Over the past two years, two regulations have had a major impact on digital marketers – GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act). As you probably recall, the EU law went into effect in May 2018 to ensure data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA) and companies doing business in those areas.
This year, we’re all gearing up for the CCPA. The Act came into effect January 1, 2020, and is reported to be among the most stringent data protection privacy laws in the U.S.
Focusing on the privacy rights of individuals, CCPA regulates the way marketers handle personal information of California residents. If a business has over $25M in annual revenue, processes (buys, sells, receives, or shares) 50,000 or more California consumer records each year, or earns 50 percent or more of its annual revenue from selling personal information of California residents, it must comply with CCPA. CCPA also applies to companies that share common branding (name, service mark or trademark) with a business that meets the criteria. This includes marketing agencies, online payment processing vendors, and digital marketing technology companies, for example. If your business doesn’t fall within the criteria outlined above but is a service provider to a company that does fit the criteria, you should still be knowledgeable about CCPA requirements.
While GDPR’s roots are European and CCPA’s are in California, both regulations have had a ripple effect on businesses around the globe, forcing businesses to provide greater transparency and institute more stringent business processes around customer data.
It’s no wonder when you look at the fines. The fines for failing to comply with GDPR range from 10 million euros to four percent of the company’s annual global turnover, which could add up to billions for some companies. Businesses that don’t comply with CCPA can face a maximum fine of $750 per consumer or violation. For example, if a business collects data from 1,000 California residents without complying with CCPA, they can face fines of up to $750,000. Also, if a business doesn’t meet certain data security requirements, consumers can demand that it be fixed within 30 days or the business risks legal action. Some might think it’s easy to just suppress California contacts from a campaign list, but that’s short-sighted. Let’s not forget that with a population of 39.5 million, California is the world’s sixth largest economy according to the Bureau of Economic Analysis.
Both GDPR and CCPA have driven digital marketers to update back-end systems, review privacy statements, update third-party contracts, audit contact lists, and confirm subscribers. While these actions can be time-consuming and costly, they create opportunities for digital marketers to elevate their presence in customers’ inboxes.
CCPA is the latest example of the rising demand for transparency of collection and management of customer data. We can likely expect other states to follow suit with CCPA and institute even more strict regulations and fines to protect consumers.
Maryland, Mississippi, New York and North Dakota have similar legislation in the works. Though a majority of the new laws copy the structure of the CCPA, there are some notable places where they diverge, which will complicate prospective compliance efforts. The most critical area is enforcement. CCPA provides a private right of action only for the unauthorized disclosure of unencrypted, sensitive data. Massachusetts would extend the private right of action to any violation of its privacy law. Three of the state laws (Mississippi, New Mexico, and Rhode Island) extend a private right of action to any unauthorized disclosure of personal information, regardless of the sensitivity of the data and the potential risk to the consumer.
Similarly, while all these new state laws try to protect consumer privacy, the degree of specificity and format requirements vary, which will likely increase criticisms that privacy policies are written in legalese and too difficult to understand.
The result is that businesses may have to implement multiple layers of protection in privacy policies for consumers in different states, even when the underlying data practices are the same nationally.
The Consumer Bankruptcy database we compile is considered public information which is gathered by the courts and is not subject to the CCPA. The BK data is regulated by the Fair Credit Reporting Act and we are not a Credit Reporting Agency.
We will keep you abreast of the ever-changing data collection landscape as it continues to unfold.