or “agents.”
- Allow consumers to request removal of their data by calling a toll-free number, sending an email to a dedicated address or writing to a physical location.
We’ll stay on top of the changes and update you periodically on what you need to know to stay on the right side of the law.
Third-party data in the crosshairs
If you buy or rent lists and use extensive third-party data, the law will hit you harder than a marketer who relies only on first-party data (the data you collect yourself).
We already know that list-buying can hurt your email marketing program through lower deliverability, higher spam complaints and lower open rates. Using out-of-date data can create a major deliverability challenge. You could get blocked or kicked off your ESP because you’re sending to bad lists. Learn more about Deliverability Challenges.
Transparency is the name of the game. Being transparent with your customers, explaining how you collect, share, store, use and protect data and how you protect their privacy and confidentiality will give you a major trust advantage. If you have good database integrity and transparency, you’ll be golden.
Is CCPA the new GDPR or CASL?
Some privacy experts and commentators have compared CCPA to GDPR, the European Union’s General Data Protection Regulation (2018), and Canada’s Anti-Spam Legislation (CASL, 2014).
They share some common characteristics:
- They focus on data privacy, security, and consumer rights to know, access and delete data.
- The laws protect their residents regardless of where the business handling the data is located. So, companies in other states, in non-EU countries and outside Canada have to comply, even where these laws differ from their own local laws.
- All levy fines for violations, although the CCPA fines are the least punitive. GDPR allows fines of up to 20 million Euro or 4% of annual global turnover (whichever is higher). CCPA provides for civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, and gives a business 30 days to cure a violation after being notified of it.
But they differ on some key issues:
- Specifically for email marketers, CCPA doesn’t mandate an explicit opt-in to collect email addresses or other data, as GDPR and CASL do.
- The scope of companies that must comply with the law is narrower than under GDPR and CASL.
- CCPA’s private right of action, which allows individuals to sue a company directly, is limited to certain data breaches; other violations are enforced by the state Attorney General. CASL’s private right of action has been suspended for the time being.
CCPA may pave the way for a federal law
Many of the data privacy and security laws on the books now or being considered have conflicting provisions, such as the age of consent for using or selling data on minors.
Washington and Massachusetts are just two of the other states that are actively pursuing legislation. Industry leaders like Apple CEO Tim Cook have been pushing for a federal data privacy law that would supersede the patchwork of data laws now developing across the U.S.
Wrapping up: Data transparency is good for business
You might see this new wave of data privacy and protection as an incursion on your business processes, but your efforts to comply could end up benefiting your business more than hurting it.
Consumers are tired of data breaches and having their data shared far and wide beyond their control. Being a brand or company that can secure their data will make you more trustworthy.
Becoming known for keeping data safe and secure and being transparent about how you use it can become a selling point in your favor. It can make you the consumers’ choice over companies tainted by breaches or shoddy regard for privacy.
That will benefit your marketing program and your company in the long run and make it a viable participant in the new world of data transparency, safety and security.