The CCPA: Going from “Buyer Beware” to “Buyer Be Warned”

Sometimes it seems California has it all: beaches, wine, movie stars. Now, add one more item to that list: the nation’s most stringent and comprehensive privacy protection law for online consumers. While it’s only a single state law, it will have an impact on online marketing for just about every company in the United States and beyond. But there are some things every e-commerce marketer can do now to protect themselves.

California. Consumer. Protection. It’s All in the Name!

The California Consumer Protection Act (CCPA) is very much what its name says: a statute aimed at assuring every single consumer in California the right to keep their data to themselves. While the law does not prevent marketers from collecting data, it makes it far easier for consumers to opt out while placing potentially severe penalties on marketers who don’t comply with their requests. It’s a pretty big shift from “Buyer beware” to “Seller, be prepared.” The onus for privacy has definitely shifted to the marketer.

The law has some key and clear requirements:

  • Businesses have to inform customers, at or before data collection, of the categories of data and the intended use of their data.
  • Customers have the right to know what data a company has about them (even sites they’ve visited), how the data was collected and why, where the data is shared, and how it is used for profit, and to request the deletion of their data. Customers may also request that their data not be shared.
  • Customers cannot face any penalty for the deletion of their data, including on pricing or services offered.
  • Businesses have to provide notice of a customer’s right to opt out in the privacy policy, with a link saying “Do Not Sell My Personal Information” on the home page.

Does that Mean All Data? All Companies?

So far, it seems pretty simple. And, for the most part, it is. If you collect data from a California consumer, let them know what you’re collecting and why. Then, give them an easy way to say no. But there are exceptions on both what data can be excluded and when companies do not have to comply.

The law only applies to companies that:

  • have over $25 million in annual revenue,
  • hold data on over 50,000 customers, or
  • earn more than half their revenue from the sale of data.

If none of these apply, a company is off the hook. But if the company checks off even just one of those boxes, then the entire law applies.

Quick tip: If you’re even close to the line on any of these points, treat it like you’re already there. Don’t wait until you’re past the threshold and run the risk of being in violation.

Prepare Now, or Be Prepared to Pay the Penalty

To mangle the words of the Red Hot Chili Peppers, even one Californiviolation could mean some pretty serious fines. If a customer requests that their information be removed from an e-commerce marketer’s data, or simply just asks for information on how their data is used, and the marketer does not comply in a specified time frame, the fines can start to add up quickly. In fact, it wouldn’t take long for those penalties to hit the seven-figure mark. And remember, this applies to any business that conducts e-commerce in California, no matter where that company operates.

If this applies to your company, there are some steps you should take now to stay in compliance:

  • Ensure clear and concise privacy policies that are easily understandable to the average consumer.
  • Create a detailed, documented data ecosystem: The ability to understand your data flow across systems, partners and platforms is mission critical for any business and will enable more agility in responding to consumer and regulator requests.
  • Put a process in place to address requests that come in, and ensure that there are data protection agreements or codes of conduct in place for any partner with whom you are sharing data.
  • Revisit the disaster recovery plan, including action steps and protocols to follow if there is a breach of data.
  • Read the CCPA Framework the IAB (Interactive Advertising Bureau) has developed—it has important guidance for any company doing online business with consumers in California.

Quick tip: There are additional exceptions for some specific data uses, as well as for companies in certain industries. If you’re in doubt about whether your company qualifies, speak to your corporate counsel or an experienced e-commerce consultant (such as, well, Marketsmith).

Finally, remember that the consumers this law is meant to protect are also your customers. Do not treat this as a law to get around. E-commerce marketers that embrace the spirit of the law will benefit in the long run. The more transparency you show consumers, the more they will trust your brand. Don’t think of the CCPA as a problem, but as a Golden (State) opportunity to show your customers that you’re on their side.
