The California Consumer Privacy Act of 2018 is a bill passed by the state of California legislature and signed by its governor on June 28, 2018. The measure is officially called AB-375 and is the product of lead authors Ed Chau, member of the California State Assembly from the San Gabriel Valley, located in Los Angeles County, and Senator Robert Hertzberg, who represents the San Fernando Valley in Los Angeles County.
Beginning Jan. 1, 2020, the bill, in part, would grant a consumer the right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared. The bill would also require a business to make disclosures about the information and the purposes for which it is used.
The purpose of this article is to introduce marketers to the major concepts of the new California Consumer Privacy Act of 2018 (CCPA). In future coverage, we will provide action steps on how marketers can begin to prepare for these changes that affect any company that collects data of private Californian citizens.
Why does one state’s new privacy law matter? It’s another major signal that unions, countries and states are taking personal data and consumer rights to privacy seriously. And this, as you’ve learned from our ongoing coverage of the European Union’s General Data Protection Regulation (GDPR), greatly affects marketers and companies that collect data on customers and prospects. Further, California won’t be the last public entity to adopt tougher privacy laws — especially if more data-fallout stories like Cambridge Analytica-Facebook come to light, experts told CMSWire.
Related Article: How GDPR Will Help Rebuild Data Protection and Customer Trust
Brief History on California Privacy Laws
To help understand how California arrived at its new privacy act that takes effect in January of 2020, let’s look at some privacy-legislation history over the last 45-plus years. In 1972, California voted to include the right of privacy among the “inalienable” rights of all people. That right gave individuals the ability to control the use, including the sale, of their personal information. The state followed with adopting privacy measures that include:
- Online Privacy Protection Act
- Privacy Rights for California Minors in the Digital World Act
- Shine the Light, a California law intended to give Californians the "who, what, where, and when" of how businesses handle consumers’ personal information.
It wasn’t enough in the Golden State. California lawmakers in the California Consumer Privacy Act of 2018 wrote in the bill that “California law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information.” They cited the “devastating effects for individuals” with loss of privacy and the “misuse” of data by Cambridge Analytica. “California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information,” lawmakers wrote in the bill. “It is possible for businesses both to respect consumers’ privacy and provide a high level transparency to their business practices.”
To Whom Does the Law Apply?
Businesses that meet one or more of the following thresholds are liable for compliance with the California Consumer Privacy Act of 2018:
- Has annual gross revenues in excess of $25 million
- Annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Get Ready: More Privacy Laws Coming in US
“While GDPR and the CCPA have dominated the headlines to date, marketers should anticipate the pace of regulation accelerating,” said Rob Perry, vice president of product marketing at ASG Technologies. “Already, Georgia is working on its own privacy legislation. As organizations face more and more regulations, it’s essential that marketers understand the ins and outs of each regulation and adjust their tactics and strategies to be compliant.”
Perry suggests marketers, to prepare for these new laws, should first determine what data they have and how it’s being used. “Both GDPR and the California Consumer Privacy Act of 2018 require organizations to obtain consent from individuals to collect and use their data, and then disclose how their organizations will use that data,” Perry said. “Of course, to do this, marketers must know what sort of information they currently have.”
Related Article: Why California's New Privacy Law Signals a Major Shift in the Privacy Landscape
California Citizens Rights to Personal Information Grow
Lawmakers summarize the intent of the new law by bringing to light new data protections for Californians, who now have the right to following:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Say no to the sale of personal information.
- Access their personal information.
- Equal service and price, even if they exercise their privacy rights.
Business Obligations: Informing Consumers, Retaining Data
So what’s on the businesses in terms of compliance with the California Consumer Privacy Act of 2018? Many of the provisions include complying with consumer requests for their personal information. Others require businesses to retain data they collect in certain instances. Businesses must:
- Disclose to a requesting consumer the categories and specific pieces of personal information the business has collected
- At or before the point of data collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used
- Disclose and deliver for free personal information as requested by consumers. Business are not required to provide personal information to a consumer more than twice in a 12-month period.
- Retain any personal information collected for a single, one-time transaction, if the information is not sold or retained by the business
- Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
Related Article: How GDPR and AI Turned Unified Data Into a Business Imperative
Deleting Consumer Information: When You Have to, When You Don’t
Businesses and marketers collecting data from California residents must also be ready to wipe out that data upon request. According to the new law, consumers can request that a business delete any personal information about the consumer which the business has collected from the consumer. Not only must the business comply with the consumer’s request to delete personal information from its records in many cases but also direct any service providers to delete the consumer’s personal information from their records.
The business does have some protections here. It does not have to delete consumer information if it needs the consumer’s personal information in order to complete a transaction for which the personal information was collected or provide a good or service requested by the consumer. The business also doesn’t have to delete the consumer information if it proves to be valuable in detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity or prosecuting those responsible for that activity.
Businesses can skip deletion despite a consumer request if that data is needed to:
- Debug to identify and repair errors that impair existing intended functionality
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest
- Comply with a legal obligation.
What’s the ultimate lesson here for marketers? Prepare, and prepare now. With GDPR already passed (May of this year) and the California Consumer Privacy Act of 2018 coming into compliance in a little more than a year, marketers must prepare for these new consumer rights to unprecedented access to their data. “While the California legislation doesn't reach quite the same scale as GDPR, an overwhelming majority of businesses will be impacted by nature of conducting business in California, and it is inevitable that other states (like Georgia) — and perhaps even the federal government — will follow suit in pursuing similar laws in the 18 months ahead,” said Jonathan Lacoste, Jebbit’s president and cofounder. “While some American businesses could get away with delaying their response to GDPR, they cannot afford to delay here. We’re seeing countries outside Europe and North America catch on, too, like India, which recently introduced a data privacy framework.”
This “privacy parade” is long overdue, Lacoste said, and it is necessary because it will force companies to do what is right and what consumers deserve. “California’s action should provide the impetus companies need to shift their behavior,” he added, “but it will likely be the federal government that will ultimately wield enough power to hold businesses accountable.”