How California’s Consumer Privacy Act Affects Marketers
When the European Union’s General Data Protection Regulation (GDPR) was passed and enacted, American ad tech companies at least had the comfort of the Atlantic Ocean separating them from the stringent new consumer protections. That is, until now. The California Consumer Privacy Act of 2018 (CCPA), a bill signed by Governor Jerry Brown on June 28, 2018, is the product of legislators concerned over the growing threats to consumer privacy online. Read on as we detail how the new law will affect marketing efforts in the state moving forward and what it means for the future.
As of January 1, 2020, the bill would, in theory, grant a consumer the right to request a business to disclose the categories and specific pieces of personal information that it collects about them, the categories of sources from which that information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared. The bill would also require a business to make disclosures about the information it gathers and the purposes for which that data is used.
What Is “Personal Information?”
According to Lexology, personal information is broadly defined as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
To Whom Does the Law Apply?
According to CMSWire, businesses that meet the following thresholds are liable for compliance with the state’s new consumer privacy law:
Has annual gross revenues in excess of $25 million
Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices
Derives 50 percent or more of its annual revenues from selling consumers’ personal information
What New Rights Do California Citizens Have?
The intent of the new law is to provide new data protections for Californians, who now have the right to:
Know what personal information is being collected about them.
Know whether their personal information is sold or disclosed and to whom.
Say no to the sale of personal information.
Access their personal information.
The CCPA contains a rather long list of requirements that will likely take organizations some time to fully digest, analyze and apply to their unique services and operations. Some will probably be familiar to companies who have already put in place GDPR compliance processes, especially when it comes to adhering to requests from individuals to access their data and to request deletion. Simply put, if you’ve already solved these challenges in your GDPR compliance efforts, you’re already well on your way to CCPA compliance.
What’s the ultimate lesson for marketers? Be prepared. With other states looking to implement similar legislation, it’s essential that marketers understand the ins and outs of each regulation in the states they operate in and adjust their tactics and strategies to be compliant.