Following Europe’s lead, California is now enacting the first stringent data law in the United States. Much like Europe’s GDPR (General Data Protection Regulation), this regulation is designed to protect the data of citizens and ensure that their data is used safely and within the bounds of the law.
While the California Consumer Privacy Act (CCPA) is a California law, it still pertains to every business in the US. For that matter, similarly to GDPR, it pertains to any business in the world that allows its website to be displayed in California. (GDPR is a bit more complex, but it follows the same logic.) Unless you’re willing to not do business with the state that has the world’s fifth largest economy, the act is something that should be on your radar.
There is a silver lining to CCPA compared to GDPR, though. The law was written specifically for large corporations in which the sale of data is a core part of their business. GDPR, on the other hand, can be enforced against a company of any size that simply misuses data to market incorrectly.
So, what is this CCPA and should you fear it? Below are the five things everyone needs to know about the California Consumer Privacy Act…
Should I Be Afraid?
While in the long run this law will likely be the catalyst for stronger laws, perhaps on the federal level, for now the answer to this is based on the size of your company. If your revenue is under $25 million or there is no chance that you have any data of a Californian, you’re really off the hook. On the other hand, if you have large revenues and have a ton of data, then you might need to consider a strategy.
While you won’t have any legal issues on January 1, as there is a 6-month grace period to get compliant, the real issues will be with the complexities and costs associated with sorting your data and ensuring compliance. This alone could make the cost of the penalty look paltry.
According to the California Legislative Information website, here are the three criteria that make a business vulnerable to CCPA:
- if the business has annual gross revenues exceeding $25 million
- if it annually buys or sells personal information of 50,000 or more California consumers, households, or devices
- if it derives more than 50% of its annual revenue from selling California consumers’ personal information.
So, to answer the question more succinctly: should you be afraid? Probably not. Should you be prepared? Absolutely.
What is the Possible Penalty?
Things get fairly murky here. The actual punishment for the violation is $7,500 for blatant offenders and for non-intentional violators $2,500. Of course, that is per violation. It’s not hard to imagine that a company not in compliance has many datasets in violation. The math is simple and scary: if you have 100 violations, that $2,500 turns into $250,000. No penalty will be enforced before a 30-day period to get into compliance.
The real penalty could be on the civil side though. The law also allows for residents to sue for each violation. Despite the financial reward for the plaintiff, which would be between $100 and $750 for each event, the cost for your defense could mount if multiple plaintiffs come forward.
How Will CCPA Be Enforced?
The California Attorney General will initially enforce this. There is a ballot initiative in 2020 in California that could create a state agency called the California Privacy Protection Agency to police it. If the agency is created, enforcement would clearly go up as the state would have dedicated resources.
What’s In It for California Residents?
Ultimately, laws are written to protect citizens. In this case the California legislature decided that their residents’ online data needed protecting.
Californians will be able to request, from businesses, the data they collect, the purposes of collection, and with whom it was shared and/or sold. They will also receive the right to request access to the actual pieces of data collected, the right to request to opt out (directing a company to not sell their personal information to third parties), and the right to deletion (the ability to request that a company delete the personal information it has collected about them). According to law firm Schwabe Williamson and Wyatt, the following rights are what California residents can expect…
- The right to know: Consumers have the right to request details related to the categories and types of personal information being collected about them; the purposes for collection and use of their personal information; and whether, to whom, and why their personal information is disclosed to any third parties;
- The right to deletion: subject to some exceptions, Consumers have the right to request a business to delete the personal information it has collected about them;
- The right to opt out of the sale of their personal information: Consumers have the right to direct a business not to sell their personal information to any third parties;
- The right to access: Consumers have the right to request a copy of the personal information a business has collected about them, or to have it transferred to another entity (this is sometimes referred to as a “data portability” right under other privacy laws, such as the GDPR); and
- The right of non-discrimination: this is unique to the CCPA, and, subject to limited exceptions, provides that businesses cannot treat a Consumer differently in terms of price or service level offered because a Consumer exercised any of their individual rights granted under the CCPA.
How Will My Digital Ads Be Affected?
Your digital advertising strategy might be impacted if you rely on third-party data. If you collect the data yourself based on form submissions and a robust digital strategy, you should be in the clear. Certain best practices are advised, such as displaying your cookie tracking policy to anyone who lands on your site and clearly having an opt-out button. Best practices such as that, though, should be used regardless of any regulations.
If you are concerned with the way your digital engine is set up and want to make sure you aren’t hit with any surprises, check with your advertising partners and vendors; they should be able to review and advise on any necessary changes.
For a free analysis of your media plan don’t hesitate to reach out to SilverBack. We’ll go a step beyond CCPA and guide you on an overall strategy that is not only in the bounds of the law, but also will lead to a robust lead generation strategy.