As we rang in the new decade, January 1 also marked the official start of the California Consumer Privacy Act (CCPA). The law is meant to protect consumers' personal information as well as increase the transparency of how the personal data of California residents is being used.
What CCPA is trying to accomplish is somewhat similar to the EU's GDPR regulations, but its differences call for a deeper review and understanding—especially for marketers who depend on processing personal data to effectively acquire and engage customers.
Since 2018, CCPA has been a recurring topic in anticipation of the 2020 deadline. But what's most surprising is that the law, though many have known it's coming, still doesn't seem that big of a deal in the marketing landscape. People don't seem to be paying attention to it as closely as they should.
That may be due, in part, to the lack of straightforward documentation out there for marketers and execs (by that, I mean actionable checklists without all of the legal jargon that makes it hard for nonlawyers to decipher).
Without easy-to-follow guidelines, it's hard to ensure proper CCPA compliance, including the involvement of those, internally and externally, who have a role to play in compliance. So, if you feel behind or lost, or you don't know what to feel about CCPA, this article should help.
CCPA is a law passed by the California state legislature in 2018. It was amended and clarified throughout 2019, and it went into effect in 2020. The law affects all companies that have a meaningful level of business with California residents, even if the company is not based in California. Penalties for noncompliance could potentially reach 7-8 figures for relatively small, unintentional violations.
Though there are a lot of additional details and exceptions within the law not to be overlooked, CCPA ultimately covers the following consumer rights:
- The right to know what categories of personal information a business and its service providers are collecting. That information includes the consumer's name and email address, but also what they're browsing, where they're located, and what they've purchased. It also includes more sensitive information, such as their protected-class characteristics, stored audio, or inferences drawn from all protected information.
- The right to request the deletion of that personal information. There are a few exemptions, including when the business needs to maintain the personal information in order to complete the transaction, ship the product, or provide the service requested by the customer, detect security incidents, protect against malicious acts, etc.
- The right to opt out of the sale or exchange of their personal information with any other party outside of the business and its service providers. Basically, if a company exchanges consumers' personal data with any other company for any reason, the company must give the consumer a clear way to opt out. There are some exceptions in the law pertaining to service providers.
Why CCPA Is Such a Big Deal
Anyone doing business with customers in California should be aware of this law and understand how both the relevant parties within their organization and the way they manage customer interactions are affected.
CCPA establishes that the California Attorney General can bring lawsuits that carry a fine of $2,500 per user, per piece of data, for unintentional violations; that penalty rises to $7,500 for each intentional violation of the law.
The reality is that if marketers don't pay attention and don't ensure their organization and service providers/vendors are up to speed, the brand could get hit with a lawsuit that can end up costing them their job.
What Marketers Need to Do to Comply
At the highest level, marketers need to personally take the responsibility to...
- Understand how personal data at your company is being used to message and serve your customers.
- Ensure your team has a clear understanding and is trained on the law and compliance process, too.
- Make sure CCPA responsibilities are delegated within your organization as soon as possible, and that they're following a comprehensive checklist to do so.
Within your organization, clarify the following roles:
- Who is responsible for reviewing the proposed regulations in full to understand the specifics of how they impact your business
- Who is responsible for mapping personal data and gathering notices across all of your systems, internal and vendor
- Who is responsible for managing and carrying out consumer rights requests, both online and offline
- Who will train those who might also handle requests or assist consumers in exercising their rights under CCPA
Within your marketing team, be sure to...
- Understand how the systems (marketing, CRM, CDP, ad platforms, etc.) you're using to send messages will comply.
- Connect with martech vendors and service providers, and legal teams working on vendor contracts, to ensure consistency and a process they will follow for handling the rights requests you receive.
Most of the news and conversation around CCPA has become more talk and less action from those who are affected by these regulations. Don't let confusion get in the way of compliance, because even minor violations could have a huge impact on your business.
Take the time to personally understand and review next steps, define and involve the proper departments within your organization, ensure outside vendors are following best practices and processes, and arm all parties with the tools they need to successfully comply. It'll be worth it.