The California Consumer Privacy Act (CCPA) is fast approaching. Here's what digital marketers need to know about this latest privacy law.
This article was first published on Ironhorse.io.
The landscape of marketing consent is rapidly evolving, and with the California Consumer Privacy Act (CCPA) fast approaching, most of our typical marketing touch points will require updates to remain compliant with consumer privacy laws. While most companies know of and have become compliant with GDPR, CCPA is a new challenge, so don’t be fooled into thinking it holds the same requirements. Here’s what you need to know about the impending new privacy law.
CCPA is a new consumer protection law that affects California-based businesses with revenue above 25 million USD, as well as those whose primary business is that of buying and/or selling personal information. The law is structured to protect Californian consumers and give them more control over their data.
CCPA goes into effect on January 1, 2020 for businesses marketing to consumers. B2B organizations get a one-year reprieve for certain aspects of the regulation, but even this extended deadline will be here before you know it.
Here are the key requirements of CCPA:
The Right to Access Information
Californian consumers are entitled to know the “what, who, and why” regarding their personal information. Companies must inform users what categories of data the business collects, and what they intend to do with that information, including whom they might share it with. Companies should update their privacy policies with these disclosures, and make it easy for consumers to find this information. (Find out how atEvent helps you do this at events here.)
The Right to Deletion
Californian consumers must be able to request the deletion of their personal information from the company that has collected it. Companies must have mechanisms in place to securely delete the data, and to request that their service providers do as well.
The Right to Opt Out
Californian consumers must be able to instruct a company to not sell their personal information to third parties. A company must have clear policies and processes to enable the consumer to prevent their data from being sold.
It’s important to note that consumers may make requests about personal information collected up to 12 months prior to the request date—or as early as January 1, 2019—and companies need to be ready to provide this access as soon as the law goes into effect.
In many ways, the EU General Data Protection Regulation (GDPR) has paved the way for CCPA. Both regulations empower consumers with specific rights, including the right to access their personal information and have it deleted. They also both require transparency about information use, and necessitate reviewing and updating contracts between businesses and their service providers.
If your company markets to European audiences and has already put practices in place to comply with GDPR, you likely have a head start on CCPA compliance. However, key differences between the two regulations mean you will still need to revisit your privacy policies and practices for CCPA.
A key difference worth noting here is how the two regulations define personal information. While GDPR is limited to personally identifiable information (PII) associated with the consumer, CCPA regulates data associated with the consumer and their household.
Make sure to consult with your legal team about the nuances of CCPA to ensure your compliance.
At the bare minimum, digital marketers should take the following steps to ensure compliance:
There’s certainly a lot to learn before January 2020 when this law goes into effect, and with the penalty of non-compliance with CCPA resulting in statutory damages between $100 and $750 per consumer, per incident, you don’t want to be on the wrong end of that invoice.
Check out our webinar, A Digital Marketer’s Guide to Navigating CCPA, with experts from Cooley and ON24, where we answer your questions about CCPA and provide an actionable CCPA checklist for digital marketers. To dive even deeper, check out this comprehensive set of resources from the privacy experts at Cooley.
We are not lawyers and nothing in this post should be considered legal advice. Please consult an attorney to address the individual needs of your business.