CCPA, what’s that?
Questions of the day: What is CCPA? (Yay another acronym.) Why should we care?
How did we get here?
On June 28, 2018, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law. Marketers have been repeating those letters for over 2 years, so it shouldn’t come to a surprise to anyone as the law became effective on January 1st of this year.
The intentions behind this act was to know what personal data is collected by companies and know if personal data is being sold or disclosed and to whom. This is to give more control to the consumer, so they have an option to “opt-out” of any tracking they do not want marketers to use or have access to. In addition, this act would enforce businesses to be more aware of what type of personal identifiable information (PII) is collected, while consumers will have the right to request the removal of such data stored. Different than the EU’s GDPR (General Data Protection Regulation), CCPA encourages an “opt-out” experience as opposed to GDPR’s “opt-in” choice.
Back to basics. As a reminder, CCPA explicitly applies to companies that qualify under one or more of the following statutory criteria[1]:
- Have gross annual revenues in excess of $25 million;
- Possess the personal information of 50,000 or more consumers, households, or devices; or
- Earn more than half of their annual revenue from selling consumers’ personal information
This law took effect this year on January 1st, but the 6-month grace period for businesses to get their act together has officially ended, last week on July 1st.
Why is this important?
The risk of non-compliance is damaging from a brand reputation standpoint. In addition, the California Attorney General can impose financial penalties up to $2,500 for non-willful violations and $7,500 for intentional violations.[2] Fines are one thing, can you imagine if you’re selling baby clothes (or insert random product here) online and there was a data breach. During that investigation, it was also uncovered you were non-compliant with CCPA. All of the brand equity that was built up would be tarnished. Just like in life, trust is earned, not given.
Not that I’m a lawyer or anything, but the advice that I have read across articles is to document everything and to know where you are collecting data. Even though the act has California in its name, this applies to any business that is advertising to any resident who lives in California. Also, it may be wise to take inventory of your data sources anyways because data privacy laws are not going anywhere as consumers lean more into the world of digital.
Not to be confused with CCPA, but there’s another act coming down called CPRA, which is the California Privacy Rights Act — CCPA’s younger brother. This will be on the 2020 ballot for the state — the CPRA “would create a sensitive data classification, place additional obligations on processors, and require the establishment of a California Privacy Protection Agency”.[3]
Obviously, this makes the marketer’s job more difficult as you are trying to build up your remarketing lists and grow your RT campaigns. The retargeting strategy is thrown for a loop, if there isn’t a way to track California residents. For business websites, it’s imperative to include use a cookie compliance solution like CookieBot or OneTrust. Google Ads have a centralized opt-out button unlike Facebook.
However, Facebook recently added a new feature called Limited Data Use (LDU). As of July 1, Facebook automatically enabled this for all business accounts, which limited the way user data can be stored and processed in the Facebook ecosystem for all users that FB can identify as Cali residents.[4] This will run through the end of the month, and after that businesses are required to update their PageView pixel to include a LDU parameter. I guess Facebook is trying to save our butts by giving us another grace period to move us in the right direction. Procrastinators unite… tomorrow. But it does have to be resolved by the end of the month.
My hot take(s):
- As a consumer, I like where this act is headed and would like to see this implemented on a federal level, so we are not a patchwork quilt of different state policies. As a marketer, I know this will make my job harder if we can’t see who we are targeting to. But again, advertisers and martech people are known to be crafty and solutions-oriented, so there will be new strategies involved.
- Hope that people take this seriously. It may just be California now, but it will be expanded. You heard it here first. Data privacy is going to be more prevalent in the future, and we need to do the right thing to protect our customers’ private information, so it’s not exploited and used in the wrong hands.
