The California Consumer Privacy Act (CCPA), gives the state’s residents the right to learn what data companies collect about them. It also lets Californians ask companies to delete their data and not to sell it.
The law is often compared to the European Union’s General Data Protection Regulation (GDPR), currently the benchmark for online privacy.
Here’s what you need to know about CCPA and how it will affect you and your marketing automation program.
Does this affect my company?
The CCPA applies to “any business that earns $25 million in revenue per year, sells 50,000 consumer records per year, or derives 50% of its annual revenue from selling personal information.” This includes businesses that collect or sell personal information from consumers in California, regardless of where the company itself is located.
What personal data does this cover?
CCPA covers all the data you might expect: your name, username, password, phone number and physical address. It also includes information used by companies to track your online behavior, such as IP addresses and device identifiers and browsing history. This is where your marketing automation system comes into play. Every contact that has clicked on a marketing email link or filled out a website form has a cookie placed on their computer that tracks their behavior in marketing emails and on your website.
How is this different from that other big privacy law, the GDPR?
GDPR applies to companies with contacts in the European Union, and it regulates how companies can collect the same kind of personal information as CCPA does. However, the European law puts some stricter controls on how companies must approach collecting user data.
First, GDPR requires companies to get consent to collect data or to have some other valid reason for collecting user information. Secondly, it requires companies to minimize the data collected. CCPA doesn’t require companies to go through these steps to collect personal information, so any limits on data collection will be imposed by individual users who make requests to delete and opt out.
What should we do?
Even if your company doesn’t fall under the CCPA requirements, you may want to set up a basic data privacy system now. Having a Privacy Policy in place for your users demonstrates that you value their privacy and will reinforce confidence in your company. From a legal perspective, the state of California is often at the forefront of new forms of legislation. Once California passes a law, other states tend to consider following suit. California is the country’s largest market with nearly 40 million residents, and carries a lot of weight. Already, nine other states are considering similar laws, and Maine and Nevada have already passed narrower versions of privacy legislation. Of course, if you market to EU residents, you’ll want to comply with the GDPR as well.
We recommend that you post a privacy statement on your website and have some basic consent mechanisms in place. Read this blog article for more information on Cellerynt’s recommendations.