CCPA Summarized

CCPA is a law passed by the California state legislature in 2018. It was amended and clarified throughout 2019, and it went into effect in 2020. The law affects all companies that have a meaningful level of business with California residents, even if the company is not based in California. Penalties for noncompliance could potentially reach 7-8 figures for relatively small, unintentional violations.

Though there are a lot of additional details and exceptions within the law not to be overlooked, CCPA ultimately covers the following consumer rights:

• The right to know what categories of personal information a business and its service providers are collecting. That information includes the consumer's name and email address, but also what they're browsing, where they're located, and what they've purchased. It also includes more sensitive information, such as their protected-class characteristics, stored audio, or inferences drawn from all protected information.
• The right to request the deletion of that personal information. There are a few exemptions, including if the personal information is necessary for the business to maintain the information in order to complete the transaction, ship the product, or provide the service requested by the customer, detect security incidents, protect against malicious acts, etc.
• The right to opt out of the sale or exchange of their personal information with any other party outside of the business and its service providers. Basically, if a company exchanges consumers' personal data with any other company for any reason, the company must give the consumer a clear way to opt-out. There are some exceptions in the law pertaining to service providers.

Why CCPA Is Such a Big Deal

Anyone doing business with customers in California should be aware of this law and understand how both the relevant parties within their organization and the way they manage customer interactions are affected.

CCPA establishes that the California Attorney General can undertake lawsuits that have a $2,500 fine per user, per piece of data, for unintentional violations; that penalty rises to $7,500 for each intentional violation of the law.

The reality is that if marketers don't pay attention and don't ensure their organization and service providers/vendors are up to speed, the brand could get hit with a lawsuit that can end up costing them their job.

What Marketers Need to Do to Comply

At the highest level, marketers need to personally take the responsibility to...

• Understand how personal data at your company is being used to message to and serve your customers.
• Ensure your team has a clear understanding and is trained on the law and compliance process, too.
• Make sure CCPA responsibilities are delegated within your organization as soon as possible, and that they're following a comprehensive checklist to do so.

Within your organization, clarify the following roles:

• Who is responsible for reviewing the proposed regulations in full to understand the specifics of how it impacts your business
• Who is responsible for mapping personal data and gathering notices across all of your systems, internal and vendor
• Who is responsible for making sure those notices are presented to customers via the privacy policy page and "do not sell my info" links placed on the homepages of all websites and on landing pages for mobile apps
• Who is responsible for managing and carrying out consumer rights requests, both online and offline
• Who will train those who might also handle requests or assist consumers in exercising their rights under CCPA

Within your marketing team, be sure to...

• If you're providing discounts or incentives in a way that could be perceived as exchanged for personal information, calculate the monetary value of personal information exchanged for offers or discounts and communicate that information in your privacy policy.
• Understand how the systems (marketing, CRM, CDP, ad platforms, etc.) you're using to send messages will comply.
• Connect with martech vendors and service providers, and legal teams working on vendor contracts, to ensure consistency and a process they will follow for handling the rights requests you receive.

Closing Thoughts

Most of the news and conversation around CCPA has become more talk and less action from those who are affected by these regulations. Don't let confusion get in the way of compliance, because even minor violations could have a huge impact on your business.

Take the time to personally understand and review next steps, define and involve the proper departments within your organization, ensure outside vendors are following best-practices and processes, and arm all parties with the tools they need to successfully comply. It'll be worth it.

CCPA and GDPR Resources on MarketingProfs

• CCPA Is Here, But Not Enough Marketers Are Paying Attention
• 10 Steps Marketers Can Take to Prepare for 'California's GDPR'
• GDPR vs. CCPA: Data Privacy and US Marketers [Infographic]
• CCPA: Questions of Privacy, Compliance, and Enforcement
• What You Need to Know About GDPR and Data Privacy: Lisa Loftis of SAS [Podcast]
• GDPR Is Already Here: A Simple Marketing Guide for Compliance
• What CMOs Need to Know About the Looming General Data Protection Regulation (GDPR)
• A Marketer's Checklist: Are You Ready for GDPR Compliance? [Infographic]
• What Is GDPR, and How Can It Impact Your Business? [Infographic]
• Are You Ready for GDPR? [Infographic]