The CMO Club Virtual Roundtable “California Consumer Privacy Act, Are You Ready?” addressed the law and what it means for marketers. It was led by Odia Kagan, partner and chair of GDPR and international privacy at Fox Rothschild LLP, and Brian Philbrook, privacy counsel at OneTrust.
The California Consumer Privacy Act (CCPA) went into effect on Jan. 1, 2020. Kagan said enforcement by the California attorney general begins after the draft regulations, proposed in October, become final – this is expected in July 2020.
“That’s the deadline that companies need to work toward,” Kagan said.
CCPA is unique because it is a comprehensive privacy law and not sector specific, focusing on information that identifies people that reside in California. “Personal information” is defined in a very broad way, she said.
In the business world, CCPA applies to for-profit organizations that collect consumers’ personal information online and offline, and do business in the state of California, Philbrook said. If a business meets these criteria, then they must also meet one or more of the following, he said:
- Annual gross revenues in excess of $25 million
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Meeting one of these bulleted criteria means an organization must comply with CCPA, Philbrook said. It’s important to note that the business headquarters does not need to be located in California if the organization is doing business in California. Under the law, consumers are California residents; people who are not California residents are not covered by CCPA.
“You may not have any physical presence in California, but you can still be subject to the law’s requirements,” he said.
CCPA gives five types of rights to the consumer:
- The right to know – the right to receive disclosure about what’s being collected, why, and who it is being shared with.
- The right to access information – the right to get information about the data collected from the consumer.
- The right to delete – the consumer’s right to request that any information a company holds about him/her be deleted or anonymized. There are certain exceptions to this, Kagan said.
- The right to opt out of a sale – businesses must notify consumers regarding what information they’re selling to third parties, and give the consumer the right to opt out of the sale.
- The right to not be discriminated against – if a consumer has exercised his or her rights, the business cannot degrade the quality of the product to that consumer.
It’s important to understand that a “sale” does not necessarily mean money is exchanged, Kagan said. For example, the easy definition of a sale is if you buy leads or share leads, or sell a list of emails. In this case, you need to give people a notice to opt out. It gets more complicated when the “sale” is about value add, she said, such as ad networks or targeted advertising.
Philbrook said companies are choosing to take one of three approaches with respect to compliance. The narrow approach involves doing the minimum necessary for compliance, he said. But most are in the mid-range, viewing CCPA as a catalyst for privacy program maturity.
“You can leverage CCPA as an opportunity to drive program maturity across the organization,” Philbrook said. “We anticipate that more laws like CCPA will be coming.”
He then laid out a six-step guide to preparing for the CCPA that includes:
- Understand the scope. Every organization, before implementing the law, must figure out if it applies to them and to what degree, he said. From there, the other five steps follow.
- Streamline Consumer Rights.
- Meet the “Do Not Sell My Personal Information” Requirement.
- Enable Location Specific Cookie Banners.
- Track Verifiable Consent.
- Map the Flow of Personal Data to Perform Key Consumer Rights Requests.
Come July, CCPA becomes fully enforceable, Kagan emphasized, and it’s important to recognize that California is just the beginning. The states of Washington, New Hampshire, Florida and others are working on similar laws. These laws will not be identical, so there will need to be education on a state-by-state basis, she said.
“And, the companies more invested in marketing and brand recognition are going to be under more scrutiny,” she said. “If a consumer asks for their information to be deleted, can you prove that it’s been deleted?”