This is part 1 of a 2-part series from Chris Arrendale. To view part 2 of this series please see ‘10 Steps for Adjusting to CCPA’.
The most comprehensive consumer data privacy law in the United States, the California Consumer Privacy Act (CCPA), went into effect on January 1, 2020. This law affects any covered business that handles California residents’ personal information, email marketers included, and ignoring it may cost organizations millions of dollars in per-violation penalties. As leaders in compliance and email deliverability, we help our clients avoid this consequence.
Data transparency is good for business
You might see this new wave of data privacy and protection as an incursion on your business processes, but your efforts to comply could end up benefiting your business more than hurting it.
Consumers are tired of data breaches and having their data shared beyond their control. Be trustworthy by being a brand or company that can secure their data.
Create this selling point in your favor: Become known for keeping data safe and secure and being transparent about how you use it. This makes you the consumers’ choice over companies tainted by breaches or shoddy regard for privacy.
Data transparency benefits your marketing program and your company in the long run and makes you a respectable participant in the new world of data transparency, safety, and security.
CCPA background:
For U.S. marketers, CCPA is the first of what’s likely to be a series of strict state laws governing consumer data privacy and transparency, and provisions on storage, security, and access.
California has recognized an individual right to privacy in its state constitution since 1972. The law’s legislative findings note that the Cambridge Analytica scandal, which came to light in March 2018 and revealed the misuse of tens of millions of Facebook users’ data, spurred the move to codify consumer data and privacy rights into state law.
Data covered under CCPA
- Real names or aliases
- Postal addresses
- Account names
- Social Security, driver’s license and passport numbers
- Product or service purchasing, browsing, or consumption records or history
- Biometric information such as fingerprints, imagery of the face, iris, or retina, voice recordings, and gait or keystroke patterns
- Geolocation data
- Professional or employment information
- Private education information
- Metadata or inferences drawn from personal information or behavior
What does CCPA mandate?
CCPA focuses on individual consumer rights and how data is to be shared, stored, and accessed. Under the law, California residents have the following rights:
- Know what personal information businesses collect about them: California residents can learn how companies got their data, how they use it, whether they sell or share it, and who can access their data.
- Say no to selling their information: Any resident can opt out of the sale of their data. For residents under 16 the rule flips to opt-in: a business may not sell their data without affirmative authorization, which a 13- to 15-year-old can give for themselves, while a child under 13 needs a parent’s or guardian’s consent.
- Have companies delete their personal information: Residents have the right to be forgotten. The law allows companies to retain data in some circumstances, such as completing a transaction, detecting security incidents and debugging, research, exercising free speech, or complying with a legal obligation.
- Access their personal information: They can request it via phone, email, or letter.
- Receive equal service and price: Even if they opt out of sharing data or exercise their “right to be forgotten,” companies must treat them the same as other customers. This means companies can’t refuse services, charge more, or provide a different level or quality of service because a customer opts out of sharing or selling their data, or asks to have it all deleted. (The law does allow a business to offer a financial incentive for data collection, provided the incentive is reasonably related to the value of the data and the consumer opts in.)
Who must comply?
For-profit companies doing business in California that meet at least one of the following conditions:
- The business’ annual gross revenue is over $25 million.
- The business annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
- At least half of the business’ annual revenue comes from selling personal information.
So, if a company is based in New York but has customers who are California residents, the law covers those customers. You don’t need to have a physical footprint in the state. (Employee and job-applicant data is a special case: a 2019 amendment, AB 25, exempted it from most CCPA obligations through January 1, 2021, although the notice-at-collection requirement and the data-breach private right of action still apply to it.)
Also, the law applies whether the company paid for the data through buying or renting email lists, paying a data broker (or any other form of data purchase), or acquired it for free.
CCPA amendments being considered
Although the CCPA is settled law, several bills could narrow its focus and define more of the terms in this broad statute.
Here are some potential amendments:
- Expanding the private right of action, which allows individuals––not just government agencies––to sue under the law.
- Expanding the law’s three-day notification requirement after a data breach to 45 days.
- Narrowing the law’s definition of “consumers,” “personal information,” or “agents.”
- Allowing consumers to request removal of their data by calling a toll-free number, sending an email to a dedicated address, or writing to a physical location.
Third-party data in the crosshairs
If you buy or rent lists and use extensive third-party data, the law will impact you more than a marketer who relies only on first-party data (the data you collect yourself).
We already know that list-buying can hurt email marketing programs through lower deliverability, higher spam complaints, and lower open rates. Using out-of-date data creates a major deliverability challenge. Companies could get blocked or kicked off their ESPs because they’re sending to bad lists. Learn more about Deliverability Challenges.
CCPA requires updated privacy policies with feedback loops for responding to consumer data requests. Implementing that now will provide a major advantage.
Transparency is the name of the game. Being transparent with customers and explaining how you collect, share, store, use, and protect data, and how you protect their privacy and confidentiality, will give you a major trust advantage. If you have good database integrity and transparency, you’ll be golden.
Is CCPA the new GDPR or CASL?
Some privacy experts and commentators have compared CCPA to GDPR, the European Union’s General Data Protection Regulation (in force 2018), and CASL, Canada’s Anti-Spam Legislation (in force 2014).
They share some common characteristics:
- They focus on data privacy, security, and consumer rights to know, access, and delete data.
- The laws protect individual residents or citizens no matter where the company handling their data is located. So, companies in other states, in non-EU countries, and outside Canada have to comply with the laws, even if they differ from their own local laws.
- All levy fines for violations, although the CCPA fines are the least punitive per violation. GDPR allows fines of up to 20 million Euro or 4% of annual global turnover (whichever is higher). CCPA allows civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, enforced by the state Attorney General, and gives a business 30 days to cure an alleged violation after being notified. Because each affected consumer can count as a separate violation, those per-violation amounts add up quickly across a large mailing list.
But they differ on some key issues:
- Specifically for email marketers, CCPA doesn’t mandate an explicit opt-in to collect email addresses or other data, but GDPR (for marketing email) and CASL do.
- The scope of companies that must comply with CCPA is narrower than under GDPR and CASL, which apply regardless of a company’s size or revenue.
- CCPA’s private right of action, which allows individuals to sue a company for an alleged violation, is limited to data breaches caused by a failure to implement and maintain reasonable security procedures; in that case consumers can recover statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Violations of the other consumer rights are enforced only by the Attorney General. CASL’s private right of action has been suspended for the time being.
CCPA may pave the way for a federal law
Many of the data privacy and security laws currently on the books or being considered have conflicting provisions, such as the age of consent for using or selling data on minors.
Washington and Massachusetts are just two of the other states that are actively pursuing legislation. Industry leaders, like Apple CEO Tim Cook, have been pushing for a federal data privacy law that would supersede the patchwork of data laws now developing across the U.S.
If you need guidance, feel free to contact Shift Paradigm compliance experts. Although we don’t offer legal advice, we have worked with numerous clients in training and advocacy for years and are very involved in industry privacy and security organizations. We would love to help you be sure you are charting the right course to safeguard your customers’ data and retain their trust and loyalty.