Understanding the California Consumer Privacy Act (CCPA)

While the COVID-19 pandemic is changing the way we’ll live and do business for years to come, many pre-COVID issues are still prevalent. One of those issues is data privacy. We’ve already seen privacy and security become a hot topic for those seeing a boom in business during the crisis (like Zoom). With companies and employees navigating the (not-so) secure world of working from home, and with email and app messaging being go-to sources of reliable customer communication, data privacy is a topic all marketers need to familiarize themselves with now. It will be one of the defining digital marketing issues of the next 5 years (and maybe sooner thanks to the pandemic). If you aren’t thinking about how to protect your customers’ data, and how to add a level of transparency to what you’re collecting and storing, you’re already behind. Customers expect to have insight into and control over their data, and the law in your locale will be on their side, if it isn’t already.

Failing to meet legal obligations and customer expectations could lead to fines, or more crucially, to a loss of trust in your brand. Even if your business isn’t bound by an existing law, it’s critical to understand the landscape and plan for future compliance.

What is the CCPA?

In 2018, the State of California passed sweeping regulations to protect the privacy of California consumers. The CCPA went into effect in January 2020 and is considered the first comprehensive non-healthcare consumer privacy law in the United States. It was designed to give consumers more control over their personal data: how it is collected and with whom it is shared.

The CCPA provides these rights to Californians:

  • To know what personal information is being collected
  • To know whether their information is being sold to or shared with third parties, and the right to opt-out of that process
  • To review and request deletion of stored information
  • To be protected from unequal treatment in the event they exercise these rights

The European Union’s General Data Protection Regulation (GDPR) was big news when implemented in 2018, and affects nearly everyone living or doing business in the EU. This broad privacy regulation requires opt-in consent to data collection and processing of any personal information.

The CCPA can be considered a cousin to GDPR. Its rules and regulations have broadly similar goals, but arrive at them by different means. Some key differences:

  • Penalties: GDPR violators can be fined up to the higher of €20 Million or 4% of gross annual revenue. CCPA violators will be fined $7500 for intentional violations or $2500 for unintentional violations. Most importantly, though, consumers protected by the CCPA have the right to sue violating companies for uncapped damages.
  • Consent: GDPR is an opt-in framework (explicit consent), while CCPA is an opt-out framework (implied consent).
  • Data Types: GDPR gives consumers control over all types of processing of all data collected about them, including first-party data and broadly interpreted personal information (PI). It affords transparency and ultimate control to the consumer. CCPA requires transparency, but is ultimately more concerned with the sale of data to second and third parties. It also covers household-level data.

In the two years since GDPR’s rollout, we’ve seen companies like Google, Marriott and British Airways fined massive sums of money in the EU. The enforcement phase of CCPA isn’t quite upon us yet, but expect to see large lawsuits filed on behalf of affected consumers in the coming months.

Who does it apply to?

The CCPA has a limited scope. Unlike GDPR, which applies to every person in the European Union, the CCPA is relevant to companies collecting data on customers in California and meeting any of the following criteria:

  1. Has gross revenues of $25 million or more
  2. Buys or sells personal data of 50,000 or more Californian consumers
  3. Derives more than half of its revenue from the sale of Californian consumer data

If you do business in California, or with Californians, you may be bound to comply with the CCPA. It’s about the location of the customers, not the location of the company.

It’s important to remember that obligations also flow through client relationships. While a specific agency or consultant may not itself meet the criteria for CCPA coverage, it may well handle data on behalf of clients that are bound by the law. Such qualifying companies are held responsible for the data management practices of their third parties and vendors. Because of this, expect to see increased diligence regarding your data management policies and procedures.

What do online marketers need to do?

The first step is to determine whether you or your customers are immediately impacted by CCPA. If you’re bound by the law, you’ll need to make a plan of action toward compliance.

1. Audit your data. Have a clear understanding of your customer data:

    • What are you capturing?
    • Where is it being stored?
    • Do you have consent?
    • Who has access to the data (employees and vendors)?
    • Is the data being shared?

2. Develop a data diagram. After understanding where all of your data resides and who can access it, develop a diagram outlining all of the flows and processes. It is critical to keep this diagram updated as new vendors, platforms and data sources are introduced.

3. Update your privacy policy. Be transparent about what is being collected and how it will be used, and outline the protections afforded under the CCPA.

4. Develop a system to manage customer requests. Your employees and systems need to be able to handle opt-out and deletion requests from customers. This may include vendors, databases and third-party platforms.

5. Own your data ecosystem. You are responsible for your customers’ data. Hold your platform and service vendors to the same standard you’re measuring yourself against.

Periodic reviews of your data and systems are vital to continued compliance. Establish a clear process for introducing new data capture facilities or third party platforms. It’s important to have clear control over your data every step of the way.

Privacy compliance can be a significant undertaking. It’s critical to involve the correct people, including staff, consultants and other vendors, in the planning and execution process. An organization-wide understanding of the importance of customer data will transform everyone into customer data advocates.

What’s Next?

Privacy regulations are not going away. If you’ve made it this far without being affected by GDPR or CCPA, rest assured there will soon be a regulation impacting your organization and customers. There are bills working their way through many state legislatures, and at some point we can expect laws at the federal level governing data privacy and sharing. Even if you’re not required to comply today, it is strongly recommended that you take action toward compliance.

Here are some steps that you can take, beyond those mentioned above, to get your organization on the right path:

  • Cookie consent. Across all digital channels, including websites and mobile apps, obtain consent from your customers to capture data.
  • Privacy management software. Consider using software platforms to assist in managing data opt-outs, audit trails, and customer communication history. Some platforms include tools for data mapping and privacy policy authoring.
  • Regularly review privacy policies, terms of use, and data sharing agreements.
  • Own your data. Understand who you’re sharing your customer data with and why. Document your data relationships, and be sure that your vendors and partners are treating your customer data with the same care that you are.

Data privacy has become a strategic imperative, rather than an operational task. Don’t treat data privacy and transparency merely as a compliance exercise; treat it as an opportunity to redefine your data universe, solidify your infrastructure and reduce the likelihood of catastrophic data issues. Doing so will build trust with your customers, create valuable differentiation from your competitors, and yes, position you well for future compliance. Defining guidance and processes to manage your customer marketing data now will leave you prepared for the laws still to come.

Jeffrey Rudolf is Chief Technology Officer of Response Labs, a digital CRM marketing agency in Baltimore and Seattle. Response Labs is a Salesforce, Marketo and Sitecore Partner that helps Fortune 1000 clients “Make Every Message Matter.” Response Labs is a proud AMA Baltimore sponsor. Photo Credit: © cherryandbees / Adobe Stock