What is the California Consumer Privacy Act and How Should You Prepare?

In this sponsored blog post, Akshatha Kamath, Content Marketing at MoEngage, breaks down new privacy legislation which could impact financial institutions across the states.

Stronger privacy protection and greater data transparency online are growing global trends. The Cambridge Analytica scandal, in which the Facebook data of at least 87 million people were misappropriated, and other instances like this have brought attention to how businesses collect, use, and sell consumer data. Concern over the use and misuse of this data is widespread. 

In many global jurisdictions, the response has been privacy legislation which forces businesses to comply with sometimes onerous regulations regarding consumer data and privacy. One of these pieces of legislation is the California Consumer Privacy Act. In its second section it lays out how pervasive privacy concerns have become and how “it is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information.”

All of this data can be great for marketers, but businesses need to comply with privacy laws in order to avoid fines and stay up to date with consumer demand for privacy and data transparency online.

The California Consumer Privacy Act (AB-375)

The California Consumer Privacy Act of 2018 (CCPA) is by far the strongest privacy legislation enacted in the United States at this time. Businesses must be in compliance by January 1, 2020 (the starting date on which the state can bring enforcement actions involving noncompliance).

For marketers there are three major things to be aware of. First, wherever personal information is collected, businesses must disclose what information they collect and how they will use it. Second, businesses have to provide consumers with the ability to “opt out” of having their information sold to third parties. Third, businesses must allow consumers to view and delete the information that has been collected about them.

Is My Company Affected by the CCPA?

If your business (or for-profit entity) is located in California and meets any of the following criteria, it has privacy requirements that need to be met under the law. The criteria are:

  • Your business’ annual revenue is over $25 million
  • Your business receives information of over 50,000 consumers, households, or devices annually
  • At least half of your business’ annual revenue comes from selling personal information

The law doesn’t differentiate between brick-and-mortar and online companies. This means that even a company with no physical presence or employees in California could still do business there and therefore has obligations under the law. So your business doesn’t even need to be located in California for the California Consumer Privacy Act to apply to you. Like the GDPR, CCPA will affect businesses outside the law’s jurisdiction.

Consumers’ Rights Under the CCPA

Consumers have new rights under the CCPA that companies need to be aware of. These rights fall into three broad categories:

  1. The Right to Knowledge – Under the CCPA, businesses must allow consumers to obtain, twice per annum at zero cost, all the information that the business has about them, how that information was collected, and who else has been given said information.
  2. The Right to be Forgotten – The CCPA stipulates that consumers must be able to request the deletion of all of their personal information from a company. If the information has been shared with third parties then those parties must also delete said information.
  3. The Right to Control who has Access to their Information – Businesses must allow consumers to be able to opt out of the resale of their information. Consumers under the age of 16 must affirmatively opt in to allow the resale of their data. Consumers under the age of 13 must have written permission from a parent or guardian in order to allow the resale of their data.

What Marketers Need to Do

First of all, marketers need to review and understand their current policies and procedures regarding the collection, storage and use of subscribers’ data and mailing preferences. They need to know how a user’s preferences about their data can be stored and how documentation would be provided if a user requests it.

Second of all, marketers need to think in the long term about how they set up their systems. For example, even though GDPR only applies to EU visitors, many companies have opted to implement the same higher standards across their entire platform in order to proactively prepare for similar legislation. In the same vein, marketers who prepare for the CCPA will have a leg up if privacy bills that are making their way through the legislature pass in New York, Mississippi, and Massachusetts.

Penalties for Non-Compliance with the CCPA

If, because of a business’ negligence, a consumer’s information is improperly disclosed, the CCPA makes it easier for consumers to sue (even if there is no evidence that the data breach caused the consumer harm!).

What could be very costly for businesses is the potential for class-action lawsuits due to a data breach. Companies could be on the hook for between $100 and $750 per incident (or even more if the actual damages exceed $750).

Conclusion

The California Consumer Privacy Act will go into effect on January 1, 2020. Marketers should prepare in advance to make changes to comply with the regulations. At the same time, CCPA presents marketers with an opportunity to strengthen the relationship between consumers and your business. Educate consumers on the data you are collecting and how you make use of it. Be sure to tell them their rights under the CCPA and how you are compliant. This can build trust with consumers and help you use the CCPA to your advantage.