As we rang in the new decade, January 1 also marked the official start of the California Consumer Privacy Act (CCPA). The law is meant to protect consumers' personal information as well as increase the transparency of how the personal data of California residents is being used.

What CCPA is trying to accomplish is somewhat similar to the EU's GDPR regulations, but its differences call for a deeper review and understanding—especially for marketers who depend on processing personal data to effectively acquire and engage customers.

Since 2018, CCPA has been a recurring topic in anticipation of the 2020 deadline. But what's most surprising is that the law, though many have known it's coming, still doesn't seem that big of a deal in the marketing landscape. People don't seem to be paying attention to it as closely as they should.

That may be due, in part, to the lack of straightforward documentation out there for marketers and execs (by that, I mean actionable checklists without all of the legal jargon that makes it hard for nonlawyers to decipher).

Without easy-to-follow guidelines, it's hard to ensure proper CCPA compliance, including the involvement of those, internally and externally, who have a role to play in compliance. So, if you feel behind or lost, or you don't know what to feel about CCPA, this article should help.

CCPA Summarized

CCPA is a law passed by the California state legislature in 2018. It was amended and clarified throughout 2019, and it went into effect in 2020. The law affects all companies that have a meaningful level of business with California residents, even if the company is not based in California. Penalties for noncompliance could potentially reach 7-8 figures for relatively small, unintentional violations.

Though there are a lot of additional details and exceptions within the law not to be overlooked, CCPA ultimately covers the following consumer rights:

  • The right to know what categories of personal information a business and its service providers are collecting. That information includes the consumer's name and email address, but also what they're browsing, where they're located, and what they've purchased. It also includes more sensitive information, such as their protected-class characteristics, stored audio, or inferences drawn from all protected information.
  • The right to request the deletion of that personal information. There are a few exemptions, including if the personal information is necessary for the business to maintain the information in order to complete the transaction, ship the product, or provide the service requested by the customer, detect security incidents, protect against malicious acts, etc.
  • The right to opt out of the sale or exchange of their personal information with any other party outside of the business and its service providers. Basically, if a company exchanges consumers' personal data with any other company for any reason, the company must give the consumer a clear way to opt-out. There are some exceptions in the law pertaining to service providers.

Why CCPA Is Such a Big Deal

Anyone doing business with customers in California should be aware of this law and understand how both the relevant parties within their organization and the way they manage customer interactions are affected.

CCPA establishes that the California Attorney General can undertake lawsuits that have a $2,500 fine per user, per piece of data, for unintentional violations; that penalty rises to $7,500 for each intentional violation of the law.

The reality is that if marketers don't pay attention and don't ensure their organization and service providers/vendors are up to speed, the brand could get hit with a lawsuit that can end up costing them their job.

What Marketers Need to Do to Comply

At the highest level, marketers need to personally take the responsibility to...

  • Understand how personal data at your company is being used to message to and serve your customers.
  • Ensure your team has a clear understanding and is trained on the law and compliance process, too.
  • Make sure CCPA responsibilities are delegated within your organization as soon as possible, and that they're following a comprehensive checklist to do so.

Within your organization, clarify the following roles:

  • Who is responsible for reviewing the proposed regulations in full to understand the specifics of how it impacts your business
  • Who is responsible for mapping personal data and gathering notices across all of your systems, internal and vendor
  • Who is responsible for making sure those notices are presented to customers via the privacy policy page and "do not sell my info" links placed on the homepages of all websites and on landing pages for mobile apps
  • Who is responsible for managing and carrying out consumer rights requests, both online and offline
  • Who will train those who might also handle requests or assist consumers in exercising their rights under CCPA

Within your marketing team, be sure to...

  • If you're providing discounts or incentives in a way that could be perceived as exchanged for personal information, calculate the monetary value of personal information exchanged for offers or discounts and communicate that information in your privacy policy.
  • Understand how the systems (marketing, CRM, CDP, ad platforms, etc.) you're using to send messages will comply.
  • Connect with martech vendors and service providers, and legal teams working on vendor contracts, to ensure consistency and a process they will follow for handling the rights requests you receive.

Closing Thoughts

Most of the news and conversation around CCPA has become more talk and less action from those who are affected by these regulations. Don't let confusion get in the way of compliance, because even minor violations could have a huge impact on your business.

Take the time to personally understand and review next steps, define and involve the proper departments within your organization, ensure outside vendors are following best-practices and processes, and arm all parties with the tools they need to successfully comply. It'll be worth it.

CCPA and GDPR Resources on MarketingProfs

Enter your email address to continue reading

CCPA Is Here, But Not Enough Marketers Are Paying Attention

Don't's free!

Already a member? Sign in now.

Sign in with your preferred account, below.

Did you like this article?
Know someone who would enjoy it too? Share with your friends, free of charge, no sign up required! Simply share this link, and they will get instant access…
  • Copy Link

  • Email

  • Twitter

  • Facebook

  • Pinterest

  • Linkedin


image of Craig Sturgis

Craig Sturgis is the VP of product at SmarterHQ, a personalization platform that helps marketers to power highly personalized cross-channel customer experiences.

Twitter: @craigsturgis

LinkedIn: Craig Sturgis