As marketers, we live and breathe data. It informs our campaigns, segments our audiences, and lets us create relevant online experiences for visitors. But as technology has evolved, so has consumer data and how it’s used.
While GDPR is already in full effect in Europe, the California Consumer Privacy Act (CCPA) is the first of its kind in the United States and is slated to go into effect on January 1, 2020. It’s been widely viewed as the beginning of the “United States’ GDPR” and enacts strict regulations giving California residents more control over their personal information.
Let’s take a closer look at exactly what the CCPA guarantees consumers, what complying with it involves, and how the CCPA compares to the GDPR.
What the CCPA guarantees consumers
The CCPA guarantees consumers several rights with regard to their personal information, each giving them more control over that data. Below are the rights outlined in the Act:
- The right to know what personal information is being collected.
- The ability to access personal information that’s collected.
- The right to know if your personal information is being sold or shared, and if so, with whom.
- The ability to opt-out of having your personal information sold.
- The ability to request that the personal information a business collected about them be deleted (subject to the exceptions the Act lists, such as completing a transaction the consumer requested or meeting a legal obligation).
*An access request covers the 12 months preceding it, and a business is not required to honor more than two such requests from the same consumer in any 12-month period.
The CCPA was written to cast a wide net in terms of what counts as “personal information” for Californians. It includes the expected items like birth dates, Social Security numbers, email addresses and postal addresses, but it also covers a broader set of interactions: geolocation, IP address, online behavior, browsing and search history, preferences, email open and click behavior, and so on.
For marketers, this broad definition is a big deal since much of this type of behavioral data is the foundation on which our campaigns are built.
For Californian residents, it means they have the right to request that a retailer delete any information collected on them regarding their email interactions, browsing history, and search patterns on their site. By essentially guaranteeing the right to be forgotten if a consumer requests it, companies will have to rethink their approach to consumer behavior.
The CCPA’s goal is to put the power back in the hands of the consumer with regards to their personal information and its protection, which is an important standard to set.
Here at Justuno, we believe data should always be protected, used ethically, and collected in a manner that is transparent. With access to such a wealth of information, comes a responsibility to protect and respect consumers’ rights.
Our agency partner Tinuiti has been on the front lines of data privacy and sees the CCPA as a necessary step in the evolving world of e-commerce and personalization:
As marketers, we understand the importance and power of personal data; CCPA will help us to define the use of this power in an effort to increase trust and visibility for our client’s customers. While targeted, relevant content is king, e-commerce businesses must understand the lines between personalization and abuse of personal data.
What types of businesses have to comply?
First, the CCPA sets minimum thresholds that determine which businesses these regulations apply to. A for-profit business that does business in California and meets any one of the following is legally required to comply:
- Has annual gross revenue of more than $25 million.
- Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenue from selling consumers’ personal information.
Since the CCPA extends these rights to California residents, any business that fits one of the above descriptions and collects personal information from California residents must comply, including companies headquartered outside California and outside the United States.
What does compliance look like?
Now that we know to whom this applies, it’s time to tackle how to comply.
First, compliance will require a comprehensive audit of your data collection and storage practices. Knowing what personal information is being collected, how it’s used, and to whom it’s disclosed is vital.
Next, you need a way to deliver that data back to the consumer. Since the Act requires providing access to personal information in a readily usable, portable format, you need a system for generating these reports from every place the data lives.
In addition, consumers must always have a way to opt-out of their information being sold, as well as a channel for consumers to make information requests and request their information be deleted.
The silver lining to this consumer data audit is that it’s a great time to also take an introspective look at your database and customer profiles. By assembling these personal information “profiles” into actionable (and compliant) setups, you’re taking a granular look at your customer base. Take this time to learn more about who’s shopping with you, what’s working and what’s not, and where there are gaps to fill in your customer journey.
Once you’ve completed these steps, it’s time to add transparency to your onsite messaging. Pop-ups and onsite messaging are going to be key resources for adhering to the CCPA, both for notice at the point of collection and for the opt-out of sale. These onsite tweaks are the most public-facing changes to make, but building the processes behind them for data access and deletion requests will be just as important.
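A worked example of the request-handling side of these steps, added here and not Justuno’s code: an in-memory store that serves access, opt-out-of-sale and deletion requests under the rules described above (12-month lookback on access requests, at most two access requests per consumer per 12 months, a 45-day response deadline). The record layout, the store, the fixed “today” date and all sample records are constructed assumptions; a real implementation would sit behind identity verification of the requester and would pull from every system that holds consumer data.

```python
"""Toy consumer-rights request handler modelled on the CCPA obligations
described above. Added example; not Justuno code. The record layout and the
in-memory store are assumptions, and all records are constructed sample data."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date, timedelta

LOOKBACK_DAYS = 365           # an access request covers the preceding 12 months
MAX_ACCESS_REQUESTS = 2       # no more than two access requests per 12 months
RESPONSE_DEADLINE_DAYS = 45   # the business must respond within 45 days

# Fixed "today" so the example is deterministic (assumption, not real time).
TODAY = date(2020, 1, 15)


class RequestLimitExceeded(Exception):
    """Raised when a consumer exceeds two access requests in 12 months."""


@dataclass(frozen=True)
class Record:
    consumer_id: str
    category: str                      # e.g. "email_click", "browse_history"
    collected_on: date
    value: str
    shared_with: tuple[str, ...] = ()  # third parties this record was sold/shared with


@dataclass
class ConsumerStore:
    records: list[Record] = field(default_factory=list)
    do_not_sell: set[str] = field(default_factory=set)
    access_log: dict[str, list[date]] = field(default_factory=dict)

    def access_request(self, consumer_id: str, today: date) -> dict:
        """Right to know/access: report what was collected, which categories, and
        with whom it was sold or shared, for the 12 months preceding the request.
        Identity verification is assumed to have happened before this is called."""
        window = timedelta(days=LOOKBACK_DAYS)
        recent = [d for d in self.access_log.get(consumer_id, []) if today - d < window]
        if len(recent) >= MAX_ACCESS_REQUESTS:
            raise RequestLimitExceeded(f"{consumer_id}: already {MAX_ACCESS_REQUESTS} requests in 12 months")
        self.access_log.setdefault(consumer_id, []).append(today)

        cutoff = today - window
        in_scope = [r for r in self.records if r.consumer_id == consumer_id and r.collected_on >= cutoff]
        return {
            "consumer_id": consumer_id,
            "requested_on": today.isoformat(),
            "respond_by": (today + timedelta(days=RESPONSE_DEADLINE_DAYS)).isoformat(),
            "categories_collected": sorted({r.category for r in in_scope}),
            "sold_or_shared_with": sorted({p for r in in_scope for p in r.shared_with}),
            "records": [
                {"category": r.category, "collected_on": r.collected_on.isoformat(), "value": r.value}
                for r in in_scope
            ],
        }

    def opt_out_of_sale(self, consumer_id: str) -> None:
        """Right to opt out: record the choice so every downstream sale checks it."""
        self.do_not_sell.add(consumer_id)

    def may_sell(self, consumer_id: str) -> bool:
        return consumer_id not in self.do_not_sell

    def delete_request(self, consumer_id: str) -> int:
        """Right to delete: remove every record for the consumer, not just the last
        12 months. Returns how many records were removed. Records a business may
        keep under the Act's exceptions would be filtered here; this sample has none."""
        before = len(self.records)
        self.records = [r for r in self.records if r.consumer_id != consumer_id]
        return before - len(self.records)


def report_as_json(report: dict) -> str:
    """Serialize the access report in a readily usable, portable format."""
    return json.dumps(report, indent=2)


def build_sample_store() -> ConsumerStore:
    """Constructed sample data (not real consumers)."""
    return ConsumerStore(records=[
        Record("c-1001", "email_click", date(2019, 11, 2), "opened: holiday promo", ("adnet-example",)),
        Record("c-1001", "browse_history", date(2019, 12, 20), "/shoes/running"),
        Record("c-1001", "geolocation", date(2018, 6, 1), "37.77,-122.42"),  # older than 12 months
        Record("c-2002", "email_click", date(2020, 1, 3), "clicked: new year sale"),
    ])


if __name__ == "__main__":
    store = build_sample_store()
    print(report_as_json(store.access_request("c-1001", TODAY)))
    store.opt_out_of_sale("c-1001")
    print("may sell c-1001:", store.may_sell("c-1001"))
    print("records deleted:", store.delete_request("c-1001"))
```

Two design points worth noting. The access report is scoped to the preceding 12 months, but deletion is not: once a consumer asks, everything held on them goes unless an exception applies. And the two-requests limit is enforced on the store itself rather than in a front-end, because an access report handed to the wrong requester is itself a disclosure; the same reasoning is why identity verification has to happen before any of these methods are reached.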
CCPA vs. GDPR
Since its implementation in 2018, GDPR has shaken up Europe and fundamentally changed how companies do business across the Atlantic.
Since the CCPA has been widely viewed as the United States’ version of GDPR, it’s an easy comparison to make between the two laws. But it’s worth noting that being GDPR compliant does not guarantee you’re CCPA compliant.
The CCPA has several specific requirements not found in the GDPR, and they are fundamental to being compliant. The comparison below covers some of the bigger differences between these two sets of privacy legislation.
| | CCPA | GDPR |
|---|---|---|
| Who it applies to | California residents; businesses that meet the thresholds above | Individuals in the EU/EEA; any controller or processor handling their data, wherever the organization is based |
| Privacy notice | A clear “Do Not Sell My Personal Information” link on the homepage so individuals can opt out of the sale of their information; a way for individuals to contact the business to exercise the rights the Act guarantees | A lawful basis is required for every use of personal data; where that basis is consent, it must be opt-in (freely given, specific, informed and unambiguous) |
| Individual rights | Know, access, delete, and opt out of the sale of personal information; the business must respond within 45 days of a verifiable request | Access, correct, delete (erase), and object to processing; a response is required within 30 days (one month) |
| Fines | Civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation; data breaches: statutory damages of $100 to $750 per consumer per incident if reasonable security was not maintained | Up to 4% of global annual turnover or €20M, whichever is higher |
| Personal information | Information that identifies, or can reasonably be linked to, an individual consumer or household; includes traditional identifiers plus online behavior, profiling, etc. | Personal data: any information that can be used to identify an individual (natural person) |
As you can see compliance with one does not necessarily mean compliance with the other, but if you are already GDPR-compliant, you’re one step ahead for being ready for January 1.
Don’t wait around to start getting your website into compliance; with the holidays fast approaching, the January 1, 2020 start date will get here sooner than you think. California is home to just under 40 million consumers, making the odds strong that most sizable e-commerce operations will have to take action to bring their data and website into line.
The CCPA will benefit businesses too: by taking a harder look at your customer data and how it’s stored and used, you’ll learn more about who your customers really are. That can lead to more effective marketing through better-targeted campaigns and personalized messaging.
Want to learn more about how Justuno can help you be CCPA and GDPR compliant? Reach out to our sales team below to chat about how we can help your website today.