The California Consumer Privacy Act and the Increasing Pressure for a New National Standard

August 13, 2019 | 4 minute read
Brian Sullivan
Strategy Director of Email Deliverability Services, Oracle Digital Experience Agency
Text Size 100%:

First there was the Canadian Anti-Spam Law (CASL), which went into effect in 2014. Then there was the EU’s General Data Protection Regulation (GDPR), which came into effect in 2018. Now, after years of major corporate data breaches and the Cambridge Analytica scandal, stronger privacy and data protection laws are taking hold in the US, with the California Consumer Privacy Act (CCPA) being the most impactful.

Passed in 2018 and due to go into effect on January 1, 2020, CCPA will add significant privacy protections for Californians and place new burdens on businesses. While the law applies only to residents of California, most businesses have customers in the state and collect private information from customers, so it has broad implications for marketers nationwide.

CCPA is the most sweeping consumer privacy legislation ever passed in the US and gives consumers broad control over personal information collected by businesses. The law is not specific to any one digital channel, but spans all channels where personal information is collected, stored, and used by marketers.

Californians will have the following rights under the law:

  • Right to know what personal information is being collected and whether it is sold or disclosed and to whom

  • The right to say no to the sale of personal information

  • The right to access their personal information

  • The right to equal service and price when privacy rights are exercised

How CCPA Impacts Marketers

The California Consumer Privacy Act will enact several requirements that will directly impact how marketers interact with consumers in California and manage their personal information across a broad range of marketing media. These requirements include:

  • Inform customers at the point of collection what personal information will be collected

  • Allow consumers free access to their personal information and make the information available in a portable and readily usable format that can be transmitted to another service

  • Delete a consumer's personal information on request

  • Disclose on request personal information collected, the purpose for collecting or selling personal information, and any third parties with which personal information was shared

  • Honor consumers' requests to opt-out of having their personal information sold to third parties

  • Provide a prominent "Do Not Sell My Personal Information" link on the homepage to facilitate the consumer opt-out process

  • Provide the same level of service and price even when a consumer chooses to exercise their rights under the Act

When the CCPA goes into effect in 2020, marketers must be ready to comply with new procedures, processes, and customer-facing tools. Companies will also need to decide if they will treat California consumers differently from those living outside of California.

The law will be enforced by the Attorney General of California, and the CCPA creates a Consumer Privacy Fund to offset costs of enforcing the law. Consumers will also have a private right of action if companies fail to adequately protect their personal information under the requirements of the CCPA. Penalties for data breaches are also laid out in the Act.

Actions by Other States

As the most-populous state, with more than 12% of the US population, California is the most important state to push for stronger privacy and data protection laws. But it is not the only state to do so:

Now that two states—California and Nevada—have passed privacy laws, pressure is mounting on the federal government to consider a new national privacy law that creates a single standard in order to avoid a patchwork of state laws that will make compliance more complicated and expensive for businesses. If more states, especially large ones like Texas and New York, pass their own laws, pressure for Congress to act will grow exponentially.

Regardless of how this evolves, the bar on privacy and data protection is undeniably set to rise in the US so that it’s more in line with Europe and Canada. Marketers should study this new legislation and start planning now on how to comply with the Nevada and California laws. Businesses that are not ready to comply may be subject to penalties if they don't meet the requirements of the laws. The £183 million fine levied against British Airways under GDPR for a data breach and the record-setting $5 billion fine against Facebook for privacy abuses demonstrate the risks of non-compliance. Marketers should also stay abreast of privacy legislative efforts in other states and at the federal level that may add to compliance requirements.


Need help with data privacy and marketing compliance? Oracle Marketing Cloud Consulting has more than 500 of the leading marketing minds ready to help you to achieve more with the leading marketing cloud, including compliance and data management experts within our Strategic Services Group.

Learn more →


Brian Sullivan

Strategy Director of Email Deliverability Services, Oracle Digital Experience Agency

Brian Sullivan is currently lead deliverability consultant for several high-volume email senders at Oracle Digital Experience Agency. His extensive background in email marketing and focus on deliverability optimization have positioned him to provide expert guidance that helps marketers reach their revenue goals with optimal inbox placement through enhanced messaging strategies that grow and nurture engaged audiences.

Previous Post

The Journey Through the Journey: Using Personalized Email to Streamline Each Customer’s Experience

James Glover | 3 min read

Next Post

Strategic Implementation of Martech Roadmaps

Bruno Chami | 4 min read