Not only did the California Consumer Protection Act (CCPA) ring in a new decade—going into effect on Jan. 1, 2020—it also rang in a new era in consumer relations.
While CCPA is a state law, its reach is national because it affects any business made available to California residents. Therefore, if your headquarters is in Ohio, but California residents can access your website and you capture their data, then your business must be CCPA compliant.
As marketers, we’ve gone through these data privacy and security exercises several times in recent years: Canada’s Anti-Spam Law (CASL) in 2014, the (General Data Protection Regulation) GDPR in Europe in 2018, the major data breaches of companies like Target and Equifax, along with data scandals that emerged at Facebook and Cambridge Analytica.
CCPA doesn’t seem to have caused the type of public reaction that came with GDPR. That’s because GDPR forced most brands to implement a wide range of changes to their data policies and CCPA became an iteration of those updates.
But this law still differentiates itself in several important ways.
A broad stroke of data
First, CCPA defines private data more broadly than GDPR. According to data privacy software company Clarip Inc.: “Personal information includes anything that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
Marketers understand the need to protect private data points such as name, birth date and address. Still, under CCPA, any data that can be reasonably associated with an individual or household would also be protected. That means website browsing behavior is protected, private data.
CCPA is already popping up in more places than I have anticipated. Living in California, I have found even trips to the doctor’s office requires an update to my medical permission forms to ensure CCPA compliance.
Inferred data is also considered private data. As marketers have made strides to personalize their communications, many of us have been looking at behavioral data—such as email clicks—to infer if someone is more likely to be interested in a particular category of goods. Marketers have used the inferred data to deliver a more personalized email experience. However, CCPA protects this data as private, so marketers now must correctly note and timestamp the collection method and properly store the data.
CCPA gives consumers a voice
The second key differentiator with CCPA is that, for the first time, individual consumers can ask companies what data they had collected on them when they collected it, and how they used it. Consumers also can opt out of allowing the sale of their data.
The CCPA lays out clear expectations for how brands need to notify consumers that they are collecting personal information—for example, via a clear footer on their website. The law also protects consumers by allowing them to request to view the data companies hold on them, how and when it was collected and to request its deletion. Any consumers who feel that companies are holding incorrect data can pursue legal action against said company. This privacy law puts consumers in a much more proactive position to protect their data and determine what companies can and cannot do with it.
What’s to come
Despite being effective a few months, the ramifications of CCPA and how officials will enforce it remain a mystery. But no matter what, the impact on US data privacy will be far-reaching, and the potential fines facing companies in violation could be steep.
CCPA is the law-making the news right now, but several other states have similar laws working their way through legislative committees. As more and more states begin enacting similar, but slightly different privacy laws, I would not be surprised if Congress passes a bill to regulate data privacy at the federal level. Such a measure could come as amendments to the CAN-SPAM Act currently in effect or be a new piece of legislation the augments or supersedes CAN-SPAM.
Several other countries also have additional privacy laws going into force, such as the Freedom of Information and Protection of Privacy Act (FIPPA) and Personal Information Protection Act (PIPA) in British Columbia, Canada and the Personal Information Protection Act in South Korea.
Ultimately, marketers must work with their legal teams to understand how their companies are interpreting the laws and what steps the legal team feels are best for your organization to maintain compliance.
But one thing is clear: CCPA has ushered in more than just a change to how marketers can market. It is an overall change to how consumer data is acknowledged, gathered, and tracked. We’ve reached a new era of data privacy.
DEG, an Isobar Company is a digital marketing agency.
Favorite