Enforcement of California's Consumer Privacy Protection Act (CCPA), which took effect Jan. 1, begins today. Here's what marketers should know:
A new way of operating
CCPA grants residents of the Golden State enhanced data privacy rights and control over personal information, including the right to know, the right to delete and the right to opt out of the sale of personal information—as well as additional protections for minors.
“This isn’t a check-the-box type certification or regulation,” says Mark Wagman, managing director at MediaLink. “Don’t let your legal teams or colleagues tell you otherwise.”
CCPA isn’t just a marketing problem, says Wagman. “Anyone who touches your consumers’ personally identifiable information must disclose what information is being collected, disclose how you actually plan on using that data, enable consumers to opt-out and finally, allow these consumers to view and delete that data,” he says.
Enforcement can be retroactive
Because CCPA has been in effect since the start of the year, the state attorney general can choose to charge companies retroactively, meaning that publishers and ad tech vendors need to already be in compliance, says Eric Shiffman, director of product marketing at SpotX, a video ad-serving platform.
“Today, however, is the first date that the attorney general can bring enforcement action in accordance with the law, so we could see some lawsuits for those currently in violation,” says Shiffman.
A nationwide impact
CCPA applies to any business in California that generates at least $25 million in revenue. Companies that make 50 percent of their revenue from buying, selling or gathering consumer data from at least 50,000 California residents are also included.
Other states have similar laws, or intend to, but CCPA has nationwide impact because of its size—the Golden State has 40 million residents—and because so many digital and tech companies are located there.
Penalties can be severe
Those who violate the law are subject to an injunction by the court and a civil penalty of $2,500 for each violation. If a violation is intentional, the penalty escalates to $7,500 for each infraction. Businesses will have 30 days to remedy violations.
"Ultimately, complying with CCPA will be far less expensive than penalties from non-compliance,” says Tom O’Regan, CEO of Madison Logic, an account-based marketing company.
Ben Segal, VP of Americas for MainAd, a programmatic advertising company, says, “Even collecting personal information on 1,000 consumers can result in a fine as steep as $2.5 million. Now is the time for legal to work closely with marketing to have stewardship, systems and messaging in place.”
Consumers are more aware of their rights
Consumers also have the right to request that personal data be deleted, and companies have 45 days to comply. The Interactive Advertising Bureau’s Tech Lab has released a set of standards so brands and ad tech vendors can easily comply with these requests.
“Be ready for more shake-ups,” says Bob Regular, CEO of contextual ad targeting company Infolinks. “Consumers are just now starting to become aware of the depth and scale of data collection in their everyday lives.”
It’s not just privacy groups that are educating consumers and supporting new regulations, Regular adds. “Leading consumer-focused companies, including Apple, are now finding ROI in providing privacy controls to users and are, in the process, shedding light on the scale of the data economy, making a lot of people uncomfortable and causing apps, like TikTok, to rethink some of their data practices,” he says.
Privacy efforts in other states
States are pursuing their own bills following the passage of CCPA. A total of 29 states have either passed or proposed their own privacy laws, according to the International Association of Privacy Professionals (IAPP), a consumer privacy-focused trade body.
Laws in two states, Nevada and Maine, have taken effect. The rest, including proposals in New York, Illinois and Washington, are still moving through the legislative process, according to the IAPP.