03 Jan How Will the CCPA Affect You?
This January 1 marked more than the beginning of the year 2020. Ringing in along with the new year was the California Consumer Privacy Act (CCPA), which has permanent, profound effects on companies that do business in California – and upon the online advertising economy. As we reported in our December 27, 2019 blog post – “2020 Vision – Digital Marketing Trends to Look For” – the CCPA creates new consumer rights relating to the access to, deletion of, and sharing of personal information that businesses collect. Just in case this has caught you by surprise, here’s what you need to know in order to be complaint.
What is the California Consumer Privacy Act?
Before the CCPA went into effect, companies weren’t legally required to tell consumers what data they collected about them, and consumers had no control over what companies did with said data. It’s similar to the European Union’s General Data Protection Regulation (GDPR) – which took effect on May 25, 2018 – which is currently the global benchmark for online privacy.
Which businesses are affected by the CCPA?
The act applies to California residents and the following types of businesses:
- For-profit entities that do business in California and collect personal information of consumers. This also applies to businesses with a website that can be viewed by California residents, whether or not they’re in California at the time – which, in effect, means practically every business.
- Businesses that have annual gross revenues in excess of $25 million.
- Businesses that process the personal information of at least 50,000 consumers, households or devices every year. This also applies to businesses that have this number of California residents in its email database.
- Businesses that derive 50 percent or more of their annual revenue from selling consumers’ personal information.
“The new bill has a broad definition of ‘selling personal information,’ which also includes sharing data in return for ‘valuable consideration.’ This means that some businesses, which don’t seek financial compensation from sharing personal data, might find that they still fall under the CCPA’s definition of ‘selling.’
Leprince-Ringuet quoted Lothar Determann, partner at law firm Baker & McKenzie, about interpretations of the definition of “selling” information:
“The definition of selling in this law captures not just the transfer of information for money, but also information gained from exchanges – which happen all the time for business or government planning. It is a broad definition that we need to think about.”
So what constitutes personal information? The data items mentioned in the legislation include: your name, username, password, phone number and physical address, household purchase data, family information, financial information, race, religion, marital status, biometric information (fingerprint or facial recognition data), browsing history and location information. Data found in public government documents is excluded as long as the data is collected directly from government records, not from secondary sources, such as social media accounts.
Consumers know their rights
Here is what California consumers now have the right to do under the CCPA:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.
- The right to delete personal information held by businesses and by extension, a business’s service provider.
- The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
- The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA. However, notes cybersecurity writer Laura Hautala for CNET, that although companies can’t turn away users if they opt out of the sale of their data, they can give people a stripped-down version of their offerings.
A brief history of the CCPA
Although the CCPA is the strongest, most sweeping privacy act in the United States, it is ambiguous in some areas and open to interpretation (or misinterpretation). If you’re confused, you’re not alone. Even lawyers such as Determann express their opinion that the bill was rushed. “The law came out of just a few days of negotiations. It was not completely thought through, and I think it can come with unintended consequences.”
Why was such an important piece of legislation so quickly put together? The American Bar Association relates the timeline as follows:
“In early 2018 a California real estate developer spearheaded an effort to include a new privacy law — the Consumer Right to Privacy Act of 2018 — on the November 2018 California ballot. By June 2018, supporters of the initiative had gathered enough signatures to earn a place on the November ballot. In response, California legislators, working with representatives of affected California businesses and other interest groups, quickly negotiated and passed a substitute bill — The California Consumer Privacy Act of 2018 — the CCPA — in exchange for an agreement to drop the more restrictive text in the Consumer Right to Privacy Act from the November ballot.”
The California Consumer Privacy Act of 2018 was approved by the state’s Governor, Jerry Brown, on June 28, to go into effect on January 1, 2020. Because of its hasty origins, the new bill creates some amount of ambiguity and confusion about specifics. However, the CCPA can be amended, if needed.
How businesses must comply
Consumers also have the right to access the personal information a business has on them. The CCPA requires at least two ways of doing so, including at a minimum a toll-free phone number. Users who ask to see their personal data should be granted access within 45 days. If customers request their data be deleted, businesses must comply.
Paying the penalties
So what happens if a business doesn’t comply with the CCPA? Offenders can be fined $2,500 per violation, or $7,500 if the violation is found to be intentional. Also punishable by law are unauthorized access to personal data, or data breaches. Should theft or exfiltration of data occur, businesses are liable for fines of up to $750 per consumer per accident.
Is this the way the cookies crumble?
Obviously, life just became much more complicated for businesses in other ways. As Sam Dean reports in the Los Angeles Times, “The most wide-ranging effects of the new law fall on the online ad economy and the businesses … that rely on it.”
Users who opt out of providing data or allowing a website to track their activities through cookies – small text files stored on your browser when you visit or interact with a website or advertisement – make targeting ads that much more difficult. Dean points out:
“Those who opt out will probably see fewer hyper-target ads, the kinds that show users a product they left unpurchased halfway through the checkout process, or that seem to eerily promote a store they visited a few days earlier. After multiple deletion requests, users could eventually see only ads that are related to the page they are visiting – car ads on an article about cars, or meal-delivery ads on a food website.”
Enter the Interactive Advertising Bureau. This is a consortium of most major U.S. publishers, advertisers and ad tech companies. The organization devised a framework of contracts and digital tags that, as Dean describes, “… functionally staple a user’s desire to not have their data sold to the data itself, like an ink tag on a piece of merchandise.
“Google signed on to this system in December and gave its customers – which include most of the websites on the internet – a toolkit for building this opt-out system into their own sites.”
Google Ads Help provides detailed information on its site regarding how it helps advertisers, publishers and partners manage their CCPA compliance.
Is this the beginning of the end for online advertising?
While it is too early to determine how many consumers will demand their information not be sold or tracked, the effects of the CCPA can’t be ignored. It could well be that most people will just click past or through the new privacy options the same as most click on the Accept button to allow cookies. Still, we leave you with two thoughts from thought leaders who are members of the Forbes Technology Council.
“Users are finally realizing just how costly free can be – and this might be the driver for change in the way consumers treat their own data. A service in exchange for data is no longer enough – users want to control their own data and whom it is shared with, as well as see real, tangible benefit from giving up information about themselves.”
From Alan Price, Vision Critical:
“California’s new data privacy law signifies the introduction of a specific, individual right for customers to opt out of having their personal information sold. As these transparency standards are backed by legislation, it’s increasingly important for brands to remain honest with their customers if they want to retain their loyalty.”
The take-home message
Making sure your business is CCPA compliant doesn’t need to be an overwhelming process. Virtual Stacks Systems offers comprehensive web design, Google Ads and PPC services, and social media marketing services that can help you make compliance seamless. Contact us to learn more.