Last updated on 01 October 2020
Stronger privacy protection and greater data transparency online are growing global trends. Driven in part by the rise in consumer data breaches are greater consumer privacy concerns. The Cambridge Analytica scandal, in which the Facebook data of at least 87 million people were misappropriated, and other instances like this have brought attention to how businesses collect, use, and sell consumer data. Concern over the use and misuse of this data is widespread.
In many global jurisdictions, the response has been privacy legislation which forces businesses to comply with sometimes onerous regulations regarding consumer data and privacy. One of these pieces of legislation is the California Consumer Privacy Act. In its second section, it lays out how pervasive privacy concerns have become and how “it is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information. As the role of technology and data in the everyday lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses.”
All of this data can be great for marketers, but businesses need to comply with privacy laws in order to avoid fines and stay up to date with consumer demand for privacy and data transparency online.
A number of privacy laws are already in effect around the world, and a number are making their way through various legislatures. There is no doubt that the trend towards consumer privacy legislation is growing and marketers will continue to see these types of laws passed around the world. One already in effect is the European Union’s General Data Protection Regulation (GDPR). It went into effect in May 2018 and its aim is to give consumers greater control over their data. The law sets rules for the collection and processing of personal information from people who live in the European Union. Because the law applies regardless of where websites are headquartered it has to be followed by all sites that receive European visitors (even if the site doesn’t specifically market to European Union residents!). The GDPR stipulates that European Union visitors are provided with several data disclosures. Websites must also uphold European Union consumers’ rights to a timely disclosure in the event of personal data being breached. GDPR authorities can issue fines of up to 20 Million Euros or 4% of annual worldwide turnover, whichever is higher if a company goes against the terms listed in the GDPR.
The GDPR is the first of what is likely to be many more privacy laws to come. There is a growing interest in this type of legislation. Despite the fact that privacy legislation bills failed to pass in Washington and Texas, Nevada successfully passed an online privacy amendment. In addition, proposals for privacy bills in New York and Washington, DC have been gaining momentum. Marketers need to stay on top of these laws, note that the landscape is shifting towards greater consumer privacy and figure out what internal changes need to be made to keep on track and avoid penalties from regulators and negative encounters with privacy-minded consumers.
The California Consumer Privacy Act of 2018 (CCPA) is by far the strongest privacy legislation enacted in the United States at this time. It gives more power to consumers over their private data and gives them protection in terms of how their personal information can be used by for-profit enterprises. The law explicitly mentions that it’s in response to the Cambridge Analytica scandal. Businesses must be in compliance by January 1, 2020 (the starting date on which the state can bring enforcement actions involving noncompliance).
For marketers, there are three major things to be aware of. First is that wherever personal information is collected businesses must disclose what information they collect and how they will use it. Secondly, businesses have to provide consumers with the ability to “opt-out” of having their information sold to third parties. Thirdly, businesses must allow consumers to view and delete the information that has been collected about them.
If your business (or for-profit entity) is located in California and meets any of the following criteria it has privacy requirements that need to be met under the law. The criteria are:
The law doesn’t differentiate between brick-and-mortar and online companies. This means that even a company with no physical presence or employees in California could still do business there and therefore has obligations under the law. So your business doesn’t even need to be located in California for the California Consumer Privacy Act to apply to you. Like the GDPR, CCPA will affect businesses outside the law’s jurisdiction. This is due in part because it’s often simpler to comply with the regulations for all users than try to enact different experiences for users based on location.
The International Association of Privacy Professionals estimates that more than half a million US companies will be directly affected. Almost 40 million people live in California (around 12% of the United States’ population). Its economy is worth around $2.7 trillion. If it were a country it would be the fifth-largest economy in the world. It’s a marketplace too large to ignore and companies will have to comply with the CCPA to do business there. Companies that are already in compliance with GDPR will have a leg up on those who do not, as the regulations are similar.
Marketers should prepare not only by gearing up to meet the requirements as set forward in the legislation by January 1 but also by monitoring any changes to the regulation and making adjustments in a timely fashion thereafter.
The broader effects of the CCPA may go beyond compliance obligations. The bill takes direct aim at data brokers and targeted ad-tech solutions. These business models will come under pressure and marketers who rely on these services may have to pursue alternative methods for compiling consumer data and delivering relevant targeted offers.
Consumers have new rights under the CCPA that companies need to be aware of. These rights fall into three broad categories: the right to information, the right to be omitted, and the right to control the access to your information.
Under the CCPA consumers have the right to know what information business is collecting about them, in what way that information will be used, and whether that information will be disclosed or sold to a third party. Businesses must allow consumers to obtain, twice per annum at zero cost, all the information that the business has about them, how that information was collected, and who else has been given said information.
The CCPA stipulates that consumers must be able to request the deletion of all of their personal information from a company. If the information has been shared with third parties then those parties must also delete said information.
Starting January 1, 2020 businesses must allow consumers to be able to opt-out of the resale of their information. The rules are even more stringent for minors. Consumers under the age of 16 must affirmatively opt in to allow the resale of their data. Consumers under the age of 13 must have written permission from a parent or guardian in order to allow the resale of their data.
First of all, marketers need to review their current procedures. They must understand their current policies and procedures regarding the collection, storage and use of subscribers' data and mailing preferences. Note what rights consumers have under the CCPA and be ready to comply with the disclosure and removal of user data. Marketers need to understand how a user's preferences about their data can be stored and how documentation would be provided if a user requests it.
Second of all, marketers need to be thinking in the long term about how they set up their systems. For example, even though GDPR only applies to EU visitors, many companies have opted to implement the same higher standards across their entire platform in order to proactively prepare for similar legislation to be passed in other jurisdictions. Those who are already compliant under GDPR will have a head start on preparing for the CCPA. In the same vein, marketers who prepare for the CCPA will have a leg up if privacy bills that are making their way through the legislature pass in New York, Mississippi, and Massachusetts.
If, because of a business’ negligence, a consumer’s information is improperly disclosed, the CCPA makes it easier for consumers to sue (even if there is no evidence that the data breach caused the consumer harm!).
What could be very costly for businesses is the potential for class-action lawsuits due to a data breach? Companies could be on the hook for between $100 and $750 per incident (or even more if the actual damages exceed $750).
The California Consumer Privacy Act will go into effect on January 1, 2020. Marketers should prepare in advance to make changes to comply with the regulations. They should continually keep an eye on the regulations and update requirements as needed. Providing additional disclosure to consumers, facing restrictions on selling data and the threat of penalties for non-compliance can be scary. Despite this, the CCPA presents marketers with an opportunity to connect with privacy-minded consumers and even strengthen the relationship between consumers and your business. Use the CCPA to educate consumers on the data you are collecting and how you make use of it. Be sure to tell them their rights under the CCPA and how you are compliant. This can build trust with consumers and helps you use the CCPA to your advantage as a marketer.
Here are actionable resources we've curated for you!