The California Consumer Protection Act (CCPA) — called of the strictest legislation of its kind ever enacted — takes effect today, January 1, 2020.*
As leading law firm White & Case comments in its briefing on the CCPA, firms that have not started to prepare for it have a lot to do to catch up. In a sense, however, there is some wiggle room. Enforcement of the CCPA by the State's Attorney General does not begin until July (mostly because amendments and final regulations are still being considered)—but private suits by consumers are permitted starting January 1.
The background: CASL and GDPR
Affected businesses do have different starting lines for getting ready to comply because many will have implemented rules and systems for compliance with two earlier pieces of legislation. (Thus far, stringent laws to protect consumer privacy in the age of email and the internet have not been enacted by the U.S. government, but other countries, and now California, have done so in ways that impact U.S. firms doing business there.)
Canada's Anti-Spam Legislation (CASL), which went into effect in July 2014, is one of the world's strictest anti-spam laws. More than one-quarter of email marketers say that CASL has had a significant or dramatic impact on their company's email marketing program.
CASL took its time rolling out and entered the final phase in 2017. Briefly, CASL is intended to protect Canadian citizens from "unsolicited messages"—a tall order when you reflect on how many "unsolicited messages" you receive. To implement this goal, CASL sets requirements for all commercial emails.
To take but one example, promotional emails have to include a working "unsubscribe link" (certainly no longer a rarity) and it must be easy for the recipient to identify the sender of an email. But at the heart of CASL is an opt-in law: Brands are only permitted to send email to people who've agreed to receive messages from them.
Although CASL is Canadian legislation, of course, it doesn't apply only to Canadian brands. All senders of emails to recipients in Canada must comply.
The General Data Protection Regulation (GCPR), which went in effect May 28, 2018, is a European Union (EU) law on data protection and privacy for all citizens of the EU and European Economic Area. But it also addresses the transfer of personal data outside those areas. The intention of GDPR is to give control to citizens over their personal data and also supposedly to simplify the regulatory environment for international business. In technical terms, GDPR applies to any "entity" processing personal data that has an establishment in the EU, offers goods and services in EU, or monitors the behavior of individuals in the EU. That, to say the least, has not left businesses in the United States unaffected.
The California Consumer Privacy Act (CCPA)
CCPA, which goes into effect January 1, 2020, applies to a wide range of for-profit companies (and potentially their subsidiaries) that do business in California.
It may cover retail businesses that process consumer personal information (both online and in physical stores), social media companies that collect data through apps, advertising and marketing outfits that collect and share data on consumers to create profiles or ads. Data brokers that buy and sell personal information are expected to be impacted heavily. Even banks and other financial services firms that collect the personal information of California residents not related to financial products or services are expected to be affected by CCPA.
Therefore, the first item on any checklist to prepare for compliance is for the business to ascertain if CCPA applies to it. The reason is that size matters, here. The legislation excludes many small businesses or businesses with limited involvement with consumer personal information.
To be specific, the law applies to any for-profit entity doing business in California that annually:
- exceeds $25 million in gross revenue.
- handles the personal information of 50,000 or more consumers, households, or devices.
- derives more than 50% of its annual revenue from selling consumers' personal information.
Before an explicit checklist of steps to prepare for the start date of CCPA, a few general points:
- CCPA directs firms to be transparent in their practices relating to the collection, sale, and disclosure of personal information from California residents. That applies both to public disclosures and responses to consumer requests.
- Businesses that do not comply with the Act face injunctions and up to $2,500 for each violation or $7,500 for each intentional violation of the CCPA.
- Also, consumers in individual and class actions have a private right of action to seek damages ranging from $100 to $750 per consumer, per incident, as a result of a data breach caused by a business' lack of reasonable security.
Your CCPA compliance checklist
- Confirm application of the CCPA. Beyond ascertaining if your business is subject to the CCPA (taking account of subsidiaries and affiliates), you should know if your business depends on the sale or purchase of personal information. If so, to what extent does your disclosures of information to third parties come under the definition of the "sale" of data?
- Confirm that your cybersecurity practices meet recognized industry standards on issues such as the use of encryption, multi-factor authentication, and other controls.
- Understand how your business collects, shares, and sells personal information. What is the map of internal data flows, storage, and transfers? You will need this to assess if you meet your CCPA obligations.
- Revise privacy policies in-house and externally to take account of personal information-processing activities that must be disclosed under the CCPA—and how you will recognize the new rights and mechanisms available to Californians.
- Offer a clear path for consumer opt-out of the sale of personal information. One useful step is to put up a separate web page to enable California residents to exercise their opt-out rights in cases where your business sells their personal information.
- Create processes for receiving and responding to consumer requests. How will your business accept, track, and verify such requests? (Companies already complying with GDPR have a head start, here.)
- Review any agreements with third-parties and service providers with whom you share personal data to ensure they comply with risk-management practices. White & Case quotes the old adage: "A company can outsource a capability, but it cannot outsource responsibility."
- Start training your employees who will be handling consumer inquiries to deal with them in a timely, consistent, and appropriate way.
Businesses unprepared for compliance on January 1 should realize that California, too, is rushing to finalize the law and regulations. Already, there have been amendments to the frankly hasty, rather poorly written legislation. Amendments tried to address industry concerns and clarify language. The California AG was required to adopt regulations implementing the CCPA and was limited in enforcement until July 1, 2020. Finally, amendments virtually excluded medical information from CCPA on the grounds that it already is adequately protected by earlier acts.
Identifying the best management system
It will be of the first importance to be sure that your data management system is capable of handling, and insofar as possible automating, your compliance with CCPA regulations. Workflow management, data collection, data change, reporting, auditing, and other information processing should be up to speed with compliance tasks.
Not surprisingly, the market has responded to CCPA as an opportunity to introduce new customers to their software systems for customer management, email marketing services, sales tracking, and enterprise management. HubSpot, Pardot, Salesforce, Marketo, SharpSpring, and Mailchimp are several examples of well-tested brands in this field. Unfortunately, there are few head-to-head comparisons of these and other marketing management brands' compliance measures for CCPA specifically. The best approach is to consult with marketing professionals who can help you to evaluate leading brands for features appropriate to your business's challenges in meeting the demands presented by CCPA.
Businesses that have not begun efforts at compliance will now have to get up to speed rapidly. Also, businesses are required under CCPA to keep current with new developments and, in particular, to maintain the flexibility to adapt their CCPA implementation plans to changes in the law and regulations.
Check back regularly with Beacon Digital Marketing for information and insights about all phases of digital and integrated marketing strategies. Our team of B2B marketing professions is ready to answer your questions about optimal marketing strategies for scaling up your business.
*This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
Whitney Parker Mitchell
Whitney is a highly sought-after B2B online marketing expert with more than 12 years of experience leading marketing and communications teams in a variety of organizations, including nonprofits, small businesses, tech startups, and large global corporations. She’s helped dozens of brands gain greater recognition for their causes and products in the digital world.