In 2018, GDPR shook things up for businesses around the globe. But in 2020, stronger data privacy starts right here in the USA.

Last year, California signed restrictive data privacy legislation that will transform commerce as we know it. The California Consumer Privacy Act (CCPA) will require more transparency from businesses in the kinds of data they collect on their consumers — and how they choose to use it.

This change is prompted by the Facebook data breach that led to the compromise of a whopping 87 million users’ personal information. Though the GDPR and CCPA have similarities, they also have differing qualities, which means large businesses operating in both jurisdictions will need to comply with both. Businesses that are affected by the new legislation still have time to prepare before the law goes into effect in January 2020.

What kinds of businesses does the CCPA impact?

The CCPA applies to for-profit businesses that operate in the state of California. A business must meet one of the following requirements to be affected by the new law:

1. Have annual gross revenues over $25 million

2. Buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices 

3. Derive 50% or more of its annual revenues from selling consumers’ personal information 

Though the law only protects residents of California, it will impact businesses without physical presence or employees in California. As long as there are digital interactions occurring between a business and California residents, there will be consequences if that business fails to comply.

What do businesses need to do to be compliant?

Businesses that meet one of the requirements above are subject to consequences if they fail to comply with the CCPA standards. They should be prepared to:

1. Provide opportunities for consumers to opt out of the sale of their personal information  

2. Comply with consumer requests for access to their personal information 

3. Delete relevant data upon request 

4. Comply with consumer requests to stop sharing their personal information with third parties 

5. Provide the same level of quality and service to consumers who exercise their privacy rights

6. Make sure data sharing with third parties meets all restrictions 

After being notified of a violation, businesses have a 30-day time frame to comply. If the violation was intentional, the maximum fine is $7,500. Consumers have the right to take private action if their data is stolen or illegally accessed. The maximum fine in a civil suit is $750, but for large data breaches, this amount could compound substantially.

How are consumers affected?

Consumers are constantly being tracked online, whether they are aware of it or not. In certain instances, consumers want to exchange their personal information for valuable offers or content selections that are catered to them. In other instances, consumers fear that their information will fall into the wrong hands. The CCPA lays out the following rights for consumers:

1. The right to know what personal information is being collected on them 

2. The right to know whether their personal information is disclosed and to whom 

3. The right to say no to the sale of personal information 

4. The right to access their personal information 

5. The right to equal service and price, even if they exercise their privacy rights 

The kind of data that constitutes personal information in the CCPA is different than that of the GDPR. The data doesn’t necessarily have to match up with a name, but can be anything that uniquely identifies a person or household. With this definition, things like purchase history could qualify as personal information. This vague definition is likely going to spark issues when the law is put into practice in January.

Speaking of vague definitions, are there other gray areas in this legislation? 

The CCPA can be altered until it goes into effect in January 2020, and there are gray areas that will be controversial if they’re not addressed prior to then. Here are some issues that have been pointed out:

• Due to vague terminology, the CCPA may impose excessive costs on smaller businesses. Though 50,000 consumers may seem like a lot, the definition of “consumer” isn’t well defined in the law. Consumers could be people or households. It’s also important to note that businesses with 50,000 consumers a year are much smaller than businesses with 50,000 consumers a day. This means some small businesses will likely need to be compliant. With already stretched resources, the CCPA puts an additional strain on these businesses. 
• Personal information isn’t defined specifically. The law states that personal information includes “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.” So what all does this entail? The law states that information like electronic network activity falls under the same category as personal identifiers such as social security numbers and postal addresses. With a definition that’s open to interpretation, there are many ways the text could be stretched to incorporate identifiers that lawmakers weren’t anticipating.
• It is unclear whether consumers who choose to exercise their privacy rights will be allowed different treatment for doing so. In the text, the law states that a business may offer financial incentives to consumers as compensation for the collection or sale of personal information. The business may also offer a different price to the consumer if that price is related to the value provided by the consumer for their personal data. In addition to this, it states that businesses can’t discriminate against a consumer because the consumer has exercised any of their privacy rights, including charging different prices or rates for goods or services. These statements directly contradict each other, so it’s hard to tell how businesses can actually incentivize the sharing of personal data by their consumers.

How can companies prepare for this legislation to go into effect?

Determine whether your business will need to be compliant.

Small businesses should consider their customer base and whether they will need to comply. “Consumers” can be counted as households, and the kinds of data falling under personal information isn’t clear. Businesses should take into account both the amount and type of information they’re collecting.

Create a singular data policy that treats all consumer data the same, regardless of geographic location. 

Treating California consumers differently than consumers in other states will be costly and inefficient. It will be beneficial for businesses to put policy in place now that will ensure compliance. In addition to this, companies treating California consumers differently will likely alienate other consumers — giving them more reason to adopt a nationwide privacy strategy. If similar legislation is passed in other places, this strategy will pay off in the long term.

Audit processes for data collection, storage and management.

Over the next few months, it will be important for businesses affected to allocate time and resources to an audit of current practices. Mechanisms will need to be put in place for disclosing information and allowing consumers to opt out. For those who opt in, security measures will be necessary for companies who currently don’t have them in place.

What does this all mean for marketers?

Marketers often rely on third party data to target customers with relevant content. As third party data becomes more difficult to obtain, data inventory may decline in its effectiveness. These changes especially impact marketers who leverage third party data for programmatic advertising.

As third party data availability declines, first party data will become increasingly important. Marketers will need to manage this valuable consumer data well and understand how it flows throughout their ad stack. Since the CCPA allows users to request deletion of their data, there should be processes in place between marketers and their third party partners to remove information on consumers who choose to opt out.

Due to the vague definition of personal information, marketers and programmatic partners will need to be careful when leveraging identifiers like Device ID and geofences for targeting and attribution purposes. In addition to other kinds of businesses, marketing agencies and their partners should audit their marketing technology and ensure they have mechanisms in place to, upon request, access, change, or remove consumer data.

What does this mean for the future of data privacy legislation in the US?

The CCPA passed unanimously in both houses of the California legislature, and other states are following their lead. Nevada, New York, Washington and Texas have all introduced similar bills. US companies should expect more legislation like this in the future as consumers continue to be more thoughtful of what information they’re sharing online and with whom.

Transparency is key to winning consumer trust, and businesses that choose to put privacy mechanisms in place will benefit from their investment. The CCPA and similar legislation create opportunities for businesses to have stronger relationships with consumers and build trust.

Disclaimer:this article is an opinion of a complex legal issue and cannot be construed to be legal advice. Consult a qualified legal counselor for questions about the The California Consumer Privacy Act (CCPA) or other regulations.