The California Consumer Privacy Act of 2018 (CCPA) is a landmark new law meant to provide California consumers with control over their personal information. It went into effect on January 1, 2020, and businesses had a six-month window to comply. That compliance window ended in June 2020, so brands that have been putting it off need to start paying attention now.
THE PURPOSE OF CCPA
CCPA provides new privacy rights for California residents like:
- The right to know about the personal information (PI) collected by a business and how it will be used and shared.
- The right to delete personal information gathered about them — though there are a few exceptions.
- The right to opt out of the sale of their personal information to third parties. Note that the requirements are even stricter for the sale of PI of minors under the age of 16.
- The right to non-discrimination for exercising these new rights.
Businesses that collect consumer data are now required to provide California consumers with a notice about how they may use it.
- Brick-and-mortar operations that collect significant and sensitive customer data (like an auto dealership that performs credit checks, for instance) must also describe how they will use any gathered information. For businesses to be compliant, customers must acknowledge the data sharing information with their signature.
WHICH BUSINESSES ARE SUBJECT TO CCPA?
The CCPA applies to every for-profit organization that does business in California and meets any of the following criteria:
- A gross annual revenue equalling $25 million
- A company that buys, sells, or receives the personal information of 50,000 or more California residents — including their devices or households
- Any business that earns 50% or more of its yearly revenue by selling California residents' data
But, if you think CCPA regulations may not apply to your organization, think again. While the criteria above seem likely to exempt smaller organizations, any company that collects any personal data from California residents — even something as small as a California shipping address — will likely be subject to the regulation.
Furthermore, CCPA is possibly just the first step towards regulation at a national level. Nevada enacted a similar measure, and other states may follow suit in 2020. Ultimately, these state laws could lead to federal regulation. So, it's best to seek long-term strategies regarding customer data compliance, even for businesses outside of California.
WHAT IF A COMPANY DOES NOT COMPLY WITH CCPA?
CCPA regulations are to be taken seriously. Penalties will vary based on the type and severity of non-compliance. A single non-willful violation — a simple mistake — can earn a $2,500 fine, while willful non-compliance can receive a penalty of $7,500 per instance.
- Fines and penalties will increase based on the sensitivity of the information and the number of consumers involved.
- The sale of particularly sensitive PI like health histories or Social Security Numbers might become a reason for severe charges.
- A serious infraction like the blatant sale of consumer information after a warning from the California Attorney General's office could easily cost an organization hundreds of thousands of dollars, if not millions.
- However, if a violation is remedied within 30 days of notice, the penalties may be waived.
CCPA is California state legislation. As of July 2020, it's still unclear how fines or penalties will be enforced or collected outside the state of California. However, there is a private/individual right of action when a California resident's personal information is wrongfully disclosed under CCPA. In other words, California residents can sue organizations if their personal information is gathered unknowingly, sold, or abused.
Most recently, a class-action lawsuit was filed against Minted, an online craft and stationery retailer, stemming from a data breach that occurred in May. As a group, California residents can file a class action suit asking for $100 - $750 per person for the misuse of their private data. So, we see that a company that fails to implement reasonable security measures surrounding customers' private information may be on the hook for much more than government fines.
WHAT ABOUT FACEBOOK ADVERTISING AND CCPA?
As soon as CCPA was signed in 2018, California residents' PI began to disintegrate as companies started to delete any data collected from those consumers. This loss of information left Facebook advertisers scrambling for metrics. Facebook then came out with a new feature, Limited Data Use (LDU), to put the burden of compliance on advertisers, not Facebook.
- As of July 1, LDU has been automatically enabled for all Facebook business accounts.
- It limits the ways user data can be stored and processed for all users identified as California residents.
- If a Facebook user lives in California, limited data use rules are applied.
- This feature will only stay on until July 31, 2020, but businesses can extend the transition period for implementing Limited Data Use beyond August 1, 2020, until October 20, 2020, in Events Manager.
- After that, Facebook will require advertisers to update their pixel to include an LDU parameter.
- Organizations that do not take action by July 31 (or after the October 20 extension period of the default application of Limited Data Use) will take on the sole responsibility of CCPA compliance.
"[LDU] automatically applies to all Facebook business accounts, and specifically to users in California that ads are targeting. [LDU] ultimately puts the onus on the advertiser to be in compliance... Its goal is to limit 'personal information,' but there is confusion about what that means." - Search Engine Journal
THE CONSEQUENCES OF CCPA ON FACEBOOK ADVERTISING REMAIN TO BE SEEN
This early in the game, the consequences of CCPA compliance on Facebook and Instagram are unclear. We know that Facebook will be limiting how the platform uses PI. Naturally, we expect to see customer behavior tracking and audience targeting become more challenging for digital marketers who rely on Facebook to generate business in California.
Ultimately, full compliance with CCPA should be the goal of any online retailer, regardless of its annual income or the location of its customer base. Equally, any brick-and-mortar operation in California should pay close attention to the information they are gathering, storing, using, or selling.
Adlucent is proud to offer strategic planning and consulting services for retailers selling to California residents. Our services run the gamut from robust marketplace product listings to fully managed 3PL to smart A/B testing and actionable analytics. If you need help with CCPA compliance or are looking to develop better ways to do business in California, reach out to Adlucent today!