Not long after the 2018 General Data Protection Regulation (GDPR) went into effect as a core part of Europe’s digital privacy legislation, there was a new kid on the data privacy block: the California Consumer Privacy Act (CCPA).
A Short Introduction to the California Consumer Privacy Act
Don’t be fooled by the law’s geographic specificity – the California Consumer Privacy Act applies to any company that employs or serves California residents, regardless of where that company is located.
Broadly, the CCPA establishes new consumer rights relating to the access, deletion, and sharing of personal information collected digitally by businesses. It also establishes procedures to facilitate consumers’ new rights under the law and guidance for business compliance.
To trace the impetus behind the California Consumer Privacy Act, we can point to the widely-known Cambridge Analytica scandal during the 2018 presidential election that shone a spotlight on the myriad ways consumer information was being used without consumer permission.
Taking action to try and rectify these wrongs, California’s privacy act gives consumers more control over their data, including insight into what information companies have collected on them, whether companies have sold or are selling their personal information, and the option of removing their information from company databases.
The CCPA is essentially the U.S. version of GDPR; incidentally, it was signed into law in 2018, but it officially went into effect in January 2020, which has companies scrambling to ensure compliance.
Which Industries Will be Most Impacted by the CCPA?
The most important designation of the CCPA is that it only applies to businesses that earn more than $25 million in gross revenue, collect data on more than 50,000 people, and acquire more than 50% of their revenue from selling consumer data.
Technology, telecom, and financial services companies may have a “leg up” since they’re already subject to a slew of regulations and are inherently more aware of and prepared for stricter privacy regulations in a post-Cambridge Analytica world (and with the threat of security breaches always looming).
The CCPA will have a different impact on the Facebooks and Twitters of the world, but all tech and telecom companies with customers or employees in California have had to take a series of actions to comply, including:
Other companies, like retailers, have more work to do to comply with the California Consumer Privacy Act because they weren’t subject to GDPR. Although data privacy is a key component of most organizations, compliance with the CCPA requires additional protections.
Likely because of the large amount of work involved to meet the requirements of the CCPA, a lot of companies are choosing to apply the privacy protections to their entire operation – not just to their California contingent. This can also be viewed as a smart move given the likelihood that other privacy laws will be legislated in other U.S. states in the near future.
Will the California Consumer Privacy Act Change Marketing and the Internet for Businesses and Consumers?
According to the law itself, the data it covers includes IP addresses, contact information, internet browsing history, biometrics such as facial recognition and fingerprint data, race, gender, purchasing behavior, and location.
The law grants consumers several rights when it comes to their personal data:
The privacy protections businesses now must offer under the CCPA can really only be achieved by essentially overhauling current data management practices. For most organizations, consumer data is collected in many different ways and in several different departments. For most businesses of the size specified by the CCPA, consumer data comes in through internet usage, social media, store purchases, payment card information; essentially any way in which consumers interact with a business.
We all know that “big brother”-esque feeling we get when an ad pops up for an item or topic we were just searching for. This occurrence, while mildly irritating at best for consumers, reflects a much larger online operation called “real-time bidding”, in which ad buyers bid on ad space based on user data so their ad can appear in front of that user.
Here’s the part that, under the CCPA, users have the ability to opt out of. That user data is then stored so webpages have more specific user information to validate higher ad prices, and that data can also be purchased by companies looking for target audience information.
Because the CCPA grants consumers the right to essentially remove their information entirely from formerly robust databases, it could be seen as a pivotal change for marketing tactics as we know them.
Once the law has been in place for a time, it will be interesting to see how many users actually choose to opt out of data-sharing practices; however, if enough do, the costs for ads – and thusly the revenue they pull in – could be drastically lower. Companies may find themselves working from a smaller pool of data and may have to rely less on purchasing or selling information to beef up audience targeting or raise ad revenue.
However, while the CCPA does impact some keystone marketing tactics, the law is not a red herring for the end of the internet as we know it or anything sinister like that – but it does mean companies will have to adjust and reevaluate how they collect the data that drives many common marketing practices.
Adapting to a Data Privacy-Conscious World
GDPR and the CCPA should be viewed as just the beginning of a more data privacy-conscious online and business environment. Other states will join California in leveling-up privacy protections for consumers; Maine and Nevada have recently passed privacy laws, and numerous other states are considering or have already tried to pass similar legislation.
The California Consumer Privacy Act achieves something pretty big for the U.S. – putting consumers in the driver’s seat when it comes to their personal information. That being said, there is still almost mindless ease with which we share private information, and it’s hard to know whether this law will make a marked difference in behavior, at least right away. After all, when’s the last time any of us read through a privacy policy on a website we visited?
Either way, privacy laws are here and more are coming. If nothing else, these legislative actions draw much-needed attention to the risks of data collection and sharing, and should at the very least prompt businesses not required to comply with the CCPA to voluntarily evaluate their privacy protections and security protocols.
As businesses implement these protections, they’re sure to grapple with the aspects of their marketing strategies that rely on user data for advertising, marketing automation, and other targeting tactics.
If your business is governed by the CCPA and you’re contemplating the next steps for your marketing strategy this year or in 2021, we can help. Being well-versed in privacy rules and marketing means success for your business, even amid big changes.
Related Blog Posts:
The state of marketing at year’s end and a look ahead to what’s next Marketing is an ever-evolving sector influenced by both technological updates and consumer habits on a frequent basis. With so many moving parts — from the nearing dissolution of third-party cookies...
The latest Google Helpful Content update is the most dramatic thus far and includes updates to the AI content policy, advertising policy, and more.
