What Is CCPA and How Does It Affect Me?

28 May 2019 - Sharon Beilis

In recent years the growing savviness of the everyday modern consumer has brought with it an increase in the number of questions regarding how our consumer data is handled by the organizations we share it with.

Following this, and in light of a number of large data breaches worldwide, 2018 saw changes to worldwide privacy and data laws which were centered around how we as Marketers collect, store and process consumers’ personal data.

This shift brought with it the introduction of the GDPR across Europe, as well as amendments to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and changes to Canada’s Anti-Spam Law (CASL). Then came CCPA.

 

What is CCPA?

The CCPA is the California Consumer Privacy Act. It has been designed to significantly strengthen privacy and data for residents of the state of California state and was passed into law on June 28th 2018, due to take effect from January 1st 2020.

For those companies who don’t make the appropriate changes and therefore remain non-compliant, California citizens are able (under CCPA) to bring a civil action against said company for damages between $100 and $750 or higher. Furthermore, the state itself can bring charges against a company directly, in which it can levy $7,500 fine for each alleged violation that isn’t addressed within 30 days. More from our friends at Litmus, here.

 

How does it compare to the GDPR?

Although there are some similarities within the CCPA’s principles in comparison to the GDPR, there are a few very key differences within:

1. The scope

Where the GDPR applies to all organizations, no matter the type, the CCPA applies to only for-profit companies who either;

  1. Have gross revenues in excess of $25 million.
  2. Buy, receive, sell or share personal information of 50,000 or more consumers, households or devices, or;
  3. Derive 50% or more of their annual revenue from selling consumers’ personal data. More information here.
2. The jurisdiction

The CCPA applies to businesses in and outside of California state, with the exclusion of non-profit organizations and local government bodies.

3. Protection

Whereby the GDPR extends to any consumer within the EU, the CCPA extends only to California state residents.

 

How will the CCPA affect the email marketing industry?

Ahead of the CCPA coming into working practice on January 1st 2020, it would be naive to assume that being complaint to the GDPR automatically makes you compliant to these changes too.

Although both laws are well aligned and have each been designed to provide greater consumer transparency around the handling of personal data, there are some key differences which make the CCPA not one to ignore, especially if you’re selling or buying data for any reason.  

 

How to prepare for the CCPA

 

1. Take time to evaluate the data you’re asking for

In the first instance, you should plan time to analyze the data you’re asking for on all forms and at all data collection points, online and offline.

By only asking for data that you have a clear purpose to collect, you demonstrate data care & responsibility to your audience which creates better trust.

Not only will this help to minimize the length of your data capture forms, but it will also limit your own risk by minimizing the extent of your liability.

 

2. Make sure you can and will delete data, when requested

Both the CCPA and the GDPR discuss the notion of a consumer’s ‘right to be forgotten’. For the organizations storing consumer data, this means at any time you may need to delete the data records you hold on a person, at their request.

By ensuring you have the correct processes and systems in place to action these requests in good time, you’ll cover yourself for the new law coming into play, avoiding any confusion around holding data that you shouldn’t be.  

 

3. Stop buying and selling data!

The CCPA brings into play much stricter conditions for any organization operating with purchased personal data, or operating in the remit of buying or selling data itself.

To avoid having to account for these new stipulations, including the upcoming requirement for companies to keep a record of all data sales for 12 months and provide a ‘clear and conspicuous’ link with the call-to-action “Do Not Sell My Personal Information” for consumers to opt-out of the practice, you should focus your marketing operation around no longer buying or selling any personal information, including email addresses or the likes.

Although more time-taking, allowing your lists to grow organically over time will contribute to a much healthier sender reputation and overall better database health.

 

To summarize

The challenge organizations face amidst this movement towards stricter global data practices, is translating the ever changing legal landscape into every day business activities and systems. When done so correctly, you’ll benefit from tighter data and privacy practices internally and greater consumer trust as a whole.  

 

For more insights like this, visit the Ongage blog feed.