In October 2019, California passed a consumer privacy act that will impact U.S. companies even more than the European Union’s General Data Protection Regulation (GDPR) that went into effect last year.
While it lacks some of GDPR’s most far-reaching requirements, it does take the protection of California residents much further.
This act, called the California Consumer Privacy Act (CCPA), went into effect on January 1st, 2020, and largely affects U.S. companies conducting significant business with Californians.
Simply put, the CCPA is a state-wide regulation that gives California consumers more rights regarding how their data is used, stored, and sold by businesses.
There are four basic tenets to the CCPA regulations. At a high level, the CCPA gives consumers:
- The right to know what information companies collect, use, share, and sell
- The right to delete any and all personal information businesses have
- The right to opt out of their information being sold, and to stop businesses that already sell their information from doing so
- The right to non-discrimination in prices or services if they choose to exercise any of the other privacy rights
While these regulations are unique to California (more on that below), other states have introduced similar legislation, and some companies are extending CCPA protection to the rest of the U.S.
What does the CCPA mean for my business?
Most likely there won’t be much you have to do differently in your day-to-day operations.
Most companies that are affected by the CCPA should be mostly (if not completely) compliant if they are already following the guidelines set by GDPR.
Even then, the only businesses affected by the CCPA are those that satisfy any of the following criteria:
- Gross annual revenue exceeding $25 million
- More than 50% of their annual revenue deriving from the sale of consumers’ personal information
- Buying, receiving, or selling the personal information of more than 50,000 consumers, households, or devices in California.
If your business meets any of those requirements, you must provide notice to consumers before data collection happens and provide a “do not sell my information” opt-out option for anyone who chooses to use it.
You’ll also need to have contact information detailed on your website where consumers can contact you and ask questions about their data or request a deletion.
Requests of this type will also have to be processed within 45 days of receiving them, so you might want to consider having additional processes in place to make sure you comply.
It’s not yet clear how California will be enforcing this new law, but there are fines in place for businesses that fall into repeated noncompliance.
Here is what you should do to be CCPA-compliant
- Take another look at your privacy policies: Be sure they are compliant with all of CCPA’s required disclosures.
- Be open and transparent about the specific purposes for data collection: Users need to be informed when providing personal information, so anything ambiguous is a no-go.
- Take a look at how the data you collect is managed and stored: Make sure there are no holes in your data management; look for any potential vulnerabilities.
- Treat data requests from customers as urgent: Create processes to handle these requests quickly. Failing to respond within that 45-day period will result in fines — not to mention you’ll start losing trust with your customers.
What about my advertising in California?
Unfortunately, just like with GDPR, this will have an effect not only on businesses in California, but also those who interact with Californian residents.
What this means is that even if the CCPA doesn’t apply to you, you may still need to pay attention to it.
We know that Facebook is being very aggressive, based on how they are treating ad accounts that are non-compliant.
Even companies who do not need to be compliant (i.e. they don’t satisfy any of the requirements outlined above) are seeing their ad performance negatively impacted within California since the law took effect earlier this year.
As of right now, it’s not clear if Facebook will ease its enforcement and let businesses not affected by the CCPA resume business as usual.
Facebook and CCPA
Regardless of whether businesses need to become compliant or not, it appears that those who are compliant are being rewarded heavily in California on Facebook.
Our main suggestion: if you are advertising in California and you are not CCPA-compliant, you’d be better off pausing those ads.
It appears that it really doesn’t matter if you are legally obligated to comply with CCPA or not. Facebook is still dinging performance in California.
California is a huge market and many businesses rely on its population to hit their revenue goals.
The current penalties in Facebook are too large to ignore and can affect other areas of your account, so we would still recommend pausing your California-based campaigns or excluding California from your targeting until you are compliant — or until Facebook eases the current enforcement of the laws.
In the meantime, if advertising in California is a large part of your business you should work hard to become compliant as soon as possible. Consult your legal counsel and development team to get these mandates up and running on your site.
For other platforms like Google, LinkedIn, and Microsoft, we aren’t seeing major effects just yet. This will change, however, as California amends and signs new additions to the law in the near future.
We don’t know when any changes will take place, especially now with California COVID-19 cases surging.
The future of data privacy
The CCPA is a sign of things to come. Personal information and privacy are becoming more and more protected, and more states and countries will follow in California’s footsteps.
As business owners it is our duty to our customers to protect their information and treat it properly.
We can’t expect to build trust and loyalty if we don’t handle data in a responsible, transparent, and ethical way.
Regardless of whether the CCPA affects you or not, it will pay off to look at how your data is being managed and stored. Take the steps to protect your customers’ information now, before you are legally obligated to do so.