Nov 11, 2019

All About the California Consumer Privacy Act (CCPA)

If you haven't yet heard about the CCPA, this is your chance to get caught up. 

The closest thing to GDPR in the U.S., the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. It has huge ramifications for the online world: it met resistance from large corporations in the technology sector prior to its arrival, and many people are unsure about what changes in privacy the CCPA brings.

What is the CCPA?

Put simply:

The CCPA is a landmark bill that aims to protect consumer privacy rights. Large technology companies like Google and Facebook will have less freedom with data harvesting, and consumers will have greater control over the personal information that these companies collect, store, and share.

California has made its name as the cradle of tech since even before the internet boom in the 1990s, with Silicon Valley as the beating heart. While startups have been flourishing in other parts of the world, Silicon Valley is still the epicenter of tech and innovation.

And now, any company that deals with the data of California residents will have to review their practices. When the CCPA comes into effect on January 1, 2020, it will be the most restrictive state privacy law passed anywhere in the U.S.

So, it's a big deal.

Why is the CCPA Happening?

Over the past few years, there has been a litany of data leaks and consumer privacy scandals, leaving consumers feeling wary about sharing personal information online.

The Cambridge Analytica debacle that revealed Facebook had compromised 87 million user accounts was the major headline. Amazingly, after a lengthy court battle, the social media giant has escaped with a paltry fine of £500,000 ($645,000).

Yahoo was not so lucky. Multiple breaches between 2012 and 2016 ended up costing the company $117.5M in a class-action lawsuit. LinkedIn, Capital One, Equifax, and Uber have all found themselves in hot water in the past few years, bringing the data-driven age under question.

As technology evolves and the world’s data reserves grow, so too does the threat of cyber-crime and data breaches. Research by Visual Capitalist found that 75 data records are compromised every second.

In the online world, much of 2018 was dominated by the hype around the European General Data Protection Regulation (GDPR). The changes enacted by the GDPR force companies to take more responsibility for consumer data and to inform consumers about the practices and processes involved in data collection.

In its first year, TechRepublic reported that there were over 200,000 cases of breaches and complaints, and over $60 million in fines issued. You can learn more about the impact of GDPR in our webinar.

With GDPR now ingrained, it’s hard to find any reputable website that doesn’t display a notice to tell site visitors about their use of cookies. It was always only a matter of time before the U.S. followed suit, and it’s set to start with California.

How Does the CCPA Differ From GDPR?

While the GDPR came from the top down, the CCPA started from the bottom up, beginning as a grassroots initiative driven by a collective led (and funded) by wealthy real estate developer Alastair Mactaggart. The coalition called itself "Californians for Consumer Privacy" and began its battle in San Francisco and Oakland as a citizen ballot initiative.

Mactaggart summarized the proposal as follows:

“Tell me what you know about me. Stop selling it. Keep it safe.”

In the wake of the Facebook scandal, the initiative built up a head of steam, defeating all opposition from the companies it would impact the most.

Google, Facebook, Comcast, Verizon, and AT&T created a fund to try and derail the CCPA, and are expected to continue their opposition in an effort to water down the new laws.

24% of C-suite members claim the GDPR changes caused frustration with customers due to the extra steps needed to opt in.

So just how is the CCPA different from the GDPR?

Well, whereas the GDPR applies to all companies, the CCPA only applies to larger companies, specifically those that satisfy these three conditions:

  1. They make more than $25 million in gross revenue
  2. They hold data on over 50,000 consumers
  3. They earn at least 50% of their income through data brokers (i.e., selling consumer data)

It’s understandable why the digital giants above are so opposed to this act, but there is another critical difference from the GDPR that may actually be the saving grace for these companies:

The CCPA is opt-out, meaning an individual consumer has to make the effort to do so if they don’t want their data collected or stored.

As such, marketers may be able to adhere to the new laws without adding much friction to their marketing funnel and data collection processes.

Because of the opt-out nature of the CCPA, not many expect it to have the same negative impact on marketing databases as the GDPR changes.

What the CCPA Means for Consumers

When the CCPA bill passed on May 29, 2019, many consumer protection groups celebrated, viewing this as a significant victory.

We live in a data-driven age, where companies leverage consumer data for personalized marketing, automated customer service, and laser-focused sales techniques.

This is a double-edged sword for consumers, as you can benefit from sharing more, but you run risks when companies aren’t taking care of your personal information.

“The Consumer Privacy Act will allow consumers to take control of and make informed choices about their own data, control that fosters a healthy relationship to technology and overall digital wellbeing,”

Under the CCPA, consumers will have several fundamental rights:

  • Access - Request a full data disclosure from companies, accessing information that includes biometrics, internet browsing information, purchasing history, geolocation data, academic and employment information, and more.
  • Delete - If a consumer doesn’t like anything, they can request to have their data deleted.
  • Opt-out - Consumers have the right to opt out so that a company cannot sell any of their data.

Ultimately, the CCPA will give consumers more transparency from companies so that they can have more control over their personal information.

What the CCPA Means for Companies

So, if your company satisfies the three aforementioned conditions, it would be expected to adhere to the CCPA regulations, which are:

  • Companies must make data available upon request via mail or email.
  • Companies must provide information on data selling, including who they sell to, how, and why.
  • Companies must honor consumer requests to opt out of data collection.
  • Companies must honor consumer requests to delete their personal information.
  • Companies must continue providing products and services to consumers, even if those consumers have chosen to opt out.

With these new restrictions placed on companies, it's easy to see why big corporations aren't so keen on the CCPA. It's clear that the act is designed for consumers.

But what about the companies? Can the CCPA benefit companies too?

How the CCPA Could Benefit Companies

All companies in California will have to get in line. Therefore, the playing field in California will be level, with no businesses holding any advantages over another.

Some may worry that they will lose an edge on their competition for business outside of California, but here’s the thing:

California is not just one of the fifty states in the United States - it’s actually the fifth largest economy in the world.

Data protection is a global movement, and consumers all over the world want to know their personal information is kept safe. Companies who take steps towards greater compliance will be viewed as more trustworthy by consumers both in California and further afield.

Furthermore, with the CCPA clamping down on data selling, companies must rely on first-party data. By working harder to collect their consumer data, they ensure its integrity and accuracy.

In the long run, having more accurate data will be a solid foundation for any data-driven marketing strategies. It’s feasible that the CCPA may bring companies and consumers closer together, fostering greater trust and understanding between them.

What Happens if A Company Doesn't Comply With the CCPA?

The Attorney General (AG) of California is set to enforce a $7,500 penalty for intentional violations of the California Consumer Privacy Act. Also, if a company gets hacked, individual consumers may sue for $100-$750 per event, or possibly more if the damages cost more.

When you compare that to the GDPR, which gives EU regulators the power to fine companies over US$23 million, it’s quite easy to imagine a lot of businesses bending the rules of the CCPA. Some people doubt whether it will be enforced at all.

Despite its best intentions, there are some grey areas in the CCPA - most notable is the inclusion of a controversial "cure" provision. This provision effectively lets a company off the hook, providing they take certain steps to amend their data violation.

Many critics of the bill believe the California AG office is not adequately prepared to police the CCPA law, and so companies will skirt the law, knowing they can rely on the “cure” loophole should they ever get caught.

A leading figure in a prominent privacy class-action firm, Jay Edelson, gave a damning review of the CCPA:

“Our view is that this is a disaster of a law because it scares the bejesus out of businesses and costs them a ton of money in compliance. But to us, it's totally toothless.”

It’s Time to Get Ready

While doubts still circle the CCPA, the reality is that the new law will come into effect on January 1st 2020.

Many smaller companies will fly under the radar, and others outside of California won’t worry at all.

But what about big companies that deal with California residents? Their digital marketing team needs to be prepared for it. Digital marketers should be exploring new processes for collecting and storing data, and preparing strategies to deal with the inevitable wave of data release requests from consumers.

Already, thousands of businesses are getting ready for the i

Meanwhile, major players in Silicon Valley continue to mount their challenge against the CCPA. However, those efforts may prove futile, as Fortune reports politicians and lawmakers in California are united against anything that seeks to weaken the CCPA.

For better or worse, the California Consumer Privacy Act is coming. It’s time your company got ready to ride the wave.


Chris Haughey

Chris Haughey is a creative copywriter and journalism graduate with a desire to educate more people about all things digital. Over the past decade, he has specialized in creating engaging online content for innovative brands in eCommerce, AI, MarTech, and PPC advertising. You can find him on LinkedIn
