
California Consumer Privacy Act

2019-05-13

Starting in January 2020, marketers and websites will no longer be able to collect consumer data as freely as they once did. Ever since the California Consumer Privacy Act was passed by the US state of California, marketers have been worrying about how the law will change the way they do business.

Consumers, on the other hand, have begun rejoicing.

In this post, we’re taking a deep look into the circumstances and consequences of the California Consumer Privacy Act (CCPA) to understand what we can do to prepare our businesses and consumers for it.

After all, the CCPA is only a herald of privacy laws yet to come.

What Is CCPA?

On June 28, 2018, Assembly Bill No. 375 was signed into law by the governor of California. Commonly known as the California Consumer Privacy Act, it was co-authored by Assembly member Ed Chau and Senator Robert Hertzberg.

The CCPA came as a direct response to the Californians for Consumer Privacy ballot initiative, whose backers demanded stricter privacy laws. The initiative gathered over 600,000 signatures, and it became clear that California lawmakers could no longer ignore the mounting toll of the data breaches we have already seen.

The bill's own preamble grounds the new rights in California's existing privacy protections and breach-disclosure duties:

“The California Constitution grants a right of privacy. Existing law provides for the confidentiality of personal information in various contexts and requires a business or person that suffers a breach of security of computerized data that includes personal information, as defined, to disclose that breach.”

The law takes effect on January 1, 2020, which gives businesses time to get ready.

On the consumer side, the CCPA promises that they will be:

  1. Informed about which personal information an entity is collecting about them
  2. Informed about whether the business collecting the data is selling or disclosing it to third parties
  3. Able to say no to the sale of their personal data
  4. Able to access and review the personal data a business has collected on them and their behaviour
  5. Able to get the same service even if they exercise their privacy rights

The fifth aspect is, in particular, relevant to the post-GDPR application of privacy rights.

Numerous businesses have updated their data privacy statements while retaining the right to deny service to consumers who disagree with the collection and retention of their personal data.

The CCPA applies to a business that meets the first condition below and at least one of the other three:

  1. It is a for-profit entity that does business in California and collects California residents' personal information
  2. Its annual gross revenue is over $25 million
  3. It buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices per year
  4. It earns half or more of its annual revenue from selling consumers' personal information

The bill then goes fairly deep into outlining the practices businesses should implement, including processes such as:

  • Obtaining opt-in consent before selling the personal information of consumers under 16 (given by a parent or guardian for those under 13)
  • The right to say no to the sale of personal information
  • Methods for submitting data access requests
  • Updating privacy policies
  • Not asking a California resident who has opted out to opt back in for the following 12 months

A business that does not comply is exposed to civil penalties from the state Attorney General, for both intentional and unintentional violations, and to private lawsuits seeking statutory damages after certain data breaches.

It is widely believed that this is a bill that first and foremost aims to control the personal data policies of major websites such as Facebook.

However, it’s not only Facebook and major social networks that are going to be affected.

Loyalty programs collect personal data for much the same purpose, so banks, supermarkets and other organizations that run them are subject to CCPA compliance as well.

And according to the LA Times, there are quite a few organizations lobbying for significant changes in the CCPA.

However, major changes to the bill aren’t expected. In fact, experts predict that other states will soon follow suit. Georgia has already started working on data privacy bills, similar to California’s.

And even though they’re similar in nature, showing us the trends we can expect out of data privacy laws worldwide, there are a few differences between the CCPA and the GDPR.

CCPA vs GDPR

According to the Baker Law report, the first aspect where CCPA and GDPR are different is the scope.

The CCPA is narrower: it applies to for-profit businesses that meet thresholds such as annual gross revenue above $25 million. The GDPR, on the other hand, protects all data subjects in the EU and reaches companies outside the EU that offer them goods or services or monitor their behaviour, even if those companies have no EU establishment.

The CCPA also protects California residents only, while the GDPR covers any identified or identifiable natural person in the EU.

Both laws define personal information similarly. The CCPA, however, also counts information that identifies a household or a device, which makes its definition broader in that respect.

A common workaround to privacy laws has been the anonymization of data.

However, both the GDPR and the CCPA set a high bar for what counts as de-identified data. An organization may use and sell such data, but it has to follow the required processes before it can claim that the data cannot be linked back to a person.

The GDPR's and the CCPA's disclosure requirements are similar. Under both, a business that wants to use personal information for a purpose other than the one it disclosed has to notify consumers and, where the use rests on consent, ask for it again.

The GDPR also requires organizations to put in place documented processes for controlling personal data, while the CCPA doesn't. The CCPA does, however, state the penalties a business faces if it fails to uphold the law.

The Main Difference between the GDPR and the CCPA: Opt-Out Rights

The EU law doesn’t explicitly mention the right to opt out of personal data sales, whereas the CCPA does.

Under the CCPA, businesses have to let consumers opt out of the sale of their personal information to third parties. The opt-out must be stated clearly on the homepage of the organization's website, as a "Do Not Sell My Personal Information" link.

And once a consumer says no to the sale of their personal data, the organization mustn't ask them for new authorization for the next 12 months.

The GDPR lets data subjects withdraw consent and requires that withdrawing be as easy as giving it, but it doesn't prescribe a mechanism. In that respect, the California Consumer Privacy Act is much more specific.

Another difference between the two laws is in regulating children data privacy.

The GDPR is stricter: where processing rests on consent, a child under the age of 16 (or a lower age set by the member state, down to 13) needs a parent or guardian's consent, and that covers any processing, not just sales.

The CCPA only regulates the sale of children's data: it requires opt-in consent from consumers under 16, given by a parent or guardian for those under 13.

When it comes to disclosure, portability and access to our personal data, both the GDPR and the CCPA outline how organizations should provide access. Responding to rights requests is also similarly treated in both laws.

The right to be forgotten is also covered by both the GDPR and the CCPA. If we want our data erased (and many people do, to shrink their digital footprint and the fallout of a future breach), both laws set out the conditions we must meet, and the exceptions a business can claim, before our data has to be erased.

The CCPA and the GDPR are substantially different when it comes to the right of rectification of incorrect or incomplete personal data. The GDPR allows consumers to correct their personal data, whereas the CCPA doesn’t.

Another difference can be found in the right to restrict processing, and the right to object to automated decision-making and processing. The GDPR allows data subjects to restrict the processing of personal data under certain requirements. The CCPA doesn’t.

Both the GDPR and the CCPA restrict businesses from discriminating against consumers who exercise their privacy rights. Under the CCPA, however, businesses can offer financial incentives to motivate customers to consent to the collection or sale of their personal data, as long as the incentive is not unjust, unreasonable or coercive.

GDPR and CCPA Penalties

If a business fails to comply with the laws, both bills propose penalties and regulate the judicial treatment of violations.

Both laws allow private action, but the CCPA's private right of action is limited to certain data breaches that result from a failure to implement reasonable security. For those, it sets statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater) and gives the business 30 days after written notice to cure the violation before a suit for statutory damages can proceed.

Under the CCPA, civil penalties enforced by the Attorney General run up to $2,500 per violation, or up to $7,500 per intentional violation.

With the GDPR, the fines are significantly higher: up to €20 million or 4% of annual global turnover, whichever is higher.

All things considered, the scope and the penalties of both laws vary significantly. Regardless, they will continue to prevent marketers and businesses from collecting data as freely as they once had.

How Can Marketing and Development Prepare for the CCPA?

The best news following the CCPA is that the majority of us have already become accustomed to the GDPR. We’ve implemented practices that increased the transparency of our data collection processes.

And because of the root similarities of the two laws, we’ll only need to make small adjustments.

Updating the Privacy Policy for the CCPA

Transparency is one of the most important parts of the CCPA. Consumers don’t so much object to data collection as much as they object to not understanding where their data is going.

We should all review our privacy policy statements and make sure they cover: the categories of personal data we've collected, sold or disclosed to third parties in the last 12 months, how that data is used, and which third parties it's shared with.

The privacy policy should be easily available to consumers.

Consumer Complaints and Exercising Rights

Undoubtedly, consumers are going to exercise their rights. If we want to comply with the CCPA, we should make it easy for them to do so.

This can be as simple as adding contact information to the end of the privacy policy statement and implementing processes that streamline deletion, consent withdrawal or any other data-related action data subjects can take under the CCPA.

If we use third-party data processors, the right data-processing agreements should be in place, and when we receive a deletion request from a consumer we should forward it automatically to every processor that holds their data, and confirm that each one has acted on it.

Ideally, the data processor we've chosen should also offer a customer platform where consumers can see which data we've collected about them, how we use it, and how they can revoke consent if they are not comfortable with it.

This delivers the transparency the California Consumer Privacy Act requires and improves our brand at the same time. Data privacy is the new black: by complying with the law, we won't only avoid fines, we'll also build a brand people trust.
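Two of the CCPA mechanics described above are easy to get wrong in software: the 12-month window in which an opted-out consumer must not be asked to opt back in, and making sure a deletion request actually reaches, and is confirmed by, every processor that holds the consumer's data. The Python below is an added example, not code from the original post or from any vendor platform. The processor names are constructed, the ConsumerRecord and RightsLedger classes are this example's own, and the way the 12-month period is counted (the same calendar day twelve months on, clamped to the end of a shorter month) is an assumption, not something the law spells out.

```python
"""Added example (not from the original post): a minimal CCPA rights-request ledger.

It tracks the 12-month suppression window after an opt-out of sale, and fans a
deletion request out to every downstream processor so completion can be verified
rather than assumed.
"""
import calendar
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Union

SUPPRESSION_MONTHS = 12  # CCPA: no new opt-in request for 12 months after an opt-out

DateLike = Union[date, str]


def as_date(d: DateLike) -> date:
    """Accept either a date or an ISO-8601 string such as '2020-02-29'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to the last day of a shorter month.

    Assumption of this example: an opt-out on 29 Feb 2020 may be re-solicited on
    28 Feb 2021. Counting 365 days instead would be another defensible choice.
    """
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class ConsumerRecord:
    consumer_id: str
    opted_out_on: Optional[date] = None
    deletion_tickets: List[dict] = field(default_factory=list)


class RightsLedger:
    def __init__(self, processors: List[str]):
        # Hypothetical downstream service providers that hold copies of consumer data.
        self.processors = list(processors)
        self.records: Dict[str, ConsumerRecord] = {}

    def _record(self, consumer_id: str) -> ConsumerRecord:
        return self.records.setdefault(consumer_id, ConsumerRecord(consumer_id))

    # --- opt-out of sale ---------------------------------------------------
    def record_opt_out(self, consumer_id: str, when: DateLike) -> None:
        self._record(consumer_id).opted_out_on = as_date(when)

    def may_sell(self, consumer_id: str) -> bool:
        rec = self.records.get(consumer_id)
        return rec is None or rec.opted_out_on is None

    def earliest_opt_in_prompt(self, consumer_id: str) -> Optional[date]:
        """First day on which the business may ask the consumer to opt back in."""
        rec = self.records.get(consumer_id)
        if rec is None or rec.opted_out_on is None:
            return None  # never opted out: nothing to suppress
        return add_months(rec.opted_out_on, SUPPRESSION_MONTHS)

    def may_ask_to_opt_in(self, consumer_id: str, today: DateLike) -> bool:
        earliest = self.earliest_opt_in_prompt(consumer_id)
        return earliest is None or as_date(today) >= earliest

    # --- deletion requests forwarded to processors ---------------------------
    def submit_deletion(self, consumer_id: str, received_on: DateLike) -> List[dict]:
        """Open one ticket per processor. Resubmitting the same request is idempotent."""
        rec = self._record(consumer_id)
        received = as_date(received_on)
        request_id = hashlib.sha256(
            f"{consumer_id}|{received.isoformat()}".encode()
        ).hexdigest()[:16]
        existing = [t for t in rec.deletion_tickets if t["request_id"] == request_id]
        if existing:
            return existing
        tickets = [
            {"request_id": request_id, "processor": p, "consumer_id": consumer_id,
             "received_on": received, "acknowledged": False}
            for p in self.processors
        ]
        rec.deletion_tickets.extend(tickets)
        return tickets

    def acknowledge(self, consumer_id: str, request_id: str, processor: str) -> None:
        """Record that a processor confirmed it has erased the data."""
        for t in self._record(consumer_id).deletion_tickets:
            if t["request_id"] == request_id and t["processor"] == processor:
                t["acknowledged"] = True
                return
        raise KeyError(f"no open ticket for {processor!r} on request {request_id}")

    def deletion_complete(self, consumer_id: str, request_id: str) -> bool:
        """True only once every processor has acknowledged; unknown request -> False."""
        rec = self.records.get(consumer_id)
        tickets = [t for t in rec.deletion_tickets if t["request_id"] == request_id] if rec else []
        return bool(tickets) and all(t["acknowledged"] for t in tickets)


if __name__ == "__main__":
    ledger = RightsLedger(["email-vendor", "analytics-vendor"])  # constructed names
    ledger.record_opt_out("c1", "2020-02-29")
    print("may sell c1:", ledger.may_sell("c1"))                                   # False
    print("may re-ask on 2021-02-27:", ledger.may_ask_to_opt_in("c1", "2021-02-27"))  # False
    print("may re-ask on 2021-02-28:", ledger.may_ask_to_opt_in("c1", "2021-02-28"))  # True
    tickets = ledger.submit_deletion("c1", "2020-03-02")
    for t in tickets:
        ledger.acknowledge("c1", t["request_id"], t["processor"])
    print("deletion complete:", ledger.deletion_complete("c1", tickets[0]["request_id"]))  # True
```

Two design points worth noting. The opt-out record has to outlive the consumer's profile, because the suppression window still applies after a deletion; this example keeps only an identifier and dates for that purpose, and whether that minimal record is itself subject to deletion is a legal question the post does not address. And `deletion_complete` is deliberately false until every processor has acknowledged, so a forwarded-but-unconfirmed request never reads as done.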

Consumers in the Other States

If we only collect information from California residents, the simplest route is to implement the practices site-wide.

However, if we collect information on visitors from other countries and states, we could choose to apply the CCPA practices to California residents only.

Keep in mind that for this to work, we have to be able to reliably tell who is a California resident, and residency is not the same as location: the law covers California residents who are currently elsewhere, so IP geolocation alone is not enough, and a wrongly excluded resident is a compliance failure. Applying the practices to everyone is usually the safer default.

With the trend moving towards data privacy laws in other states and even at the federal level, it's a smart move to implement the CCPA practices broadly, just as we've implemented the GDPR for people in the European Union.


Closing Thoughts


The GDPR and the CCPA are just the beginning.

More and more people and citizen initiatives worldwide are demanding more control over how their data is collected, processed and sold.

And with definitions of PII (personally identifiable information) growing broader by the day, we may soon find ourselves subject to our own country's or state's privacy laws, even if we're not in the EU or in California.

Complying with the CCPA and the GDPR is a way to stay ahead of the curve.

Businesses who want to be competitive in the 21st century can’t only think about profits – they have to think about persons.

And when data handling is implemented properly, with all the transparency people want, it will no longer be an obstacle we collectively have to overcome.

It’ll become another way of making better decisions for the future of our business.