Important Notice: The CCPA is a new and novel area, which is subject to change and interpretation. Cheetah Digital is not providing legal advice or warranting that its offerings will ensure a business’s compliance with the law. The below information is intended for general educational purposes only.
Depending on when you are reading this, the enactment of the California Consumer Privacy Act (CCPA) is mere days away, or at most a couple of weeks. On January 1, 2020, the legislation will go into full effect, codifying the way in which businesses that operate in California, or sell products or services to Californians, manage risk when it comes to the consumer data they collect, use, share, and monetize.
The state of play
Although privacy protections do exist in the U.S., there is no de facto law regulating the collection, storage, and use of consumer data. Laws like the CAN-SPAM Act, COPPA, and HIPAA are focused on specific business sectors and uses of personal information. To date, the rights for a consumer to learn what a business knows about them, or to have that data deleted, have been rather limited.
However, since the enactment of the General Data Protection Regulation (GDPR) in Europe, which offers EU/EEA residents sweeping rights over their personal information, U.S. businesses have had to adjust philosophies and practices to continue participating in the European single market. With the advent of the CCPA, doing business in the state now depends on those same businesses turning their eyes to “America’s GDPR.”
Will the CCPA only impact California?
Technically, yes. It’s a state law that only applies to companies that are based in California or do business with California residents. But in reality, any business that has a website has the capacity to advertise or sell to Californians, whether they are in the state or traveling, and would therefore fall under the CCPA’s scope.
And with the California economy being the 5th largest in the world, it stands to reason that almost every business would want to protect its “seat at the table.”
Why the change?
In light of the Cambridge Analytica scandal and other high-profile privacy abuses, U.S. lawmakers are increasingly feeling the need to protect their constituents. In parallel, consumers are becoming more aware than ever of the role their data plays in the digital economy.
Current legislation, an amalgam of federal and state laws, was adopted long before cloud-based technology, micro-targeting, smart devices, or influential social networks were connecting our daily lives and data points in huge volumes.
The CCPA -- the first of many state efforts -- looks to Europe to modernize existing protections, provide consumers with greater transparency and control over their personal data, and hold organizations accountable for their data-driven practices.
Differences between CCPA and GDPR
In 2016 the GDPR set a high global bar. Businesses whose data protection practices have been aligned to the European framework will have a head start with the CCPA. However, despite similar foundations, the CCPA is not a carbon copy of the GDPR. Definitions, scope, and applications are uniquely Californian.
Here are some noteworthy differences:
- The CCPA applies to data that can be reasonably linked to a particular California household, and not just to a natural person or their device, as the GDPR does. In practice, this could be any and all customer data an organization holds.
- The GDPR covers all organizations that control or process a European’s personal data. The CCPA meanwhile has restricted its applicability to for-profit companies that have an annual gross revenue of over $25 million, and buy, receive, sell, or share a Californian’s data for business, operational, or commercial purposes.
- Furthermore, this data must belong to 50,000 or more consumers and derive 50% or more of the organization’s annual revenue for it to be applicable. This is not a high bar for most web-scale companies in the U.S., let alone Silicon Valley giants.
- The GDPR-empowered EU ePrivacy Directive (i.e., PECR) requires organizations to get prior consent from data subjects for electronic marketing and behavioral advertising, while the CCPA allows consumers the right to opt out of the sale of their data by way of a prominent website link or telephone number.
- The regulatory penalty for non-compliance with the CCPA can be up to $7,500 per violation, while liability to an individual consumer is $750 per incident or actual damages, whichever is greater. By contrast, non-compliance with the GDPR could lead to fines of up to €20m or 4% of a company’s global annual revenue.
Benefits of CCPA for your business
Rather than calling timeout on personalized marketing and advertising, the CCPA is an opportunity for marketers to rebuild trust, improve transparency, refresh their vendor relationships, and deliver an altogether better experience for the consumer.
Given the CCPA’s focus on disclosure and providing consumers the ability to stop the selling of their personal data, the CCPA is arguably a call for organic data collection as underpinned by value-driven interactions. Cheetah Digital has long been a proponent of permission-based email practices, taking a strong stance against bought and purchased email lists. Today, we apply these same principles to our suite of consumer engagement products.
Neither the GDPR nor the CCPA is a roadblock to truly personalized and meaningful marketing efforts. Organic, or “zero-party,” data (a class of data that a customer intentionally and proactively shares with a brand), used alone or responsibly with other collected or inferred data, can enrich consumer interactions, support innovative loyalty programs, and drive great marketing content.
Personal data allows brands to build direct relationships with consumers, and in turn, better personalize their marketing efforts, services, offers, and product recommendations. Zero-party data in particular, when it comes knowingly and directly from the consumer, is the cornerstone of responsible data use.
Are you ready for the CCPA?
With days to go, now is the time to act if you haven’t already, as you will likely need to make changes to business processes and policies, introduce new roles and reporting procedures, and modify the way you engage with customers and collect and process their personal data.
Cheetah Digital takes a global, principle-based view of privacy issues impacting digital marketers and their service providers. As consumers' expectations of privacy and the legal protections afforded them continue to evolve, we are committed to ensuring the safe, transparent and positive uses of our services. For more information about our privacy practices, please visit our Trust Center.
Danny O'Reilly also contributed to this article.
Privacy Analyst, Cheetah Digital
Cheetah Digital's privacy-compliance efforts are led by Alex Krylov, a #privacypro with over 12 years of hands-on experience in the online marketing and advertising space. Alex is an accredited Information Privacy Professional (CIPP), Privacy Program Manager (CIPM), and Fellow of Information Privacy (FIP), reporting into our Chief Security Officer, Jill Knesek.