What is the California Consumer Privacy Act?
The California Consumer Privacy Act will be effective January 1st, 2020. The CCPA is similar to the GDPR, so it’s pretty big news.
Like with the GDPR, a business has to disclose what personal information it is collecting and how the information will be used. Companies also have to provide a way for consumers to “opt-out” of information collecting. Furthermore, users now have the right to ask a company to reveal any personal data that the company has on the user, and what the company uses it for. Lastly, consumers now have the right to ask a company to delete any personal data the company has on the individual.
So what is personal information?
CCPA Personal Information Definition
The ACA’s FAQ article on the law explains what personal information means a little bit better than the actual document:
Personal information is defined as any “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This expansive definition goes beyond obvious data (e.g., names, addresses, credit card numbers, social security numbers) to include device geolocation data (e.g., IP addresses), biometric information (e.g., fingerprints, retina scans, height, weight, medical data), or even gender or zip code. It applies to any household, including those of consumers or employees.
The document provides general categories of information that can be considered “personal”:
- Their name, alias, postal address, email address, and similar information
- Commercial information (records of personal property, products or services purchased, etc.)
- Biometric information
- Professional or employment-related information
- Education information that isn’t publicly available
- Inferences made about the consumer based on the data (like that they belong to an interest or behavior category)
- Internet activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement
CCPA Major Components
- The law requires businesses to disclose what personal information they are collecting on any Californian before or during collection, and also why they are collecting it.
- Companies will also have to provide these facts when they are asked by any Californian.
- The company must disclose how it obtained the personal information, what the business purpose of the information is, and which third parties the information is shared with.
- If an individual wants his or her data deleted, the business must comply within 30 days, and will be fined if they don’t.
- Individuals can sue companies in the event of a preventable breach.
- Data aggregators will also have to provide at least two ways to make these requests.
- Websites must have a page where California users can submit these requests, and a link on the home page labeled “Do Not Sell My Personal Information”.
- Companies will also be forbidden from collecting data on Californians under the age of 16 unless they’re authorized to do so.
Who Must Comply With CCPA?
Any business that collects and sells personal information or discloses personal data of Californians for “monetary or similar considerations” and:
- Earns more than $25 million per year.
- Possesses data on more than 50,000 persons.
- Makes more than half of its revenue from the sale of personal data.
What’s the Punishment for Offenders?
Companies must comply with requests within 30 days. If they don’t, there’s a fine of $2,500-$7,500 per violation.
Analysis and Impacts from a Digital Marketing Perspective
First Party Data
The reliability of third-party information like audience categories, in-market segments, and email lists is going to take a hit. The more legislation like the CCPA that passes, the weaker third-party data will become. Collecting first-party data like web engagements, social traffic, and email leads will become more important if laws like this become more widely adopted.
Brands have to step up their collection of first-party data and its packaging. Getting to the nitty-gritty (repurposing observations from social channels, creating email lists based on white paper downloads, and remarketing based on de-identified web engagement data) is already important for approaching audiences from different angles. The weakening of third-party data will make getting your own data more and more important.
We’ll also have to focus more on sponsored content and contextual targeting. If we can’t follow audiences to the water cooler, we’re going to have to make sure we’re waiting there for them. The old craft of combining first-party data with third-party studies and consumer research will play a more active role than it has in recent years.
We’ll also have to finesse our content to suit different purposes better. Leveraging audience feedback and learning what attracts certain users will help produce valuable content that has appeal on each channel.
Playing It Safe
For those who know that they definitely have to make changes to be in compliance with CCPA, here is a checklist from Morgan Lewis. For everyone else, the smart move would be to be as transparent as possible anyway.
Customers are pushing back against data collection. The GDPR and CCPA are just evidence of a larger frustration with modern marketing tactics, and there’s no telling whether a more restrictive federal bill will be passed. The safest thing to do is to increase transparency about any data we collect on consumers, even if it can’t be used to identify someone. Making it easy for past contacts to delete their information or see what information we have on them, by offering information control channels, will put us ahead of the game if more legislation like the CCPA passes. Good brands are founded on trust. If we earn trust by asking for information before we have to, we’re much more likely to be held in high standing by our audiences.