CCPA: California Consumer Privacy Act, Explained


The much-discussed California Consumer Privacy Act of 2018 (CCPA) is officially in effect for ‘data processors’ (a.k.a. companies) who operate in the Golden State.

And it’s now (well past) time to ensure you comply with the CCPA in its entirety.

It also means complying with consumer requests to delete their data (and notifying them within 45 days of said request) is now an absolute must for your business.

From names and email addresses to browsing history and geolocation data, it’s on companies to which the CCPA applies (i.e., businesses with sizable customer databases) to ensure individuals’ consent statuses are always up-to-date, accurate, and used properly.

So, it’s time to ask yourself: Is your company fully compliant with the federal law many call “California GDPR” and “GDPR in the U.S.”?

If not, it’s time to address your organization’s consent management strategy (or lack thereof) and implement a game plan to ensure CCPA compliance.

What is the CCPA? A breakdown of the California Consumer Privacy Act of 2018

Comparisons to the General Data Protection Regulation (GDPR) were inevitable for the CCPA. And, honestly, they’re not far off, based on the final amendments to the California law and categories of personal information covered in the wide-ranging measure.

The CCPA regulation has many of the same elements as its European Union counterpart.

Namely, it mandates consent options for California residents (i.e., chance to “opt out” of messaging and data use via ‘personal information link’) and data collection rules for brands.

Let’s get into how the California data protection law ultimately came to be, the nitty-gritty of the CCPA requirements (and what comparisons can be made to GDPR), and the overall impact the consumer data privacy law will have on businesses — including yours.

From what led to the legislation to how organizations reacted, here are the basics of the California Consumer Privacy Act every marketer and business leader should know.

A brief California Consumer Privacy Act timeline

A mere month after GDPR was enforced for companies operating in the EU, California lawmakers proposed Assembly Bill No. 375, now officially known as — well, you know.

The CCPA text from state legislators and the Office of the Attorney General shows the measure aligns with other right-of-privacy laws previously enacted in California, such as the Online Privacy Protection Act of 2003.

However, the main impetus for the CCPA regulation proposal in mid-2018 ultimately came from GDPR: California Assembly members wanted to implement similarly stringent consumer protection laws to ensure brands responsibly and ethically used and managed customer info for state residents.

Eventually, the CCPA passed the house.

At long last, California lawmakers were able to provide their residents with the data transparency, control, and accountability they saw imposed in GDPR.

The CCPA regulation’s effects on consumers and brands

Without covering territory you’re already familiar with, the CCPA law breaks down like this:

  • The California Attorney General’s office heard from state lawmakers, who basically noted consumers have rights regarding how their information (name, home address, IP address, and other unique identifiers) is collected and how brands use that info (targeted advertising from tracking, selling data to third parties, etc.).
  • After much deliberation, a final version of the CCPA was passed in June 2018 (though the final proposed draft rules for the California data protection law were only just released in October 2019). The legislation deemed that as a business collects (or, technically, attempts to collect) info from their audience — like through third-party cookies — they must give users a right to opt out.
  • What’s more, the measure specifies brands must offer consumers an “opt-out-of-the-sale” option, letting them tell companies they do not have the right to sell their personal information or use it for any commercial purposes. (Gov. Gavin Newsom has since approved seven new bills to augment the CCPA.)

As the latest, comprehensive consumer privacy act, CCPA includes many of the same features that hold brands liable for misuse of customer information (their data, essentially — just not explicitly stated as such in the fine print) and, at the end of the day, give consumers some peace of mind.

The consequences of not abiding by data deletion requests and consent preferences?

According to the fine print of the California law, damages can amount to anywhere from $100 to $750 per contact per incident (or the actual damages, whichever is greater).

In short, many residents and entities in California, including and especially consumer advocacy groups, are now satisfied. As for companies impacted by the law …

Mixed CCPA law reactions across various industries

As with the GDPR, the CCPA sparked lots of debate among business leaders who operate in California — and even those who don’t. To say the reaction was mixed is an understatement.

In California, CCPA proponents laud the law for finally acting on behalf of consumers. Some execs are even calling for amendments to tighten the CCPA law further.

(Update: This did occur, with the passage of the California Privacy Rights Act.)

Conversely, lobbyists for tech companies oppose the CCPA. Trade groups representing the likes of Apple and Facebook argue the law goes too far to protect consumers.

Some businesses were displeased with the potential for class-action lawsuits levied against them along with fines (assuming their gross annual income exceeds $25 million).

The debate is likely to continue, even with the CCPA now in effect.

The CCPA requirements a blueprint for future consumer data measures worldwide

California is leading the way in the United States in terms of states adopting consumer data legislation. However, it’s far from the only one with laws passed (or in the pipeline).

As noted in our post on how GDPR is changing the customer data landscape, the New York Privacy Act looms for marketers.

The data privacy measure would mirror the CCPA law closely, with few differences.

For instance, the New York law has no annual gross revenue requirements. That means it would affect all businesses, regardless of size and earnings, who collect consumers’ info.

Meanwhile, Nevada has a new consumer protection law as well.

The measure doesn’t offer the same “Do Not Sell My Personal Information” option as the CCPA and defines who a “consumer” is a bit differently.

In truth, though, it resembles the California code more than it deviates from it.

And several states nationwide have passed data security laws to hold businesses who suffer data breaches accountable and make them provide instant notifications regarding any breaches that occur.

All in all, more U.S. states (and other countries) will continue to come out with their own versions of the CCPA and GDPR. The U.S. may even develop its own overriding privacy law.

Whatever new rules go into effect, one thing is now evident: CCPA compliance is a must.

Ensuring total California Consumer Privacy Act compliance an absolute must

Chances are, your brand experienced some panic in 2018 when attempting to comply with GDPR. (You weren’t alone: Countless companies weren’t prepared for GDPR compliance.)

As of August 2019, the data privacy law compliance situation repeated itself, as just 8% of brands said they were prepared for compliance once the regulation ‘begins.’

With the IAB CCPA Compliance Framework finalized — new data access provisions for brands, language around what constitutes a consumer or household, etc. — it can certainly be tough to keep up with the latest additions and revisions to the CCPA.

If your company operates in California (or plans to once the measure is signed into law), complying with the consumer measure should be a top priority.

Chances are, your leadership team has recognized as much already. Now all you need is the right consent management platform or functionality in place for your brand.

Consent management: Simple with the right solution

As you might’ve expected, there are many facets to CCPA compliance, including how you and your team go about collecting and storing info for all contacts in your database solutions — like a CDP.

Manual marketing tasks will never go away entirely. Advancements in tech, though, mean you can automate many of your day-to-day duties. Like consent management.

With a CDP with consent management functionality built in, like BlueConic, organizations have been able to achieve GDPR compliance with ease since its inception.

Simply put, platforms like ours help marketers like you know when consent messaging needs to be served to users — like, say, California residents who fall under CCPA jurisdiction. This, in turn, can help ease any CCPA compliance concerns you have.

As with any other laws you must comply with, looping in legal is a must. However, a solution like ours can handle arguably the biggest component of data compliance for you.

Whatever solution you use, just know this type of solution can give your C-suite some breathing room when it comes to CCPA compliance — and keep your tech users focused on their core tasks that matter: from lifecycle orchestration to multi-dimensional segmentation.

Watch our webinar to get insights into how the CCPA will impact your marketing — and how a CDP like BlueConic can help you comply and streamline consent management.
