California's privacy law enforcement starts today: what marketers should know
Enforcement of California's Consumer Privacy Protection Act (CCPA), which took effect Jan. 1, begins today. Here's what marketers should know:
A new way of operating
CCPA grants residents of the Golden State enhanced data privacy rights and control over personal information, including the right to know, the right to delete and the right to opt out of the sale of personal information—as well as additional protections for minors.
“This isn’t a check-the-box type certification or regulation,” says Mark Wagman, managing director at MediaLink. “Don’t let your legal teams or colleagues tell you otherwise.”
CCPA isn’t just a marketing problem, says Wagman. “Anyone who touches your consumers’ personally identifiable information must disclose what information is being collected, disclose how you actually plan on using that data, enable consumers to opt-out and finally, allow these consumers to view and delete that data,” he says.
Enforcement can be retroactive
Because CCPA has been in effect since the start of the year, the state attorney general can choose to charge companies retroactively, meaning that publishers and ad tech vendors need to already be in compliance, says Eric Shiffman, director of product marketing at SpotX, a video ad-serving platform.
“Today, however, is the first date that the attorney general can bring enforcement action in accordance with the law, so we could see some lawsuits for those currently in violation,” says Shiffman.
A nationwide impact
CCPA applies to any business in California that generates at least $25 million in revenue. Companies that make 50 percent of their revenue from buying, selling or gathering consumer data from at least 50,000 California residents are also included.
Other states have similar laws, or intend to, but CCPA has nationwide impact because of its size—the Golden State has 40 million residents—and because so many digital and tech companies are located there.
Penalties can be severe
Those who violate the law are subject to an injunction by the court and a civil penalty of $2,500 for each violation. If a violation is intentional, the penalty escalates to $7,500 for each infraction. Businesses will have 30 days to remedy violations.
"Ultimately, complying with CCPA will be far less expensive than penalties from non-compliance,” says Tom O’Regan, CEO of Madison Logic, an account-based marketing company.
Ben Segal, VP of Americas for MainAd, a programmatic advertising company, says, “Even collecting personal information on 1,000 consumers can result in a fine as steep as $2.5 million. Now is the time for legal to work closely with marketing to have stewardship, systems and messaging in place.”
Consumers are more aware of their rights
Consumers also have the right to request that personal data be deleted, and companies have 45 days to comply. The Interactive Advertising Bureau’s Tech Lab has released a set of standards so brands and ad tech vendors can easily comply with these requests.
“Be ready for more shake-ups,” says Bob Regular, CEO of contextual ad targeting company Infolinks. “Consumers are just now starting to become aware of the depth and scale of data collection in their everyday lives.”
It’s not just privacy groups that are educating consumers and supporting new regulations, Regular adds. “Leading consumer-focused companies, including Apple, are now finding ROI in providing privacy controls to users and are, in the process, shedding light on the scale of the data economy, making a lot of people uncomfortable and causing apps, like TikTok, to rethink some of their data practices,” he says.
Privacy efforts in other states
States are pursuing their own bills following the passage of CCPA. A total of 29 states have either passed or proposed their own privacy laws, according to the International Association of Privacy Professionals (IAPP), a consumer privacy-focused trade body.
Laws in two states, Nevada and Maine, have taken effect. The rest, including proposals in New York, Illinois and Washington, are still moving through the legislative process, according to the IAPP.
A federal law is still far off
“As privacy continues to be a priority for consumers, state governments will continue to react and mirror their constituents' concerns in legislation,” says Rachel Tuffney, exec VP of US operations at Dianomi, a native advertising company. “I anticipate that more states will pass similar laws to California, Maine and Nevada. However, as more of these laws go into effect, advertisers and ad tech will need to continue to be flexible.”
There are several federal laws on the table, including the Consumer Data Privacy and Security Act of 2020, though none have received much attention from lawmakers.
Impact on marketers and brands
Marketers will need to rethink how they obtain consent and engage with customers, says Dona Fraser, VP of children’s advertising review unit for the BBB national programs.
Brands that rely heavily on third parties to manage their consumer data will struggle, says Fraser. “That business model has been turned on its side,” she says. “Brands are now forced to be more transparent about what consumer data they are collecting, how it’s being shared and with whom, and for what duration.”
Cody Cooper, director of data science at digital agency The Shipyard, says CCPA will also impact analytics. “Companies will need to be more deliberative and purposeful in the types of data they are collecting instead of relying on a ‘collect everything and see’ philosophy,” Cooper says. “This will likely have downstream impacts on any predictive modeling that is conducted to support personalization or optimization efforts.”
A replacement for CCPA is on the November ballot
CCPA might soon be replaced with the California Privacy Rights Act, or CPRA, which will be on the November ballot after receiving more than 600,000 petition signatures statewide. Both laws are the efforts of real estate investor Alastair Mactaggart, who uses his own money to support consumer privacy rights. If approved, CRPA would significantly build on CCPA, but it won’t go into effect until 2023, says Ian Lowe, VP of marketing at Crownpeak, a consultancy that also provides privacy consent services.
“We can safely assume at this point that it will pass,” Lowe says. “This new law will significantly broaden the existing protections of the CCPA, bringing many of the privacy rights valid under GDPR [the European Union's General Data Protection Regulation] to California consumers.”
Lowe believes the long-term trend will result in increasing regulation focused on consumer rights in regard to their data, including tracking information. “Businesses across all industries need to expect and be prepared for this,” says Lowe. “There is likely to be less personal and online tracking data available. Business models that rely on bulk collection of such data need to be re-examined.”