Impact of CCPA on Marketing and Advertising
America’s dominant consumer privacy act is having a widespread effect on digital marketing and advertising across the nation. Marketers in every sector are working overtime to ensure compliance with the California Consumer Privacy Act (CCPA), which becomes law on January 1, 2020.
At the present time, the CCPA is reported to be the strictest consumer privacy law in the U.S. - and shows no signs of giving up its position any time soon.
With a laser-like focus on citizens’ privacy rights, the CCPA brings strict controls to the way businesses collect, store, and process the personal information of California residents.
The new law applies to all businesses that have annual revenues of $25 million or more, or that purchase, sell, receive, or share 50,000+ California consumer records per year. Additionally, any company that makes more than 50% of its annual revenue from the sale of California residents’ personal data must also comply with the CCPA.
And it doesn’t stop there… The CCPA also applies to companies that share common branding with a business that meets the CCPA criteria, e.g. company name, trademark, or service mark. This has a direct bearing on marketing agencies and payment processing firms. It also means that any business that provides services to an affected company should still become knowledgeable regarding CCPA requirements, even if it doesn’t directly fall within the criteria for compliance.
Increasingly, businesses in all sectors are deploying data management systems, or customer relationship management (CRM) solutions to help increase sales. It is inevitable that the CCPA will have a huge impact on companies’ data processing practices as the new law imposes its requirement for higher levels of data privacy transparency and choice for the consumer.
CCPA compliance represents a paradigm shift in the way the majority of businesses operate and manage information. The law provides significantly greater rights to consumers, as well as stricter compliance requirements for businesses than just about every other state or federal privacy law - notwithstanding New York’s recent claim that the New York Privacy Act (NYPA) is even bolder than the CCPA. Therefore, businesses need to gain a comprehensive understanding of the CCPA in preparation for compliance.
Comply or get fined
The European Union’s General Data Protection Regulation (GDPR) has had a profound effect on businesses across the globe, compelling businesses to demonstrate much greater transparency, and to implement rigorous processes to protect consumers’ personal information. There seems little doubt that California’s privacy law is going in precisely the same direction, which is hardly surprising when you consider that the CCPA’s creation is so obviously influenced by the EU regulation.
It’s no wonder when you look at the fines. The fines for failing to comply with GDPR range from 10 million euros to four percent of the company’s annual global turnover, which could add up to billions for some companies.
A rapidly growing list of companies, including some of the biggest names in the tech industry, have fallen foul of the GDPR. Since the EU law came into effect in May of last year, the Information Commissioner’s Office (ICO) has imposed record-breaking fines for violations of the GDPR and its predecessor, the UK Data Protection Act. These include:
Facebook - £500,000
Equifax - £500,000
Uber - £385,000
Yahoo! UK Services Ltd. - £250,000
British Telecommunications - £77,000
… and that’s just to name a small handful.
So, what can businesses expect to pay for non-compliance with the CCPA?
For starters, any company that is found to be in violation of the CCPA can face a maximum fine of $750 per consumer or violation, e.g. if a business collects personal data from 1,000 California residents without obtaining their positive consent, it can expect to be fined up to $750,000.
Another example is if a business suffers a data breach due to inadequate data security measures, consumers can demand that it be remedied within 30 days. If the issue is not fixed within 30 days the business could be subject to legal action.
Private right of action is limited to violations of data security requirements. Currently, statutory damages for such actions are from $100 to $750 per California consumer, plus incidental or actual damages, whichever is greater.
At the time of writing, a pending amendment to expand the private right of action to include any violation of the CCPA was recently rejected by the California legislature. However, such an expansion could be proposed again at some future date.
Businesses and marketing agencies that promote brands, products, and services to potential customers in California should be highly motivated to update back-office data management systems, review existing privacy notices, update third party contracts, audit marketing lists, and confirm that subscribers have given proper consent.
So far, the CCPA is the best example to be found in the U.S. of an appropriate response to demands for regulated collection and management of consumers’ personal data. Other states are following California’s lead by implementing stricter regulation, with punitive fines being imposed for violations, to protect the personal privacy of consumers.
The challenge of compliance
It’s no secret that the CCPA was rushed through the California legislature in order to avoid a consumer-driven ballot. Consequently, this rapid process resulted in a law that contains a large amount of confusing language and superfluous terms, leaving many details unexplained and open to diverse interpretations.
Accordingly, lawmakers have left the door open for state Attorney General Xavier Becerra to provide further clarification through its rule-making process. Also, there are currently more than 50 amendments pending before the legislature. Therefore, it is highly likely that the CCPA’s definitions, scope, and requirements will be updated before the law comes into effect in January 2020.
The Data Privacy Group recommends…
With the CCPA enactment date looming large, we recommend the following action steps for businesses that serve customers in the state of California:
Conduct an in-depth audit of marketing lists
If you use a marketing agency, you should ensure that your company is specifically named in the Privacy Notice and consent clauses.
Remember - your company could be held liable if your marketing agency is non-compliant. Ask for the source of their lists, as well as details of verifiable opt-ins.
Ensure that the contacts in the list can easily update their contact details and preferences, and also withdraw their consent at any time.
Ensure that the contacts in any marketing list are made fully aware of precisely how you will use their data. You cannot simply change the usage of personal data without proper consent.