Disclaimer: This blog post is not legal advice for your company to use in complying with U.S. data privacy laws like CCPA. Instead, it provides background information to help you better understand CCPA. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.
In a nutshell, you may not rely on this as legal advice, or as a recommendation of any particular legal understanding.
Nowadays, marketers rely on the information they receive from consumers to make decisions on what type of content their audience prefers to receive, and in what form.
There isn't anything inherently wrong with using information to create a better, more personalized marketing strategy.
In fact, when done well, it can largely benefit the consumer -- for instance, when I'm scrolling through Instagram, I like to see content from some of my favorite brands, like HelloFresh. By staying up-to-date on their products and offerings, I'm able to make better purchasing decisions.
However, marketers get into murky (or even illegal) territory when they misuse the information their consumers have provided. If a consumer fills out a form on your website, for instance, she's letting your company have access to that information -- she's not agreeing to have you sell her data to an ad targeting company.
In 2017, we covered What is the GDPR? And What Does it Mean for the Marketing Industry? Here, let's dive into what The California Consumer Privacy Act (CCPA) means for you as a marketer, and how it differs from GDPR.
California's Data Privacy Law
California's data privacy law, known as The California Consumer Privacy Act, was approved in 2018 but goes into effect on January 1, 2020. Simply put, the law affords consumers protection in terms of how their information can be used by for-profit entities that do business in the state of California. The businesses affected by the CCPA must have more than $25 million in revenue, receive information of over 50,000 consumers, or derive 50% or more of its revenue from selling consumers' personal information.
CCPA Requirements
As mentioned above, the California Consumer Privacy Act was approved by California's State Governor back in 2018, but won't go into effect until January 1, 2020.
Ultimately, the law applies to any companies that conduct business in the state of California, and have one of the following criteria:
- Has revenue of $25 million or higher
- Receives information of over 50,000 consumers, households, or devices annually
- Derives 50% or more of its annual revenue from selling consumers' personal information
It's important to note -- the law stretches beyond businesses that have physical brick-and-mortar shops in California. That means if you're a marketer for an ecommerce business that collects data on residents living in California, you'll still be affected by the law.
What the CCPA Means for Marketers
Now, you might be thinking -- okay, but I'm not the CEO of my business, I'm a marketer. What does this law mean for me?
If the CCPA applies to your business, this means whenever you collect your consumers' personal information -- whether it be for a social media campaign, email survey, or something else -- you'll need to disclose what information you're collecting, and how you'll be using your consumers' personal information.
Additionally, you need to give your consumers the right to opt-out of having their information sold to third-parties, and you need to let consumers view and delete the information you've collected about them.
GDPR vs. CCPA
The GDPR is an EU regulation that enhances the protection of personal data of EU citizens and applies to all companies that control or process data of EU citizens. The CCPA is less comprehensive than the GDPR, but is a step in the right direction for California to similarly protect its own state citizens' data privacy.
There are a few additional differences between GDPR and CCPA that are worth noting.
One main difference is, GDPR focuses on data related to the EU consumer, while the CCPA considers data related to both the CA consumer and the household. Additionally, the CCPA only considers data provided by the consumer, as opposed to data sourced from third-parties.
Additionally, there are differences in penalties -- GDPR's penalty for companies that violate their regulation is up to $20 million or 4% worldwide turnover, whichever is greater.
In comparison, CCPA's penalty is up to $2,500 per violation or $7,500 per intentional violation, plus an additional $100-$750 per incident to the affected individuals.
There's also a difference in the type and scope of data collected. GDPR applies to all data collected about EU citizens. The CCPA, on the other hand, applies only to data collected directly from, and about, California consumers.
If you're unsure whether the CCPA will affect your business, you're not alone -- a recent ESET survey found 44% of respondents had never heard of the CCPA, only 11.8% didn't know if the law applied to them, and 34% of executives weren't sure if they'd need to change how they capture and process data to comply with the law.
Fortunately, if you're a marketer who's already done the work to ensure you comply with GDPR regulations, it shouldn't be too difficult to additionally comply with CCPA. For more information, check out our web page designed to help you prepare for the CCPA.