Over the past two years, two regulations have had a major impact on digital marketers – GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act). As you probably recall, the EU law went into effect in May 2018 to ensure data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA) and companies doing business in those areas.
This year, we’re all gearing up for the CCPA. The Act came into effect January 1, 2020, and is reported to be among the most stringent data protection privacy laws in the U.S.
Focusing on the privacy rights of individuals, CCPA regulates the way marketers handle personal information of California residents. If a business has over $25M in annual revenue, processes (buys, sells, receives, or shares) 50,000 or more California consumer records each year, or earns 50 percent or more of its annual revenue from selling personal information of California residents, it must comply with CCPA. CCPA also applies to companies that share common branding (name, service mark or trademark) with a business that meets the criteria. This includes marketing agencies, online payment processing vendors, and digital marketing technology companies, for example. If your business doesn’t fall within the criteria outlined above but is a service provider to a company that does fit the criteria, you should still be knowledgeable about CCPA requirements.
While GDPR’s roots are European and CCPA’s are in California, both regulations have had a ripple effect on businesses around the globe, forcing businesses to provide greater transparency and institute more stringent business processes around customer data.
It’s no wonder when you look at the fines. The fines for failing to comply with GDPR range from 10 million euros to four percent of the company’s annual global turnover, which could add up to billions for some companies. Businesses that don’t comply with CCPA can face a maximum fine of $750 per consumer or violation. For example, if a business collects data from 1,000 California residents without complying with CCPA, it can face fines of up to $750,000. Also, if a business doesn’t meet certain data security requirements, consumers can demand that it be fixed within 30 days or the business risks legal action. Some might think it’s easy to just suppress California contacts from a campaign list, but that’s short-sighted. Let’s not forget that with a population of 39.5 million, California is the world’s sixth largest economy according to the Bureau of Economic Analysis.
Both GDPR and CCPA have driven digital marketers to update back-end systems, review privacy statements, update third-party contracts, audit contact lists, and confirm subscribers. While these actions can be time-consuming and costly, they create opportunities for digital marketers to elevate their presence in customers’ inboxes.
CCPA is the latest example of the rising demand for transparency of collection and management of customer data. We can likely expect other states to follow suit with CCPA and institute even more strict regulations and fines to protect consumers.
Maryland, Mississippi, New York and North Dakota have similar legislation in the works. Though a majority of the new laws copy the structure of the CCPA, there are some notable places where they diverge, which will complicate prospective compliance efforts. The most critical area is enforcement. CCPA provides a private right of action only for the unauthorized disclosure of unencrypted, sensitive data. Massachusetts would extend the private right of action to any violation of its privacy law. Three of the state laws (Mississippi, New Mexico, and Rhode Island) extend a private right of action to any unauthorized disclosure of personal information, regardless of the sensitivity of the data and the potential risk to the consumer.
Similarly, while all these new state laws try to protect consumer privacy, the degree of specificity and format requirements vary, which will likely increase criticisms that privacy policies are written in legalese and too difficult to understand.
The result is that businesses may have to implement multiple layers of protection in privacy policies for consumers in different states, even when the underlying data practices are the same nationally.
The Consumer Bankruptcy database we compile is considered public information, which is gathered by the courts and is not subject to the CCPA. The BK data is regulated by the Fair Credit Reporting Act and we are not a Credit Reporting Agency.
We will keep you abreast of the ever-changing data collection landscape as it continues to unfold.
January 1, 2020 – CCPA
The California Consumer Privacy Act (CCPA) will be enforced on January 1, 2020. We were nervous when the GDPR (General Data Protection Regulation) came into play, and that only governs the use of E.U. citizens’ data. The California law applies to personal data on any state resident, regardless of the location of the marketer. Many believe this is only the first of many states to follow.
Companies that are not compliant with CCPA are subject to hefty monetary penalties, though a recent study of US brands reflected that 56% of businesses surveyed don’t believe they will be compliant by the January 1 kick-off.
In the survey, many businesses cited the cost to become compliant as a major obstacle and equal to the price of a full-time employee. Some companies feel their business isn’t big enough to be subject to the law, or don’t think it applies to them.
To comply with CCPA, marketers must be able to respond to Californians’ requests about their personal data. Californians can:
• Know what personal data is being collected
• Request details on how their data is being processed
• Access their personal data
• Request to have their personal data deleted
• Know whether their personal data is sold or disclosed to third parties
• Decline or opt out of the sale of their personal data
Many believe that the CCPA is complicated, and it is poorly written, leaving a lot of the verbiage open to interpretation.
The main goal of the law is to regulate the collection and sale of Personally Identifiable (PI) consumer data to third parties and service providers. You do not need to get paid for the data. If you disclose it to another party, it is considered a transaction. Using outside vendors to help manage your data is not a problem, because you are the controlling party.
Now, individuals can tell you to stop disclosing their data to others, and you must comply. One cannot deny goods or services to anyone because of their data opt-out, and that is making for a slippery slope. In order to know you are not supposed to have data on an individual, you must have that individual in your database. And since it is likely you must have data on an individual in order to do business with him or her, how do you conduct business with data exceptions? One writer compared it to the Eagles’ tune “Hotel California”: “you can check out any time you like, but you can never leave.”
CA Consumer Privacy Act
Starting January 1, California’s Consumer Privacy Act (CCPA) will require all California for-profit businesses to disclose to consumers upon request the specifics of the personal information collected and its sources. Consumers can also require companies to delete personal information, refrain from selling it, and pursue legal action for failure to comply.
As the start date for the law draws near, giants like Google, Amazon, and Facebook are working to help push through amendments that will make the law easier on businesses.
California is the first government in the US to regulate how businesses retain and use electronic consumer data. The legislation is the first response to the European Union’s GDPR, enacted last year. The General Data Protection Regulation allows the EU the power to fine companies that violate its consumer privacy protections. Google was slapped with a $57 million fine for failing to disclose data collection tactics to consumers, and Facebook is under several investigations from the GDPR governing body.
Personal information protected by CCPA includes:
- search and browsing history
- geolocation data
- IP addresses
- email addresses
- purchase records
- records on consumption histories and tendencies
- professional and employment information
- educational information
- audio, visual and thermal information
Fines for non-compliance range from $2,500 (if unintentional) to $7,500 per violation (if intentional) for companies that fail to cure alleged violations within 30 days.
As efforts to pass federal privacy legislation in Congress have languished, states have stepped up their pace. According to the National Law Review, five other states — Hawaii, Maryland, Massachusetts, Mississippi, and New Mexico — have introduced CCPA-like privacy bills as of March 2019. Another three states — New York, North Dakota and Washington — have put forth consumer privacy bills to protect personal data.
A federal bill introduced in the Senate in December, The Data Act of 2018, remains in committee. As proposed, among other protections, the legislation would prevent “online service providers” from using individual identifying data in any way that would benefit the online service provider to the detriment of an end user.