What is the California Consumer Privacy Act?
The California Consumer Privacy Act, commonly called the CCPA, is a law that will go into effect in California on Jan 1, 2020. The act’s purpose is to secure the privacy of California citizens with regard to online activities, digital marketing, and personal information. Generally speaking, the CCPA gives a person more control and transparency about how their personal data is being used by companies, and requires that companies be accessible in handling personal data.
Overall, the CCPA applies to any entity conducting business in California that collects personal information (either directly or indirectly) and also meets one or more of these requirements:
- have annual gross revenues in excess of $25 million (adjusted for inflation over time)
- have 50% or more of their annual revenue from the sale of personal information
- annually buy, receive for marketing purposes, sell, or share (or a combination of these activities) the personal information of 50,000 or more consumers, devices, or households
How Is Personal Information Defined?
The act defines a broad scope of what can be considered personal information.
Obvious information such as name, email, address, phone, Social Security Number, driver’s license, and passport numbers are included, since they are readily identifiable and common.
The broad scope comes into play with other data. Content such as any personal identifier, any geolocation data, any biometric data, any internet browsing history, any psychometric data, any employment history, and any inferences a company might make about a consumer to segment or target them are also included. Clearly, the act is meant to make any data attached to a person attainable and included in the discovery portion.
What Does It Mean For Consumers?
The net effect is that the CCPA will set the groundwork for privacy nationwide, since many businesses will find it burdensome to maintain different privacy policies – one for California residents, and another for all other US citizens.
The law says that consumers have the right to request information a company has about them in a “readily usable format” that enables transfer to another party without hindrance. This means no piles of data a person must sift through to find what is useful, but rather a clear, concise export of information. The act also requires that consumers have the right to request the deletion of personal information and to opt out of the sale of personal information.
What Does It Mean For Companies?
The CCPA requires that companies provide consumers with the right to opt out of the sale of their personal information through a clear and conspicuous link on the site titled “Do Not Sell My Personal Information”, as well as links to the relevant privacy policies. Some companies will need to merely adapt their website; for other companies, it can drastically impact their business model. To prevent consumers from being targeted, the CCPA also specifies that consumers cannot be discriminated against with regard to prices or services for exercising their CCPA rights.
Does GDPR Compliance Equate To CCPA Compliance?
Some overlap exists between the CCPA and GDPR, and companies that are already GDPR-compliant may already have an approach to data protection and disclosure. However, GDPR compliance is not the same as CCPA compliance, for the following reasons:
- The CCPA definition of personal information is more extensive than GDPR
- CCPA is expected to provide broader rights to data deletion and includes different personal data than GDPR
- CCPA provides more rights to consumers than GDPR
- CCPA has more stringent restrictions on sharing personal information than GDPR
“To be certain, CCPA places a greater burden on businesses than GDPR in terms of the types of data required to be disclosed at consumers’ requests, and also by providing consumers with direct means of determining the type and uses of data they will allow. The CCPA will change the way digital advertising is conducted, and should lead to better quality data at advertisers’ disposal. If that proves true, there will be a corollary improvement in ad effectiveness and consumer experience for responsible brands.”
– Kendall Carter, General Counsel, Accrescent Marketing LLC
How Can A Business Become CCPA Compliant?
First, talking to an attorney or consultant who specializes in data privacy is recommended. That said, there are some general guidelines.
- Clear, transparent policies: Consumers should be able to request a report on the types of data collected, data sources, collection methods, and uses for their data.
- Knowledge of the CCPA: Become familiar with all CCPA requirements.
- Provide a clear and conspicuous link on the business’ internet homepage, entitled ‘Do Not Sell My Personal Information’
- Ensure any individual who handles data knows and understands regulations
- Organized Data Collection Practices: The CCPA allows consumers to obtain all information collected about them. The requests are to be fulfilled at no cost. Companies need to be able to assemble consumer data and to compile these reports quickly.
The Impact Of CCPA On The Future
Overall, a lot of small businesses likely won’t be affected by this, but as consumers we can expect to see more of a shift in online privacy.
Primary companies that gain revenue from targeted advertising (Facebook, Google, etc.) will need to allow California residents to review and delete their data. It is expected that they will comply, since their business depends on this information to survive.
There are also interesting impacts across the media industry. For instance, ISPs (Verizon, AT&T, Comcast) collect internet activity and sell the data for advertising. These businesses will have to comply with the CCPA or give up that portion of their revenue. Another example is data brokers (Experian, Oracle, Epsilon), which generate tremendous profits by vacuuming up data and selling it to third parties such as ad networks, marketers, retailers, or anyone else. These too will have to become compliant.
In the end, consumers will start to see responsible data management by companies and understand how complex digital marketing is. As for companies, digital marketing will become more reliable, as data that is approved and published can be considered “verified”, leading to more efficient digital marketing.