CCPA: Understanding the California Consumer Privacy Act

News|6 Minute Read

CCPA: Understanding the California Consumer Privacy Act

The California Consumer Privacy Act of 2018 (CCPA) hasn’t even gone into effect in the Golden State. And yet, marketers already refer to the impending law as “California GDPR” and “GDPR in the U.S.”

Comparisons to the General Data Protection Regulation (GDPR) were inevitable — and not far off.

The CCPA law will incorporate many of the same elements as its European Union counterpart: consent management options for California residents and customer data collection rules for brands.

Let’s get into the nitty-gritty of the new California measure, including how it came to be, what comparisons can be made to GDPR, and the overall impact it will have on businesses — including yours.

What is the CCPA?

From what led to the legislation to how organizations reacted, here are the basics of the CCPA.

A brief California Consumer Privacy Act timeline

A mere month after GDPR was enforced for companies conducting business in the EU, California lawmakers proposed Assembly Bill No. 375 — now officially known as … well, you know.

The CCPA text from state legislators shows the measure aligns with other right-of-privacy laws previously enacted in California, such as the Online Privacy Protection Act of 2003.

However, the main impetus for the CCPA proposal in mid-2018 ultimately came from GDPR: California Assembly members wanted to implement similarly stringent consumer protection laws.

Eventually, it passed the state house. At long last, California lawmakers were able to provide its residents with the data transparency, control, and accountability they saw imposed in GDPR.

The CCPA’s effects on consumer data and brands

Without covering territory you’re likely familiar with already, the CCPA breaks down like this:

  • The California Attorney General’s office heard from state lawmakers, who basically noted consumers have rights regarding how their information is collected and what brands do with that info is used (targeted advertising from tracking, selling info to third parties, etc.).
  • After much deliberation, a final version of the CCPA was passed in June 2018. The legislation deemed that as a business collects (or, technically, attempts to collect) info from their audience — like through third-party cookies — they must give users a right to opt out.
  • What’s more, the measure specifies brands must offer consumers an “opt-out-of-the-sale” option, letting them tell companies they do not have the right to sell their personal information or use it for any commercial purposes.

As the latest, comprehensive consumer privacy act, CCPA includes many of the same features that hold brands liable for misuse of customer information (their data, essentially — just not explicitly stated as such in the fine print) and, at the end of the day, give consumers some peace of mind.

In short, many in California, including consumer advocacy groups, are now satisfied. As for brands …

Mixed CCPA reactions across various industries

As with the GDPR, the CCPA sparked lots of debate and opinions among business leaders who operate in California — and even those who don’t. To say the reaction was mixed is an understatement.

In California, CCPA proponents laud the law for finally acting on behalf of consumers. Some companies are even calling for amendments to tighten the CCPA law even further.

On the flip side, a number of tech lobbyists oppose the CCPA. Trade groups representing tech giants like Apple and Facebook argue the regulation goes too far to protect consumers.

The debate is likely to continue (shocker) until CCPA goes into effect on January 1, 2020. Until then, you can expect many more think pieces about the impending law (and more analysis from us).

CCPA vs. GDPR: How they differ

Whatever you think about the CCPA, one thing remains clear: It’s not exactly the same as GDPR.

While the two share many similarities, they are really two distinct consumer data/info laws.

This “CCPA-vs.-GDPR” breakdown showcases the primary differences between the two:

ccpa vs gdpr

As you can see, these are modest distinctions. As for similarities between CCPA and GDPR, there are too many to name. The laws basically have two primary objectives in common:

  • Goal #1: Protect consumers’ personal data/info and give them control about how it’s used.
  • Goal #2: Continually and consistently hold brands accountable for customer data/info use.

With data privacy legislation now approved in California, CCPA advocates will now pay close attention to whether the regulation can truly keep consumers’ information safe.

Meanwhile, brands that work in the state will (presumably, hopefully, finally) get consent management platforms, if they haven’t already done so to comply with GDPR, so they can do the same for the CCPA.

(More on that shortly.)

CCPA paves way for privacy laws

California is certainly leading the way in the United States in terms of states adopting consumer data legislation. However, it’s far from the only one with privacy laws passed or in the pipeline.

As noted in our post on how GDPR is changing the customer data landscape, the New York Privacy Act looms for marketers. The data privacy measure would mirror the CCPA law closely, with few differences.

For instance, the New York law has no brand revenue requirements. That means it would affect all businesses, regardless of size and earnings, who collect consumers’ personal information in the state.

Meanwhile, Nevada has a new consumer protection law as well. The measure doesn’t offer the same “Do Not Sell My Personal Information” option as the CCPA and defines who a “consumer” is a bit differently. In truth, though, it resembles the California code more than it deviates from it.

And several states nationwide have passed data security laws to hold businesses who suffer data breaches accountable and make them provide instant notifications regarding any breaches that occur.

All in all, more U.S. states (and other countries) will continue to come out with their own versions of the CCPA and GDPR. The U.S. may even develop its own overriding privacy law at some point.

Whatever new rules go into effect, one thing has become evident: Compliance is a must.

Ensuring CCPA compliance

Chances are, your organization experienced some panic in 2018 when attempting to comply with GDPR. (You weren’t alone: Countless companies weren’t prepared for GDPR compliance.)

Now that you’ve had practice, so to speak, ensuring CCPA compliance should be a cinch. All you need is the right consent management platform or functionality in place for your brand.

Consent management: Simple with the right solution

Manual marketing tasks will never go away entirely. Advancements to modern martech, though, means you can automate many of your day-to-day duties. One such task is consent management.

With a customer data platform (CDP) like BlueConic, which has consent management functionality built in, our customers have achieved GDPR compliance with ease.

Simply put, platforms like ours help marketers like you know when consent messaging need to be served to users — like, say, California residents who fall under CCPA jurisdiction.

This, in turn, can help ease any failure-to-comply concerns you have.

As with any other regulations you must comply with, looping in legal is a must. However, a solution like ours can handle arguably the biggest component of consumer data law compliance for you.

Whatever solution you use, just know this type of tech can give your business some breathing room when it comes to CCPA compliance — and keep you focused on the marketing tasks that matter.

data privacy laws

See what BlueConic can do for you.

Whether you’re looking for operational efficiencies or improved marketing effectiveness through data activation, our customer data platform can help.