If you’re even somewhat involved with handling data, you’re probably aware that California Gov. Jerry Brown signed the California Consumer Privacy Act (CCPA) into law on June 28th of last year. Dubbed “Mini GDPR,” the law is focused on giving Californians privacy rights similar to those EU residents have under the GDPR. Since the CCPA doesn’t go into effect until January 2020, your business still has time to adjust its policy accordingly. First, it may be helpful to understand some of the basic points of the CCPA.
What Rights Do Citizens Have Under The CCPA?
Under the CCPA, citizens have the right to:
- know what personal data of theirs is being collected.
- know if their personal data is being disclosed or sold and who is receiving that information.
- say no to any sale or disclosure of their personal information.
- have access to data that has been collected about them.
- receive protection from discrimination in price or service if they choose to exercise their privacy rights.
Companies are also prohibited from selling data on any individual under the age of 16.
Who Does the Legislation Apply To?
- For-profit companies conducting business in the state of California that:
  - have annual revenue of $25 million.
  - control the data of 50,000 or more people or devices annually.
  - collect 50% or more of revenue from selling personal data.
- Businesses that control, are controlled by or have common branding with any business that fits the previous criteria.
*Note that all nonprofits and government entities are exempt from the CCPA.
What Are The Penalties Associated With The CCPA?
Under the CCPA, companies that experience data breaches of consumer data will be held more accountable than they have previously been. It allows the California Attorney General to impose fines of up to $2500 for each violation of the bill and up to $7500 for each intentional violation of privacy. Individuals also reserve the right to sue brands for up to $750 per privacy violation.
What’s Our Take?
While it is important to plan for the CCPA, it is also important to acknowledge that proposed changes to the law are still being debated within the Senate. US marketers are in a fortunate position regarding the CCPA: we were able to see this play out with GDPR just a year ago, and we can take what we learned from last year’s GDPR implementation and apply it to how we navigate the CCPA.
Elizabeth Van Kort, Associate Media Director at True Media, shares her perspective on the CCPA and its impact on agencies.
Last year we saw full sites temporarily taken offline because they had not taken the steps needed to become GDPR compliant. Instead of risking the fines, they thought it best to temporarily take down their sites. Although this was a temporary measure, it certainly affected brands advertising on those sites. As we move closer to 2020, media agencies need to work with their key publications to ensure they are prepared for the CCPA and will not disturb their clients’ direct buys. You certainly wouldn’t want a digital strategy with a tentpole of a January 1st homepage takeover if you weren’t 100% confident that site was fully geared up for CCPA.
Agencies should be working with their clients to ensure that they have the required updates to their website in place to be CCPA compliant. The CCPA is even broader than GDPR in its definition of personal data, and as such, privacy policies will need to be updated to reflect the CCPA structure and opt-out buttons will also need to be added to sites. This will be a good exercise for US brands, as it’s possible a federal framework for data privacy could follow closely on the heels of CCPA. Not to mention, Washington state, New Jersey, and Massachusetts are all considering similar state privacy laws.
Expect the “Unexpected”
If you are an agency with a client whose key season is around the new year, it is crucial to pay extra attention to your 2020 strategy. Do you have a weight loss client? A gym chain, healthy food chain, snow blower manufacturer? If Q1 is a key season for your client, it is key to plan for the unexpected. There may be online targeting audiences that shrink in volume – or are no longer available. There may be sites that temporarily go down. Similar to GDPR, we won’t be able to forecast all implications, so it is important to dedicate additional resources during this timeframe to pivot quickly as needed – ensuring at the end of the day to minimize the impact on the brand’s bottom line.
So What Can My Company Do To Prepare?
If you deal with consumers in Europe, you’ve probably already had to make policy changes that meet most of the criteria of the CCPA. If not, here are a couple of things you can do to prepare:
- Consult your legal team.
  - While we do have a couple of suggestions, ultimately, your legal team will be able to better assess your company’s specific needs.
- Review the consumer data your company collects and understand how that data is used.
- Draft an opt-in policy that informs consumers what personal data is collected and how it is used. Be sure to give them the option to either opt in or opt out of the data collection.
- Create a process for dealing with consumer requests and deleting data.
For more information on the California Consumer Privacy Act, you can read the full initiative here.