California Consumer Privacy Act (CCPA), Explained

Privacy & Consent Management|7 Minute Read

California Consumer Privacy Act (CCPA), Explained

UPDATED (December 2019): With the CCPA now imminent, we’ve added some of the latest news and insights that can help you ensure CCPA compliance for your business in 2020 and beyond.

The California Consumer Privacy Act of 2018 (CCPA) hasn’t even gone into effect in the Golden State. And yet, marketers already refer to the impending law as “California GDPR” and “GDPR in the U.S.”

Comparisons to the General Data Protection Regulation (GDPR) were inevitable — and not far off.

The CCPA law will incorporate many of the same elements as its European Union counterpart: consent management options for California residents and customer data collection rules for brands.

Let’s get into how the California data protection law ultimately came to be, the nitty-gritty of the new CCPA requirements (and what comparisons can be made to the GDPR requirements), and the overall impact the consumer data privacy law will have on businesses — including yours.

What is the CCPA?

From what led to the legislation to how organizations reacted, here are the basics of the California Consumer Privacy Act of 2018 every marketing professional and business leader should know.

A brief California Consumer Privacy Act timeline

A mere month after GDPR was enforced for companies conducting business in the EU, California lawmakers proposed Assembly Bill No. 375, now officially known as — well, you know.

The CCPA text from state legislators shows the measure aligns with other right-of-privacy laws previously enacted in California, such as the Online Privacy Protection Act of 2003.

However, the main impetus for the CCPA regulation proposal in mid-2018 ultimately came from GDPR: California Assembly members wanted to implement similarly stringent consumer protection laws to ensure brands responsibly and ethically used and managed customer info for state residents.

Eventually, the CCPA passed the state house. At long last, California lawmakers were able to provide its residents with the data transparency, control, and accountability they saw imposed in GDPR.

The CCPA’s effects on consumer data and brands

Without covering territory you’re likely familiar with already, the CCPA law breaks down like this:

  • The California Attorney General’s office heard from state lawmakers, who basically noted consumers have rights regarding how their information (name, home address, IP address, and other unique identifiers) is collected and what brands do with that info is used (targeted advertising from tracking, selling data to third parties, etc.).
  • After much deliberation, a final version of the CCPA was passed in June 2018 (though the final proposed draft rules for the California data protection law were only just released in October 2019). The legislation deemed that as a business collects (or, technically, attempts to collect) info from their audience — like through third-party cookies — they must give users a right to opt out.
  • What’s more, the measure specifies brands must offer consumers an “opt-out-of-the-sale” option, letting them tell companies they do not have the right to sell their personal information or use it for any commercial purposes. (Gov. Gavin Newsom has since approved seven new bills to augment the CCPA.)

As the latest, comprehensive consumer privacy act, CCPA includes many of the same features that hold brands liable for misuse of customer information (their data, essentially — just not explicitly stated as such in the fine print) and, at the end of the day, give consumers some peace of mind.

In short, many in California, including consumer advocacy groups, are now satisfied. As for brands …

Mixed CCPA reactions across various industries

As with the GDPR, CCPA sparked lots of debate and opinions among business leaders who operate in California — and even those who don’t. To say the reaction was mixed is an understatement.

In California, CCPA proponents laud the law for finally acting on behalf of consumers. Some companies are even calling for amendments to tighten the CCPA law even further.

On the flip side, a number of tech lobbyists oppose the CCPA. Trade groups representing tech giants like Apple and Facebook argue the regulation goes too far to protect consumers.

Some businesses were especially displeased with the potential for class-action lawsuits levied against them to go along with fines (assuming their gross annual income exceeds $25 million.)

The debate is likely to continue (shocker) until CCPA goes into effect on January 1, 2020. Until then, you can expect many more think pieces about the impending law (and more analysis from us).

CCPA vs. GDPR: How they differ

Whatever you think about the CCPA, one thing remains clear: It’s not exactly the same as GDPR.

While the two share many similarities, they are really two distinct consumer data/info laws.

This “CCPA-vs.-GDPR” breakdown showcases the primary differences between the two:

ccpa vs gdpr

As you can see, these are modest distinctions. As for similarities between CCPA and GDPR, there are too many to name. The laws basically have two primary objectives in common:

  • Goal #1: Protect consumers’ personal data/info and give them control about how it’s used.
  • Goal #2: Continually and consistently hold brands accountable for customer data/info use.

With data privacy legislation now approved in California, CCPA advocates will now pay close attention to whether the regulation can truly keep consumers’ information safe.

Meanwhile, brands that work in the state will (presumably, hopefully, finally) get consent management platforms, if they haven’t already done so to comply with GDPR, so they can do the same for the CCPA.

(More on that shortly.)

CCPA paves way for privacy laws

California is certainly leading the way in the United States in terms of states adopting consumer data legislation. However, it’s far from the only one with privacy laws passed or in the pipeline.

As noted in our post on how GDPR is changing the customer data landscape, the New York Privacy Act looms for marketers. The data privacy measure would mirror the CCPA law closely, with few differences.

For instance, the New York law has no annual gross revenue requirements. That means it would affect all businesses, regardless of size and earnings, who collect consumers’ personal information in the state.

Meanwhile, Nevada has a new consumer protection law as well. The measure doesn’t offer the same “Do Not Sell My Personal Information” option as the CCPA and defines who a “consumer” is a bit differently. In truth, though, it resembles the California code more than it deviates from it.

And several states nationwide have passed data security laws to hold businesses who suffer data breaches accountable and make them provide instant notifications regarding any breaches that occur.

All in all, more U.S. states (and other countries) will continue to come out with their own versions of the CCPA and GDPR. The U.S. may even develop its own overriding privacy law at some point.

Whatever new rules go into effect, one thing has become evident: CCPA compliance is a must.

ccpa compliance checklist

Ensuring CCPA compliance

Chances are, your organization experienced some panic in 2018 when attempting to comply with GDPR. (You weren’t alone: Countless companies weren’t prepared for GDPR compliance.)

As of August 2019, the data privacy law compliance situation appears to be repeating itself, as just 8% of brands say they’re prepared for CCPA compliance once the consumer regulation begins.

With the IAB CCPA Compliance Framework finalized — new data access provisions for brands, language around what constitutes a consumer or household, etc. — it can certainly be tough t to keep up with the latest additions and revisions to the California Consumer Privacy Act.

If you operate in California (or plan to once the measure is signed into law), CCPA compliance should be a top priority. Chances are, your leadership team has recognized as much already. Now all you need is the right consent management platform or functionality in place for your brand.

Consent management: Simple with the right solution

As you might’ve expected, there are many facets to CCPA compliance, including how you and your team go about collecting and storing info for all contacts in your database solutions — like a CDP.

Manual marketing tasks will never go away entirely. Advancements to modern martech, though, means you can automate many of your day-to-day duties. One such task is consent management.

With a customer data platform like BlueConic, which has consent management functionality built in, our customers have achieved GDPR compliance since its inception with ease.

Simply put, platforms like ours help marketers like you know when consent messaging need to be served to users — like, say, California residents who fall under CCPA jurisdiction.

This, in turn, can help ease any CCPA compliance concerns you have.

As with any other regulations you must comply with, looping in legal is a must. However, a solution like ours can handle arguably the biggest component of consumer data law compliance for you.

Whatever solution you use, just know this type of tech can give your business some breathing room when it comes to CCPA compliance — and keep you focused on the marketing tasks that matter.

data privacy laws

See what BlueConic can do for you.

Whether you’re looking for operational efficiencies or improved marketing effectiveness through data activation, our customer data platform can help.