First there was the Canadian Anti-Spam Law (CASL), which went into effect in 2014. Then there was the EU’s General Data Protection Regulation (GDPR), which came into effect in 2018. Now, after years of major corporate data breaches and the Cambridge Analytica scandal, stronger privacy and data protection laws are taking hold in the US, with the California Consumer Privacy Act (CCPA) being the most impactful.
Passed in 2018 and due to go into effect on January 1, 2020, CCPA will add significant privacy protections for Californians and place new burdens on businesses. While the law applies only to residents of California, most businesses have customers in the state and collect private information from customers, so it has broad implications for marketers nationwide.
CCPA is the most sweeping consumer privacy legislation ever passed in the US and gives consumers broad control over personal information collected by businesses. The law is not specific to any one digital channel, but spans all channels where personal information is collected, stored, and used by marketers.
Californians will have the following rights under the law:
The right to know what personal information is being collected, whether it is sold or disclosed, and to whom
The right to say no to the sale of personal information
The right to access their personal information
The right to equal service and price when privacy rights are exercised
The California Consumer Privacy Act will enact several requirements that will directly impact how marketers interact with consumers in California and manage their personal information across a broad range of marketing media. These requirements include:
Inform customers at the point of collection what personal information will be collected
Allow consumers free access to their personal information and make the information available in a portable and readily usable format that can be transmitted to another service
Delete a consumer's personal information on request
Disclose on request personal information collected, the purpose for collecting or selling personal information, and any third parties with which personal information was shared
Honor consumers' requests to opt out of having their personal information sold to third parties
Provide a prominent "Do Not Sell My Personal Information" link on the homepage to facilitate the consumer opt-out process
Provide the same level of service and price even when a consumer chooses to exercise their rights under the Act
When the CCPA goes into effect in 2020, marketers must be ready to comply with new procedures, processes, and customer-facing tools. Companies will also need to decide if they will treat California consumers differently from those living outside of California.
The law will be enforced by the Attorney General of California, and the CCPA creates a Consumer Privacy Fund to offset costs of enforcing the law. Consumers will also have a private right of action if companies fail to adequately protect their personal information under the requirements of the CCPA. Penalties for data breaches are also laid out in the Act.
As the most populous state, with more than 12% of the US population, California is the most important state to push for stronger privacy and data protection laws. But it is not the only state to do so:
Nevada, the 32nd largest state by population, successfully amended its existing privacy law by passing SB 220, which has a narrower scope than the CCPA but goes into effect on Oct. 1, 2019, well before the California law.
Texas, the second largest state, is debating two bills—the Texas Consumer Privacy Act and Texas Privacy Protection Act.
New York, the third largest state, is considering passing the New York Privacy Act.
Massachusetts has introduced consumer privacy bill SD 341.
Washington failed to pass the Washington Privacy Act.
Now that two states—California and Nevada—have passed privacy laws, pressure is mounting on the federal government to consider a new national privacy law that creates a single standard in order to avoid a patchwork of state laws that will make compliance more complicated and expensive for businesses. If more states, especially large ones like Texas and New York, pass their own laws, pressure for Congress to act will grow exponentially.
Regardless of how this evolves, the bar on privacy and data protection is undeniably set to rise in the US so that it’s more in line with Europe and Canada. Marketers should study this new legislation and start planning now on how to comply with the Nevada and California laws. Businesses that are not ready to comply may be subject to penalties if they don't meet the requirements of the laws. The £183 million fine levied against British Airways under GDPR for a data breach and the record-setting $5 billion fine against Facebook for privacy abuses demonstrate the risks of non-compliance. Marketers should also stay abreast of privacy legislative efforts in other states and at the federal level that may add to compliance requirements.