Apr 25, 2023
If you haven't yet heard about the CCPA, this is your chance to get caught up. The closest thing to GDPR in the U.S., the California Consumer Privacy Act (CCPA) has actually been in effect since January 1, 2020 but many people are still unsure of the full effects of it.
The CCPA is a landmark bill that aims to protect consumer privacy rights. Large technology companies like Google and Meta have less freedom with data harvesting, and consumers will have greater control over the personal information that these companies collect, store, and share.
California has made its name as the cradle of tech since even before the internet boom in the 1990s, with Silicon Valley as the beating heart. While startups have been flourishing in other parts of the world, Silicon Valley is still the epicenter of tech and innovation.
Now, any company that deals with the data of California residents will have to review their practices. It is in fact the most restrictive state privacy law passed anywhere in the U.S.
Over the past few years, there has been a litany of data leaks and consumer privacy scandals, leaving consumers feeling wary about sharing personal information online.
The Cambridge Analytica debacle that revealed Facebook had compromised 87 million user accounts was the major headline. Amazingly, after a lengthy court battle, the social media giant has escaped with a paltry fine of £500,000 ($645,000).
Yahoo was not so lucky. Multiple breaches between 2012 and 2016 ended up costing the company $117.5M in a class-action lawsuit. LinkedIn, Capital One, Equifax, and Uber have all found themselves in hot water in the past few years, bringing the data-driven age under question.
As technology evolves and the world’s data reserves grow, so too does the threat of cyber-crime and data breaches. Research by Visual Capitalist found that 75 data records are compromised every second.
In the online world, much of 2018 was dominated by the hype around the European General Data Protection Regulation (GDPR). The changes enacted by the GDPR laws forces companies to take more responsibility with consumer data and to inform consumers about the practices and processes involved in data collection.
In its first year, TechRepublic reported that there were over 200,000 cases of breaches and complaints, and over $60 million in fines issued.
Top tip: even if you are not located in the EU, if you're doing business with EU citizens you need to pay attention to GDPR. Read our full checklist for marketers.
While the GDPR came from the top-down, by comparison, the CCPA started from the bottom-up, beginning as a grassroots initiative driven by a collective led (and funded) by wealthy real estate developer, Alastair Mactaggart. The coalition called themselves, "Californians for Consumer Privacy," and began their battle in San Francisco and Oakland as a citizen ballot initiative.
Mactaggart summarized the proposal as follows:
“Tell me what you know about me. Stop selling it. Keep it safe.”
In the wake of the Facebook scandal, the initiative built up a head of steam, defeating all opposition from the companies it would impact the most.
Google, Facebook, Comcast, Verizon, and AT&T created a fund to try and derail the CCPA, and are expected to continue their opposition in an effort to water down the new laws.
24% of C-suite members claimed the GDPR changes caused frustration with customers due to the extra steps needed to opt-in.
So just how is the CCPA different from the GDPR?
Well, whereas the GDPR applies to all companies, the CCPA only applies to larger companies, specifically those that satisfy these three conditions:
It’s understandable why the digital giants above are so opposed to this act, but there is another critical difference from the GDPR that may actually be the saving grace for these companies:
When the CCPA bill passed on May 29, 2019, many consumer protection groups celebrated, viewing this as a significant victory,
We live in a data-driven age, where companies leverage consumer data for personalized marketing, automated customer service, and laser-focused sales techniques.
This is a double-edged sword for consumers, as you can benefit from sharing more, but you run risks when companies aren’t taking care of your personal information.
“The Consumer Privacy Act will allow consumers to take control of and make informed choices about their own data, control that fosters a healthy relationship to technology and overall digital wellbeing,”
Under the CCPA, consumers have several fundamental rights:
Ultimately, the CCPA gives consumers more transparency from companies so that they can have more control over their personal information.
So, if your company fits the bill in satisfying the three aforementioned conditions above, it would be expected to adhere to the CCPA regulations, which are:
With these new restrictions placed on companies, it's easy to see why big corporations haven't been so keen on the CCPA. It's clear that the act is designed for consumers.
But what about the companies? Can the CCPA benefit companies too?
All companies in California have to be in line. Therefore, the playing field in California is, technically, level, with no businesses holding any advantages over another.
Some may worry that they're losing an edge on their competition for business outside of California, but here’s the thing:
California is not just one of the fifty states in the United States - it’s actually the fifth largest economy in the world.
Data protection is a global movement, and consumers all over the world want to know their personal information is kept safe. Companies who take steps towards greater compliance will be viewed as more trustworthy by consumers both in California and further afield.
Furthermore, with the CCPA clamping down on data selling, companies must rely on first-party data. By working harder to collect their consumer data, they ensure its integrity and accuracy.
In the long run, having more accurate data will be a solid foundation for any data-driven marketing strategies. It’s feasible that the CCPA may bring companies and consumers closer together, fostering greater trust and understanding between them.
The Attorney General (AG) of California is set to enforce a $7,500 penalty for intentional violations of the California Consumer Privacy Act. Also, if a company gets hacked, individual consumers may sue for $100-$750 per event, or possibly more if the damages cost more.
When you compare that to the GDPR, which gives EU regulators the power to fine companies over US$23 million, it’s quite easy to imagine a lot of businesses bending the rules of the CCPA.
Despite its best intentions, there are some grey areas in the CCPA - most notable is the inclusion of a controversial "cure" provision. This provision effectively lets a company off the hook, providing they take certain steps to amend their data violation.
Many critics of the bill believed the California AG office would not be adequately prepared to police the CCPA law, and that companies might skirt the law, knowing they can rely on the “cure” loophole should they ever get caught.
A leading figure in a prominent privacy class-action firm, Jay Edelson, gave a damning review of the CCPA:
“Our view is that this is a disaster of a law because it scares the bejesus out of businesses and costs them a ton of money in compliance. But to us, it's totally toothless."”
So many companies are not affected, due to their size. But what about big companies that deal with California residents? Their digital marketing team needs to be in line with it. Digital marketers should be establishing processes for collecting and storing data, with strategies to deal with data release requests from consumers.
Data protection is now central to any digital strategy. Our digital marketing strategy course will not only cover the fundamentals of strategy but explore automation, analytics, budget, digital channels, leadership, and much more. Enroll today to get started!