The California Consumer Privacy Act has been in the pipeline for years now. After a lengthy drafting process, the act came into force in January 2020, and enforcement of it was expected to begin in July 2020.
Given the panic caused by the Covid-19 pandemic, some businesses have recently argued that this data should be delayed, but at the moment California Attorney General Xavier Becerra has shown no signs of changing this date.
What this means is that July 1st, 2020 remains the first day on which the CCPA will be enforced. Companies working with personal information will, therefore, need to ensure that they are CCPA compliant within the next few months, even whilst dealing with a global pandemic.
In this article, we’ll take a look at the CCPA overview, CCPA advertising, and explain the principles that the act is based on. We’ll also show you the consequences of the act for our biggest focus here at LeadsBridge – how to generate and manage Facebook leads, lead generation via Google, and generally ensuring that you achieve the best marketing performance whilst still securing the privacy of your customers.
What is the CCPA?
At the most fundamental level, and as the official CCPA website explains, the CCPA has been designed to protect the privacy and the personal data of individuals who live in the state of California.
At the moment, the act is primarily focused on data collected on the citizens of California via websites and other online data acquisition and analysis tools, but it will also have a huge impact on the privacy of smart home tech and a number of related areas.
The act contains three basic protections for the citizens of California:
- It grants consumers the right to know exactly which data businesses are collecting on them, and the ability to stop them using this data. A user can request that a company tells them which data it collects, the purpose for doing so, and who these data are being sold to.
- The CCPA also ensures that consumers who opt-out of data collection are not discriminated against. For businesses, this means that they cannot offer better services to users in exchange for data.
- Finally, the act also recognizes the link between data privacy and data security. It mandates that all companies dealing with data on the citizens of California have in place “reasonable security measures” to protect these data. At the moment, the definition of “reasonable” remains vague, but will likely become clearer once the act begins to be enforced.
Every piece of privacy legislation, and for that matter every guide to online privacy, defines “personal data” differently. Customers trust companies and businesses with their personal and financial data every day, to the point that actually ensuring the privacy of that data is one of the most important aspects of business integrity.
The CCPA is designed to help ensure businesses protect privacy data, and currently represents the most stringent privacy legislation in force in the US at the moment, and is second only to Europe’s GDPR (see below) in the breadth of its definition of “personal data”.
At the highest level, the CCPA states that personal information is any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
It then goes on to explicitly spell out the types of data included in this definition:
- Any identifiable information such as names, addresses, contact information, passport numbers, or social security numbers.
- Commercial information such as data on property ownership, product purchases, and any other form of consumer history.
- Biometric data of all kinds.
- Data on the internet usage of consumers, such as IP addresses, browsing history, search history, or any interactions with websites or online advertisements. The restrictions on collecting this last category of data are likely to be those with the biggest impact on online marketers.
On the other hand, it’s also worth recognizing that the CCPA doesn’t pertain to publicly available information. Any data that is accessible through Federal or State level databases is not covered.
Does the CCPA Apply to My Business?
The CCPA applies to the vast majority of businesses that work with the “personal information”, as defined above, of anyone who lives in California.
Certain small businesses are excluded, however, because the act applies to companies who meet ANY of the following criteria:
- Have an annual gross revenue of $25 million or more,
- Holds the personal information of more than 50,000 individuals, households, or devices,
- Or earns more than half its annual revenue through selling personal information.
In practice, this means that the CCPA applies to almost every online marketing business. The vast majority of companies will collect data on California residents, and any reasonably successful data acquisition system will quickly collect more than 50,000 records.
Even companies not focused on online marketing – attorneys, for instance, or even small businesses like pet shops – will be collecting these data (whether they are aware of this or not) through their web hosting provider, and will need to take steps to stay compliant with the CCPA.
How to comply with CCPA
Though the provisions contained within the CCPA are quite stringent, and the consequences of non-compliance can be quite severe, for most businesses they will not require a fundamental change to either ongoing operational processes or business development.
You can still automate data collection processes without undermining privacy, but you will need to put in place managerial systems to ensure that you are CCPA compliant. You will need to:
- Provide consumers with at least two methods to submit requests about their personal data. These must include a toll-free telephone number.
- Respond to requests within 45 days of receiving them, so you will need to have in place a managerial system for achieving this.
- Provide customers with notice that their personal information is being sold, if this is part of your business model. You will also need to give users the option to opt-out of this.
Meeting these requirements also stipulate that you conduct a thorough audit of which data you are collecting, how you are storing and protecting this data, and who has access to it. If you don’t know exactly which data you are collecting – which, unfortunately, is still the case for many businesses – you will be unable to respond to customer requests for these, and so will likely be found to be non CCPA compliant.
You should also take steps to ensure that you meet the “reasonable” security measures that the CCPA mandates. At the moment, the specifics of these requirements are still relatively unclear, but there are some basic steps you should take if you haven’t already.
Ensure, for instance, that you use CCPA-compliant encrypted cloud storage providers for all of your customer data, mandate that your staff use a password manager to access all of the systems they use, and consider securing your internal communications using a company firewall together with a virtual private network.
Beyond these general requirements, there will be specific measures you will need to take depending on your sector and business model. The California State government has produced detailed guidance, which you should carefully review.
The CCPA Penalties for Non-Compliance
The CCPA penalties contain a flexible approach to fines for non-compliant companies. The headline here is that the maximum penalty for violating CCPA laws is $2,500 per violation or $7,500 for each “intentional violation.”
It’s difficult, at the moment, to assess what this will mean for individual companies – the legislature has a lot of flexibility when it comes to leveling fines. However, it’s clear that, since fines are calculated according to the number of individual records that are non-compliant, and since most companies will (by definition) hold more than 50,000 of these, the financial CCPA penalties for non-compliance could be huge.
Though most analysts expect that there will be a grace period – especially for smaller companies – during which accidental breaches are met with a warning rather than high fines, this will not last long. It’s therefore critical that companies have in place the systems and tools above as soon as possible.
What does CCPA mean for advertisers?
The CCPA will affect advertisers who use behavioral advertising. This involves both the use of tracking cookies or pixel installed on a website that places a cookie on a website visitor’s computer and the usage of CSV files for remarketing. The pixel collects information from the visitor’s cookie to produce a profile so that the behavioral advertising provider can create a tailored and targeted advertising for the visitor. Although it is not yet clear how CCPA advertising will affect third-party cookies, an argument has shown that behavioral advertising network access personal information transmitted by the website visitor and thus can be classified as “making available” the personal information. This can be classified as a “sale” under the CCPA advertising. For advertisers, the CCPA requires that there is provision for Californians to opt-out when they sell their personal information.
The CCPA definition of a “sale” is “The selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” As an advertiser to be CCPA compliant follow the steps given under “how to comply with CCPA” above.
Research by SAP consultants showed that tracking cookies provide benefits to consumers. For instance, 26% of customers will come back to a website through retargeting, compared to 8% of customers returning without retargeting cookies. Because of this, advertisers with cookies on their website will have to offer customers a choice to opt-out of tracking cookies. Therefore, CCPA for advertisers may mean reducing the use of tracking cookies.
Meeting the requirements of the CCPA comes at a difficult time for many companies who rely on online marketing. Not only are we in the midst of a global pandemic, but many are already struggling with the fact that browser-based tracking is dying, and rushing to work out how to move away from cookies when it comes to user tracking.
However, the companies who have responded best to the imminent enforcement of the CCPA are those that have looked at it as an opportunity. The provisions contained in the bill codify the best practices that many companies were already following, and by putting in place the protections above you will ultimately find that you have more control over the data you collect.