California Consumer Privacy Act, Explained

Privacy & Consent Management|8 Minute Read

California Consumer Privacy Act, Explained

After many months of waiting for marketing professionals and brands worldwide, the California Consumer Privacy Act (CCPA) is finally in effect in the Golden State.

What does it mean? Well, if your organization operates (or plans to do business) in the state of California, it’s time to ensure complete compliance with the data law.

It also means ensuring any requests from your audience to delete their customer data from your database entirely and notifying them within 45 days of said request that the task has been handled accordingly is now an absolute must for your brand.

From names and email addresses to browsing history and geolocation data, it’s on marketing to ensure consent statuses are always up-to-date and accurate for contacts.

So, it’s time to ask yourself: Are you, your marketing team, and your company at-large compliant with the federal law many call “California GDPR” and “GDPR in the U.S.”?

california consumer privacy act ccpa

What is the CCPA? A breakdown of the California Consumer Privacy Act of 2018

Comparisons to the General Data Protection Regulation (GDPR) were inevitable for the CCPA — and, honestly, not far off, based on the final amendments to the California law.

The CCPA regulation will incorporate many of the same elements as its European Union counterpart — namely consent management options for California residents (the chance to “opt out” of messaging and data use) and customer data collection rules for brands.

Let’s get into how the California data protection law ultimately came to be, the nitty-gritty of the CCPA requirements (and what comparisons can be made to GDPR), and the overall impact the consumer data privacy law will have on businesses — including yours.

From what led to the legislation to how organizations reacted, here are the basics of the California Consumer Privacy Act every marketer and business leader should know.

A brief California Consumer Privacy Act timeline

A mere month after GDPR was enforced for companies operating in the EU, California lawmakers proposed Assembly Bill No. 375, now officially known as — well, you know.

The CCPA text from state legislators shows the measure aligns with other right-of-privacy laws previously enacted in California, such as the Online Privacy Protection Act of 2003.

However, the main impetus for the CCPA regulation proposal in mid-2018 ultimately came from GDPR: California Assembly members wanted to implement similarly stringent consumer protection laws to ensure brands responsibly and ethically used and managed customer info for state residents.

Eventually, the CCPA passed the state house.

At long last, California lawmakers were able to provide its residents with the data transparency, control, and accountability they saw imposed in GDPR.

The CCPA regulation’s effects on consumers and brands

Without covering territory you’re already familiar with, the CCPA law breaks down like this:

  • The California Attorney General’s office heard from state lawmakers, who basically noted consumers have rights regarding how their information (name, home address, IP address, and other unique identifiers) is collected and what brands do with that info is used (targeted advertising from tracking, selling data to third parties, etc.).
  • After much deliberation, a final version of the CCPA was passed in June 2018 (though the final proposed draft rules for the California data protection law were only just released in October 2019). The legislation deemed that as a business collects (or, technically, attempts to collect) info from their audience — like through third-party cookies — they must give users a right to opt out.
  • What’s more, the measure specifies brands must offer consumers an “opt-out-of-the-sale” option, letting them tell companies they do not have the right to sell their personal information or use it for any commercial purposes. (Gov. Gavin Newsom has since approved seven new bills to augment the CCPA.)

As the latest, comprehensive consumer privacy act, CCPA includes many of the same features that hold brands liable for misuse of customer information (their data, essentially — just not explicitly stated as such in the fine print) and, at the end of the day, give consumers some peace of mind.

The consequences of abiding by your audience’s data deletion requests and overall consent preferences? According to the fine print of the California law, damages can amount to anywhere from $100 to $750 per contact per incident (or the actual damages, whichever is greater).

In short, many residents and entities in California, including and especially consumer advocacy groups, are now satisfied. As for brands …

Mixed CCPA law reactions across various industries

As with the GDPR, the CCPA sparked lots of debate among business leaders who operate in California — and even those who don’t. To say the reaction was mixed is an understatement.

In California, CCPA proponents laud the law for finally acting on behalf of consumers. Some companies are even calling for amendments to tighten the CCPA law even further.

On the flip side, many lobbyists for tech companies oppose the CCPA. Trade groups representing tech giants like Apple and Facebook argue the regulation goes too far to protect consumers.

Some businesses were especially displeased with the potential for class-action lawsuits levied against them along with fines (assuming their gross annual income exceeds $25 million.)

The debate is likely to continue, even with the CCPA now in effect.

CCPA vs. GDPR: How the data privacy regulations stack up against one another

Whatever you think about the CCPA, one thing is clear: It’s not exactly the same as GDPR.

While the two share many similarities, they are really two distinct consumer data/info laws.

This “CCPA-vs.-GDPR” breakdown showcases the primary differences between the two:

ccpa vs gdpr

As you can see, these are modest distinctions. As for similarities between CCPA and GDPR, there are too many to name. The laws basically have two primary objectives in common:

  • Goal #1: Protect consumers’ personal data/info and give them control about it’s use.
  • Goal #2: Continually and consistently hold brands accountable for data/info use.

With data privacy legislation now approved in California, CCPA advocates will now pay close attention to whether the regulation can truly keep consumers’ information safe.

Meanwhile, brands that work in the state will (presumably, hopefully, finally) get consent management platforms, if they haven’t already done so to comply with GDPR, so they can do the same for the CCPA.

(More on that shortly.)

The CCPA requirements a blueprint for future consumer data measures worldwide

California is certainly leading the way in the United States in terms of states adopting consumer data legislation. However, it’s far from the only one with privacy laws passed or in the pipeline.

As noted in our post on how GDPR is changing the customer data landscape, the New York Privacy Act looms for marketers. The data privacy measure would mirror the CCPA law closely, with few differences.

For instance, the New York law has no annual gross revenue requirements. That means it would affect all businesses, regardless of size and earnings, who collect consumers’ personal information in the state.

Meanwhile, Nevada has a new consumer protection law as well. The measure doesn’t offer the same “Do Not Sell My Personal Information” option as the CCPA and defines who a “consumer” is a bit differently. In truth, though, it resembles the California code more than it deviates from it.

And several states nationwide have passed data security laws to hold businesses who suffer data breaches accountable and make them provide instant notifications regarding any breaches that occur.

All in all, more U.S. states (and other countries) will continue to come out with their own versions of the CCPA and GDPR. The U.S. may even develop its own overriding privacy law.

Whatever new rules go into effect, one thing is now evident: CCPA compliance is a must.

ccpa compliance checklist

Ensuring total California Consumer Privacy Act compliance an absolute must

Chances are, your brand experienced some panic in 2018 when attempting to comply with GDPR. (You weren’t alone: Countless companies weren’t prepared for GDPR compliance.)

As of August 2019, the data privacy law compliance situation appears to be repeating itself, as just 8% of brands say they’re prepared for CCPA compliance once the consumer regulation begins.

With the IAB CCPA Compliance Framework finalized — new data access provisions for brands, language around what constitutes a consumer or household, etc. — it can certainly be tough t to keep up with the latest additions and revisions to the CCPA.

If you operate in California (or plan to once the measure is signed into law), CCPA compliance should be a top priority. Chances are, your leadership team has recognized as much already. Now all you need is the right consent management platform or functionality in place for your brand.

Consent management: Simple with the right solution

As you might’ve expected, there are many facets to CCPA compliance, including how you and your team go about collecting and storing info for all contacts in your database solutions — like a CDP.

Manual marketing tasks will never go away entirely. Advancements to modern martech, though, means you can automate many of your day-to-day duties — like consent management.

With a customer data platform like BlueConic, which has consent management functionality built in, our customers have achieved GDPR compliance since its inception with ease.

Simply put, platforms like ours help marketers like you know when consent messaging need to be served to users — like, say, California residents who fall under CCPA jurisdiction.

This, in turn, can help ease any CCPA compliance concerns you have.

As with any other regulations you must comply with, looping in legal is a must. However, a solution like ours can handle arguably the biggest component of consumer data law compliance for you.

Whatever solution you use, just know this type of tech can give your business some breathing room when it comes to CCPA compliance — and keep you focused on the marketing tasks that matter.

Watch our on-demand webinar to get insights into how the California Consumer Privacy Act of 2018 will impact your marketing strategy in the long term.

california consumer privacy act ccpa

See what BlueConic can do for you.

Whether you’re looking for operational efficiencies or improved marketing effectiveness through data activation, our customer data platform can help.