The California Consumer Privacy Act (CCPA) is scheduled to be enforced on July 1, 2020, and it will affect how brands collect consumer data and launch targeted marketing campaigns.
Here’s what you need to know.
What is the CCPA?
The CCPA is an act submitted by the Office of the California Attorney General to the California Office of Administrative Law.
According to the CA.gov website, “CCPA grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete, and the right to opt out of the sale of personal information that businesses collect, as well as additional protections for minors.”
As Wired reported, it’s the first U.S. law to propose a comprehensive set of rules for handling consumer data.
Didn’t the CCPA go into effect on January 1, 2020?
Yes, it did officially. But it doesn’t become enforceable until July 1, 2020.
Does the CCPA apply to my business?
The CCPA doesn’t apply to all businesses. It only applies to a business that:
- Operates in California
- Generates a gross annual revenue of $25 million+
- Handles personal information of 50,000+ customers
- Brings in 50%+ of its revenue from selling user data
So, if I’m a small business, I don’t have to worry?
Not necessarily. The CCPA is a big step towards regulating and normalizing data privacy disclosures. National enforcement could come next, and other states like Vermont and Nevada already have their own privacy laws. All businesses should prioritize transparency and compliance to keep consumers properly informed and comfortable working with them.
And it’s only for California residents?
Yes, but California is the most populous state in the US and home to the world’s fifth-largest economy, surpassing the UK. Unless you operate a hyper-local business, chances are you reach California consumers and audiences with online content or e-commerce.
What steps can I take to comply with the CCPA?
Here’s what you can do:
- Notify customers of when, where, how, and why you collect and sell their data. This can be done with site banners, privacy notices, and clear disclosures.
- Invite customers to opt out of having their data sold and to request that their data be deleted.
- When asked, be prepared to provide customers with the data you’ve collected from them.
- Revamp agreements with third-party partners who help you collect and sell data.
- Keep this information updated as your data strategies change.
Is the CCPA like the GDPR?
The General Data Protection Regulation (GDPR) went into effect in 2018, creating a standard data privacy law for businesses and consumers in the European Union. So if US companies have audiences and customers in the EU, they should already be compliant with the GDPR.
The CCPA and GDPR are similar: both provide increased data protection and privacy for consumers and place restrictions on how businesses use that data. There are, however, certain differences between the two, including:
- The GDPR applies to all businesses in the EU, while the CCPA applies to businesses that meet certain criteria.
- The GDPR allows users to opt out of having their information collected. The CCPA allows users to opt out of having their information sold.
What about CCPA 2.0?
CCPA 1.0 isn’t even enforced yet, and lawmakers are already working on getting CCPA 2.0 on the November 2020 ballot in California. This new act would increase restrictions on how businesses collect data, including “sensitive personal information,” such as information about people’s health, finances, and precise locations. It would also establish a government agency specifically to implement and enforce these new standards.
If CCPA 2.0 is on the ballot and approved in November 2020, it wouldn’t be officially enforced until July 1, 2023.