Just 26 days ago, on the first day of 2020, the California Consumer Privacy Act (CCPA) became law, enhancing privacy rights and consumer protection for the residents of California.

For the advocates for the new privacy law, the goal was to have similarly strong legislation to that of the European Union’s General Data Protection Regulation (GDPR). However, the power of corporate influence prevailed, to a certain degree, and California ended up with a somewhat lighter version of the GDPR model.

When the new legislation was hurriedly passed in June 2018 California became the first U.S. state to usher in new data privacy protections for its citizens. At that time, however, many commentators criticized the CCPA as being riddled with drafting errors, practical problems, and constitutional vulnerabilities.

In this article, we take a fresh look at the CCPA and its impact on direct marketing in 2020.

Game Changer

It is widely acknowledged that the CCPA is something of a game-changer for companies around the world that do business in California.

To fully understand what the CCPA means for both consumers and businesses, it is important to first understand how the CCPA protects the privacy of consumers’ personal information and what businesses must do to comply with the law.

Examples of personal information protected by the CPPA:

  • Behavioral profile: Inferences drawn to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

  • Biometric information: An individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, and sleep, health, or exercise data that contain identifying information

  • Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

  • Contact information: Name, alias, email, phone number, address

  • Device information: IP address, Browser, device, screen resolution

  • Financial information: Payment information, bank information

  • Geolocation information: IP address, GPS coordinates

  • Government identifier: SSN, passport number

  • Health insurance information: Group number, subscriber number

  • Internet and electronic activity information: Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web Site, application, or advertisement

  • Medical information: Conditions, symptoms, treatment, diagnoses

  • Non-public education information: School records

  • Professional or employment information

  • Protected class information: Race, color, sex, age (40 and older), religion, national origin, disability, citizenship status, genetic information, sexual orientation, gender identity or gender expression, ancestry, AIDS/HIV, disability: physical or mental, marital status, military or veteran status, political affiliations or activities

The Consumer’s Right To Know

The CCPA provides new protections and rights for consumers who reside in California. As of January 1, 2020, the state’s residents have the right to know:

  1. the categories of personal information is collected about the consumer;

  2. the specific pieces of personal information the business collects about the consumer;

  3. the categories of sources from which their personal information is collected;

  4. the business or commercial purpose for collecting, processing or selling personal information; and

  5. the categories of third parties with whom the business shares personal information.

Armed with these rights, consumers can access the personal data being collected and held about them and decide what happens to their personal data. Consumers can take the following actions:

  • Receive clear, transparent information concerning the specific pieces of personal data a business has collected, the purpose for the collection and/or sale of their personal data, and the categories of third-parties with whom the data has been shared. This right comes under the “transparency” principles of the CCPA and is closely tied to privacy notice requirements.

  • Request access their personal information. Businesses must provide the consumer, upon request, a copy of their personal data in a portable format. Under the CCPA, this information must be provided free of charge either in printed form sent by mail, or electronically. If the data is sent electronically, it should be provided in a portable format, allowing the consumer to transfer the data to another party.

  • Request to know whether their personal information is sold or disclosed to third parties. When a consumer makes this request, businesses are required to provide:

    • the categories of personal data that have been collected and stored;

    • the categories of personal data the organization has sold or disclosed to a third-party; and

    • the categories of third-parties with whom the personal data has been disclosed.

  • Opt-out of the sale of their personal information. This right exemplifies the importance of giving consumers greater control over their personal information. Businesses must provide consumers with a “clear and conspicuous” “Do Not Sell My Personal Information” link conspicuiously placed on their website’s home page. This link must direct consumers to a specific page that enables them to opt-out of the sale of their personal data.

  • Request the deletion of their personal information. When a consumer exercise this right, the businesses is required to erase all personal data pertaining to the consumer within 45 days of receipt of the request. (A further 45-day extension is available.) Additionally, the business must notify any third-party providers to also delete the consumer’s personal data. The CCPA provides certain exceptions to the requirement to honor this right. For example; when an organization is required to retain personal data in order to comply with legal obligations or to complete a transaction with the consumer.

  • Receive equal price and service, irrespective of whether they exercise their privacy rights. Businesses are prohibited from discriminating against consumers because they have exercised any of their data privacy rights. In particular, businesses cannot decline to supply products or services to the consumer or charge different prices for products or services. In addition, businesses cannot impose penalties, provide a different level of quality of products or services, or imply that the consumer will receive a different price for products or services. The CCPA does however allow businesses to offer different levels of products or services if they are equal in the value that is lost by being unable to monetize the consumer’s personal data —although It is not clear how this will be achieved or regulated.

Before a business undertakes to honor a subject access request, it must first ensure that the request is valid, by verifying the identity of the requestor. This can be achieved by verifying a customer ID or by using email verification.

Who does the CCPA apply to?

The law applies to any profit-making organization that does business in California, irrespective of its physical location, that collects personal information about California consumers, and meets at least one of the following criteria:

  • Has an anual gross income of $25 million or more; or

  • has 50,000 or more records of consumers, households or devices; or

  • Earns 50% or more of its annual revenue from the sale of consumers’ personal information.

CCPA Impact on Direct Marketing

For any organization that does business in California and meets the criteria above, there is an immediate impact, as well as long-term issues to be addressed.

It is therefore imperative that organizations with business interests in California are compliant with the CCPA in all aspects of their marketing activities.

The deadline of January 1 , 2020 has now passed. Affected businesses should have made the following organizational and website updates:

  1. Implement a process to obtain parental or guardian consent for minors under 13 years.

  2. Place a “Do Not Sell My Personal Information” link on the home page of the company’s website that directs users to a separate page that allows consumers to opt-out of the sale of their personal information.

  3. Provide consumers with methods for submitting data access requests. For example, a web form, a toll-free telephone number, or a dedicated email address.

  4. Update privacy notices with required information, including a description of the new privacy rights of California residents.

  5. Avoid requesting opt-in consent for 12 months after a California resident opts out.

  6. Create a process for the deletion of a consumer’s personal information when requested. The CCPA stipulates that consumers have the “right to be forgotten” and request that any personal data your company has on them is deleted —including backup copies. As previously stated, there are some exceptions regarding what data a business may retain for legal, compliance, or business reasons. However, a process must b e in place to quickly delete all other information concerning a consumer.

Impact on Mailing Lists and Customer Records

Your customer/prospect database and rented lists are vital to the success of direct mail and email marketing campaigns. If your business has collected and stored names, addresses and email addresses over time from customers and/or prospects you had better be prepared to comply with the law. You will likely feel even more of an impact if you rely on third party lists rented from a data broker. Either way, your marketing team will need to identity all lists that are in use as well as the sources of those records.

Without clear knowledge of your third party list source and the accuracy of the data it can be risky using rented lists of California residents. It is your responsibility to ensure the records on rented or purchased lists meet CCPA qualifications for the use of personal data. Even reputable list brokers can struggle to meet the requirements of privacy laws. So make sure that you discuss the CCPA implications with your broker before renting or purchasing lists.

CCPA regulations covering data used for marketing purposes cannot be ignored.

Make no mistake, the CCPA is already having a big impact on digital marketing. No-one can bury their head in the sand and claim they did not know about the California’s Consumer Privacy Act. Even if your company does not buy or sell personal data, it is vital that you understand how your marketing department collects and processes personal data.

The key questions that must be answered are:

  • What data is collected and stored about your visitors and customers?

  • Which tools are currently used for the collection of data about visitors and customers —including any interactions with third parties?

  • What information is shared/disclosed to third parties? and how are they using this data?

  • What is the specific purpose for sharing/disclosing the personal data collected?

  • What mechanisms are being used to provide access to third parties?

  • Do you have contracts in place covering the sale or disclosure of personal information?
    (You will probably need to updated these contracts to ensure data is only used for the needs specified by the business.


The security of personal data has become one of the most serious issues being faced by today’s connected society. On the one hand technology is making life easier. But on the other it can be argued that there are negative outcomes the could affect us all. If the personal data being collected, processed and sold is not adequately protected —and regulated, incidents of data breaches and data leaks are likely to increase. Personal information is already being stolen and used by criminals, causing pain and suffering to countless victims of cybercrime.

Businesses have a duty of care to comply with the requirements of the CCPA. Pure and simple. California’s new law has been set up to avoid the violation of consumers’ rights —and in so doing, avoid penalties for non-compliance. In order to reap the benefits of the digital economy organizations must embrace California’s bid to protect its citizens.

Like other privacy laws, the CCPA is not perfect. However, we can expect that the State will hone and refine the law with further amendments over time. And while the chances of a federal privacy law remain slim under the present regime, more states will no doubt follow California’s lead by introducing their own new laws to protect the privacy rights of their citizens.

Further reading: Free eBook ‘The CCPA Effect’, More CCPA-related articles

NOTE: This article is provided for informational purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experience data privacy/data protection practitioner as well as legal counsel, when preparing for compliance with data protection and privacy laws.

Contact the author
Peter Borner
Executive Chairman and Chief Trust Officer

As Co-founder, Executive Chairman and Chief Trust Officer of The Data Privacy Group, Peter Borner leverages over 30 years of expertise to drive revenue for organisations by prioritising trust. Peter shapes tailored strategies to help businesses reap the rewards of increased customer loyalty, improved reputation, and, ultimately, higher revenue. His approach provides clients with ongoing peace of mind, solidifying their foundation in the realm of digital trust.

Specialises in: Privacy & Data Governance

Peter Borner
Executive Chairman and Chief Trust Officer

As Co-founder, Executive Chairman and Chief Trust Officer of The Data Privacy Group, Peter Borner leverages over 30 years of expertise to drive revenue for organisations by prioritising trust. Peter shapes tailored strategies to help businesses reap the rewards of increased customer loyalty, improved reputation, and, ultimately, higher revenue. His approach provides clients with ongoing peace of mind, solidifying their foundation in the realm of digital trust.

Specialises in: Privacy & Data Governance

Contact Our Team Today
Your confidential, no obligation discussion awaits.