A large portion of the American population is becoming increasingly concerned about online privacy and cyber security in this age of modern technology. Amidst the fast growth and development of the Internet and the sluggish enactment of laws, the balance between legal access of businesses of user information and the customer’s right to privacy tends to sway from one direction to another. One of the latest examples of this would be in the form of the CCPA legislation in California. This is a law that can and will impact the digital marketing field for a long time. If you or anyone you know works in this field, they have to focus on the implementation and correct adherence to this law or else they will find themselves sitting on a pile of fines, as well as facing potential litigation from unhappy customers .
CCPA or California consumer privacy act
The CCPA is a state law that has implications even at the international level. It has been brought into practice to offer protection to California’s residents’ online privacy and make the space more transparent in regards to how their personal data is being gathered and used. With the help of this law, the residents of California now hold a legal right to-
- Be aware of the sort of personal information that is collected
- Be aware of any personal data being sold
- Know the buyer of their data that is being sold
- Refuse to be a part of this data sale
- Get personal access to their information
- Require any business to delete any personal information they hold
- Not face any discrimination for exercising these rights to online privacy
- Get additional protection from data collection if they are minors
This may come across as an unexpected and drastic change in the online business and privacy regulations space but this bill was already signed into law in 2018. All businesses had been given a grace period of two years to prepare before the law went into full effect from the end of June, 2020.
Definition of personal data according to the CCPA
Personal data is a vague and broad term that could include anything. The CCPA defines it as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The bill lists kinds of personal information but also mentions that this list is not all encompassing. Along with name, address, Social Security number, browser history, IP address, and so on, it also includes biometric data, and all other inferences that are made based on such collected personal data, including olfactory (olfactory relates to smell, not the right word in this context. What are we trying to say?) information.
CCPA and businesses
The CCPA is a set of laws that emphasizes and protects consumer rights. Any business that interacts with a California resident or considers them as their target audience for business promotions using digital marketing needs to be aware of and comply with the CCPA rules.
The most basic implication of this law is that businesses and digital marketers cannot collect or use the personal data of California residents without their consent. Businesses must look up and be aware of specific ways to carry out this responsibility, which will be particular to the sort of industry they are catering to. A few general practices that one needs to perform in order to maintain CCPA compliance are as follows:
- Acquire consent for data sharing. For minors under 13, permission needs to be obtained from parents or guardians. Affirmative consent required for minors between 13 and 16.
- Must showcase a ‘Do not sell my personal information’ link on the homepage of their website whereby the users will be redirected to a page where they can opt out of data sharing
- Shared designated processes to submit data access requests
- Restrict requests for opt-in consents within 12 months of opting out initially
Failure to adhere to these regulations will result in heavy fines on the culpable business. Apart from fines, businesses are also likely to face class-action lawsuits from residents for data breaches or theft of personal information.
Types of businesses affected by the CCPA
All businesses are not required to maintain CCPA compliance. They have to fulfill certain criteria to be eligible as a CCPA adhering company, such as-
- Buy, receive, or sell personal data of 50,000 or more customers and households
- Earn more than half of its annual profits from selling personal information of customers
- Have an annual gross revenue of more than $25 million
Digital marketers and CCPA: what is next?
Digital marketing has always been about adapting. A digital marketer knows that the world is constantly changing, not just online platforms. The key is to be aware and flexible enough to be able to make these changes rapidly. However, the CCPA has wider implications and the domino effect it causes is worth discussing.
- Wide reaching implications of the CCPA
As we already know, the CCPA was brought into law to protect the citizens of California. Businesses have the primary role of ensuring the protection of personal data of the California residents that they are collecting. People can carry on navigating the Internet according to their wish with absolute certainty regarding where and how their personal information is being used. As the Internet is not an entity that is based on geographic locations, it means that online businesses are required to inculcate policies for protecting the privacy rights of the users from California or have to stop catering to them altogether. A business might not actively market to California but if a user from California visits their site and experiences a data breach, it could result in the business being slapped with CCPA fines. Given the size and spending of the population in California, most of the businesses are left with no other option than to accept the restrictions laid down by the CCPA.
- Domino effect of the CCPA
Another important fact one needs to understand is that just because they do not do business with customers in California, it does not mean that other states are not also taking steps to protect the data rights of their citizens. The CCPA is the first step towards such national restrictions. Nevada is already enacting similar laws and other states will soon follow suit . Usually, the first state level policy takes time to get approval and is quite challenging but once it is enacted, other states use this as an example and enact similar legislation. With more and more states adopting similar policies, businesses will realize that there are chances of their customer pool shrinking unless they take initiative and start adhering to the data privacy laws of different states. This could have drastic implications on the market shares of different companies, and those who do not adopt compliance policies will fall behind those who do .
The CCPA has set a new standard in the data privacy world and is here to stay. This is why all digital marketers must consider getting accustomed with the CCPA law as similar legislation is spreading in different states across the US market.