Just a month after the EU General Data Protection Regulation became effective, California enacted the Consumer Privacy Act of 2018, which has caused almost as much concern among organizations doing business there. Given the size of the state’s population and economy, a huge number of both domestic and international companies will be covered by the law when it becomes effective on January 1, 2020.
What the CCPA Requires
The CCPA includes several requirements that will be familiar to those still enjoying the obligations of the GDPR. Consumers have the right to request access to the personal information a business holds about them, as well as the right to request that their information be deleted, subject to certain exceptions – again, not unlike the GDPR. In response to an access request, a business must disclose the categories of personal information it has collected, the specific pieces of information held on the individual, the business or commercial purposes for collecting it, and the categories of third parties with whom it has shared the information, whether by selling the data or simply engaging a service provider.
In a reflection of what seems inevitable in the U.S., the CCPA defines personal information as broadly as the GDPR does, with geolocation, IP address, biometrics, and even household details all included. Where the GDPR covers “information relating to an identified or identifiable natural person,” the CCPA covers information that could reasonably be linked, directly or indirectly, with a particular consumer or household; in practice the two definitions sweep in much the same data. This is a more expansive view than U.S. rules have typically taken, and because of California’s population (largest in the U.S.) and economy (5th-largest in the world), businesses will likely have to adopt these definitions and operational rigors as the new normal.
The broad territorial sweep of the CCPA continues with its definition of the “business” subject to these rules. A “business” is a for-profit legal entity that does business in California, “determines the purposes and means of” processing personal information, AND meets at least one of the following:
- Has annual gross revenue of at least $25 million
- Alone or in combination, annually buys, receives, sells, or “shares for commercial purposes” the personal information of 50,000 or more “consumers, households, or devices”
- Derives 50% or more of its annual revenue from selling consumers’ personal information
While the latter two thresholds target businesses that buy and share or sell personal information, they will also capture businesses that participate in list sharing, and because the 50,000 count includes devices rather than just people, a modestly trafficked website can cross it without ever buying a list. The $25 million revenue threshold exempts most small businesses, but the three tests together still cover huge swaths of the U.S. economy.
Unlike the federal CAN-SPAM Act and Canada’s Anti-Spam Law, the CCPA says nothing specific about commercial marketing messages. Its definition of “consumer” (any California resident) also means that there is no immediately apparent distinction between personal information held in a B2B relationship and that held in a B2C relationship. The focus of the CCPA is on who is holding, sharing, and selling personal information. So what are the key takeaways in a marketing context?
- Reconsider whether you want to use third-party data. The CCPA gives consumers the right to know “the categories of sources from which the personal information is collected.” This affects the data-broker industry, including those selling marketing lists. If your company is buying third-party data beyond what is publicly available about your customers or prospects, that fact will eventually come to light through a CCPA request. Furthermore, note that “publicly available” under the CCPA is limited to information lawfully available from government records; it does not include information that an individual has posted online, even when it is publicly viewable. Also note that if you have purchased personal information, the CCPA states that a third-party recipient “shall not sell personal information about a consumer that has been sold to the third party” unless the consumer has received explicit notice and an opportunity to opt out.
- Reevaluate the data fields on your forms and profiles. The CCPA is part of a clear shift toward data transparency (see: Vermont’s new data broker law) that requires businesses to think twice about the data they collect (directly or indirectly) and how they use it.
- Data-minimization principles come to the U.S. Data is an asset, but increasingly it is also a liability. The CCPA grants consumers a private right of action when their nonencrypted and nonredacted personal information is exposed in a breach caused by a business’s failure to implement reasonable security procedures, with statutory damages of $100 to $750 per consumer per incident available without proof of actual harm. While the temptation may be to collect as much information as possible, that breach exposure and the disclosure requirements mean you need to know what data you hold and where it lives; data you never collected cannot be breached or demanded.
- Figure out how to identify, locate, and delete consumer information. Both the CCPA and the GDPR give consumers the right to request that the data your company holds on them be deleted. There are exceptions that allow a business to retain data for legal, compliance, and certain business reasons, but a mechanism must exist to promptly delete everything else, including copies held by your service providers, whom the CCPA requires you to direct to delete the data as well. This goes well beyond the opt-out requests we are accustomed to fulfilling.
- Think carefully before selling information about your customers or users. If you sell personal information to other companies, the CCPA requires you to be able to disclose the categories of personal information you sold, and the categories of third parties you sold it to, over the preceding 12 months, and to provide a “clear and conspicuous” link on your website titled “Do Not Sell My Personal Information” so that people can opt out of that practice. Selling the personal information of consumers under 16 requires affirmative opt-in consent, from a parent or guardian when the child is under 13. You can avoid the need for such a link by not selling customer information at all. As importantly, failing to honor opt-out requests can draw civil penalties from the California Attorney General’s office of up to $2,500 per violation, or $7,500 per intentional violation.
Given the speed with which the legislature passed the CCPA, amendments and corrections were inevitable. The first substantive amendment passed within months, and the CCPA will likely evolve further over the course of 2019. The California legislature had earlier considered further restrictions on commercial email – essentially dropping the opt-out approach established by the federal CAN-SPAM Act and moving California closer to the approach taken in Canada’s Anti-Spam Law. In the meantime, those who prepared for the GDPR have already taken steps that will help with the CCPA once it becomes effective.