If you have an inbox, you may have received a helpful hint or 200 about the implementation of California’s Consumer Privacy Act (CCPA). It, along with a handful of other privacy-, security- and protection-themed bills, raced through California’s legislature between 2018 and 2019 and goes into effect on January 1, 2020. Happy New Year!
Some emails I have received try to tie a common thread between CCPA and its European kissing cousin, the General Data Protection Regulation (GDPR) that went into effect in 2018. For those companies that took GDPR seriously and took the tough steps toward compliance, there is absolutely an advantage. Those actions won’t cover everything.
There ARE a couple ways that the two are VERY similar:
- Both demand that an organization have a complete inventory and understanding of all sources of data. For CCPA that includes third party data.
- Both aim to make consumers feel they are in more control over their personal data.
- Both place a hefty price tag on ignoring the value of trust.
Here is a not so quick list of what CCPA is and is not.
First up...who it covers:
- CCPA applies to for-profit companies that do business in California, or that are “indirectly” doing business there (i.e. parents and subsidiaries of companies doing business in California), and that meet one of the following:
- Have gross annual revenues greater than $25 million
- Buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices per year
- Make 50 percent or more of their annual revenue from selling consumers’ personal information. Selling is broadly defined as any exchange of data for something of value.
Next up...who is off the hook:
- CCPA DOES NOT apply to:
- Non-profits, smaller companies that don't meet the revenue thresholds, and/or those that don't traffic in large amounts of personal information
Now for what it covers and why it matters:
- CCPA has a BROAD definition of personal data including name, phone number, addresses and other identifiers like title, employers and email address, but also includes Social Security numbers, driver’s license numbers, credit card numbers, purchase history, and “unique personal identifiers” including IP address, device identifiers, online tracking, location information, audio and biometric data. CCPA also includes household data.
- CCPA EXCLUDES information that is publicly available, such as property tax data or information from available government records, aggregated data, as well as medical or health information that is otherwise governed by California’s Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act (HIPAA).
- CCPA gives rights to all California residents to have access to their personal information, to have it deleted and to opt out of any sale of their data.
- Residents MUST be provided with a “Do Not Sell My Personal Information” link on all websites and mobile apps, and its inclusion on the home page of a site is mandatory. Sorry, you can’t bury it in the footer. It must be “clear and conspicuous.”
- CCPA creates a "limited private right of action" for any consumer impacted by a data breach. The law permits consumers to bring a civil suit for statutory damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. This private right of action is ONLY related to breaches involving “nonredacted and unencrypted personal information” and only specific to a narrow segment of personal information.
- CCPA requires transparency about data and information use. Specifically, residents have the right to request what personal information a business has collected and whether their information is being sold or disclosed for a business purpose to other parties.
- CCPA empowers residents to request the deletion of their personal data and mandates that residents NOT be discriminated against for exercising their rights as outlined by CCPA. Requests must be answered within 45 days.
- CCPA has specific Privacy Policy requirements. If you were hoping a new section on “selling your data” was going to be it…think again. Compliant notices will inform consumers about how personal information is collected, how that data is used, and the individual categories of personal information the business has sold to third parties in the past 12 months.
- The Privacy Policy must also reinforce the rights consumers have under CCPA, including the right to receive copies of their personal information, the right to opt out and the right to delete data.
- CCPA gets specific about how to handle the sale of children’s data: businesses must first obtain opt-in consent for the sale of a minor’s data. Consent must be obtained from parents for kids under 13; teens 13-15 can provide their own consent.
As someone insane enough to sit down and READ both documents, I have to say that CCPA, while not as voluminous as GDPR, is just as poorly written with loopholes, questions and ouroboros-like mandates that seem to negate themselves by the end of the tome. An important note is that there are at least a dozen amendments already waiting for a vote on CCPA as legislators, special interest groups and consumer watchdogs all pile on to streamline and strengthen the bill.
The bottom line remains the same: consumers have the expectation for data privacy and security and in the State of California, they have the right to opt-out and delete their data…if we fail them…they have the right to sue for a LOT of money.
My attitude about CCPA is like that of GDPR: we shouldn’t wait for legislators to define trust.
If we wait to secure the trust our consumers have in our brands, we will fail them, and we will be on the costly losing end of this stick. Both GDPR and CCPA are pains in our collective corporate rear ends. But they are both also an opportunity to kick our data and personalization agenda can down the road a bit.
Personalization requires data. Rich, contextual, relevant and resonant personalization that goes beyond slapping a familiar product or a customer’s name on an email demands customer data that sits at the core of CCPA. Now, we have a regulatory reason to have the tough conversations about organizational data practices to accurately and uniformly assess where and how this data is being collected, stored and used across the entire organization. It forces marketing to look beyond its walls and helps IT look within them.
Most of the CMOs I have spoken with about CCPA (and the lasting impact of GDPR) have said that it helped IT, Operations and Marketing have very different conversations about data. For smart teams, GDPR was the lightning rod to get data collected, cleaned and utilized to the benefit of the consumer. Now, CCPA is the lightning rod to further advance how third party, location and device data is integrated into the mix and better leveraged across all engagements.
You have a choice: see this as a curse or an opportunity. But know this…CCPA isn’t the last regulatory thrill ride. With legislation pending in New York, Nevada and new calls for federal data privacy and security standards, CCPA is just the beginning of the chaos.
Now…if you REALLY want to get into it…and can stand to read a little more...
Here is another bill to watch especially if you are in the game of selling connected devices in the State of California: CA SB 327 & AB 1906.
- Approved and filed by the state in September 2018 with a start date of January 1, 2020
- Together, these two companion bills regulate standards for IoT devices sold in California
- They require the manufacturer of a connected device to equip the device with a “reasonable security feature appropriate to the nature and function of the device”, and the information it collects, receives or transmits
- Also required are measures that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure”
- “Reasonable” security is further explained to be, for a device that offers a means for authentication outside a local area network, either:
- a pre-programmed password unique to each device
- OR a feature that requires a new password be generated before access to the device is granted for the first time
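To make the two options concrete, here is an added illustration (my own example, not text from the bills or code from any manufacturer) of a device access gate that either ships with a unique per-device password or refuses all access until the owner sets a new one, plus a fleet check that flags the shared factory default the bills rule out. The `ConnectedDevice` class, its method names and the 12-character minimum are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a firmware dump does not hand over the credential in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision_unique_password() -> str:
    # Option 1: a random password generated per device at manufacture time.
    return secrets.token_urlsafe(12)


class ConnectedDevice:
    """Hypothetical device authentication gate for the SB 327 options."""

    def __init__(self, serial: str, factory_password: Optional[str] = None):
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        # Option 2: no factory password at all; access is denied until one is set.
        self.password_change_required = factory_password is None
        self._hash = None if factory_password is None else _hash_password(factory_password, self._salt)

    def login(self, password: str) -> bool:
        if self.password_change_required:
            return False  # nothing unlocks the device before first-time setup
        return hmac.compare_digest(self._hash, _hash_password(password, self._salt))

    def set_password(self, new_password: str, current: Optional[str] = None) -> bool:
        # After setup, changing the password requires proving the current one.
        if not self.password_change_required and not self.login(current or ""):
            return False
        if len(new_password) < 12:  # assumed minimum length policy
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(new_password, self._salt)
        self.password_change_required = False
        return True


def shares_default_credential(devices: list, candidate: str) -> bool:
    # True when one password opens more than one device: the fleet-wide default.
    return sum(1 for d in devices if d.login(candidate)) > 1
```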
My take on this: these bills lack any teeth to make either of these truly worrisome for manufacturers. They have far more bark thanks to headlines around what “could” happen with bad actors getting their hands on data, passwords or devices themselves. If we are being honest, these IoT measures basically ask for stronger passwords. But we all know that passwords do not a comprehensive privacy and security practice make.
Without a clear path to enforcement, punishment and a dollar figure looming in the wake of a breach, this isn’t going to counter the operational cost argument of holding up the manufacturing process to embed costly security directly into the device, so it is secured from the metal up.
So HAPPY NEW YEAR California! Let this be the decade of privacy and protection…wrapped in chaos and confusion if these bills are any indication. Regardless, the next 10 years are going to turn what we know about trust, privacy and identity on its ear so get ready. It’s going to be a fast, wild ride!