The California Consumer Privacy Act (CCPA) has been put into effect by California Assembly member Ed Chau as a compromise between tech companies and advocates for data privacy. The law went into effect on January 1, 2020, granting new consumer rights relating to the access, deletion of, and sharing of users’ personal data that is collected by companies. Roughly a year following GDPR, the United States is long overdue for legislation outlining the protection of citizens’ personal information, and with the CCPA serving as the strictest data privacy law the United States has ever seen, we’re expecting massive changes in the way marketers use data in 2020 and beyond.
What are users’ rights? (Retrieved from the CCPA website)
– Right to know all data collected on them, including what categories of data and why it is being acquired, before it is collected, and any changes to its collection
– Right to refuse the sale of their information
– Right to request deletion of their data
– Mandated right to opt-in before the sale of information of children under 16
– Right to know the categories of third parties with whom their data is shared, as well as those from whom their data was acquired
– Enforcement by the attorney general of the state of California
– Private right of action should breach occur, to ensure companies keep their information safe
Who is required to be CCPA Compliant?
– Companies with over $25 million in annual revenue
– Companies that collect the personal information of 50,000 people or more every year
– Companies that derive 50% or more annual revenue from selling consumers’ data
– Nonprofits are exempt
What makes the CCPA groundbreaking is the type of data users are able to see for the first time, this includes smartphone locations, voice recordings, logs of online activities, physical locations, ride routes, facial data, ad-targeting data, and information on how they’ve used this data to make inferences upon intelligence, behavior, attitude, socioeconomic standing, and numerous other factors. Users’ data requests must receive a response within 45 days, and those wanting to prohibit the sale of their data are advised to prominently display a notice stating, “Do Not Sell My Data”. At the surface, these regulations appear straightforward, but there’s a lot to unpack here, particularly what it means to “sell” data.
The nuances of the CCPA aren’t universally understood, and industry-wide, companies are taking a stand against what it means to “sell data”. The very companies that have most poignantly affected the way we look at data privacy (namely Google, Facebook & Amazon) have taken the stance that they do not sell personal data. Amazon’s privacy page discloses “We are not in the business of selling our customers’ personal information to others.” Yet just a few lines down they acknowledge, “Third-party advertising partners may collect information about you when you interact with their content, advertising, and services. […] We provide ad companies with information that allows them to serve you with more useful and relevant Amazon ads and to measure their effectiveness.” Similarly, Peloton makes the claim that they do not sell data “as we understand it,” then recoil at the statement by pointing out that California law hasn’t clarified what constitutes a “sale of data”. Indeed on the other hand has asked opt-out users to outright delete their accounts.
Clearly, there’s an industry-wide disconnect on how to approach the new law, and technology leaders with the greatest foothold on our data are challenging the CCPA with their own interpretations.
For every record of an unintentional violation, companies will be fined $2,500, and each intentional violation will be fined $7,500. According to eMarketer, only 27% of companies are expected to be CCPA compliant at some point in 2020. They also found that cost is the greatest roadblock in becoming compliant, with estimated initial costs potentially reaching $55B. In the short run, the CCPA will constrain smaller firms far worse than the well-prepared (and lawyered) conglomerates, but industry experts are expecting this imbalance to level with the emergence of third-party solution providers.
Cost of compliance aside, the root of marketers’ anxiety lies in the imminent loss of valuable data. Matt Voda, CEO of OptiMine Software, told Marketing Dive, “The consumers’ right to be forgotten and not have data be sold has downstream, negative impact around certain forms of marketing measurement.” He also adds that this could pose “significant problems” for multitouch attribution (as if MTA measurement tactics weren’t challenging enough). Others have called to question whether the CCPA may lead to privacy becoming the premium option, similar to how AT&T up-charged customers hundreds of dollars annually for opting-out of behavioral targeting. For now, the pervasive effects are unknown, although it’s safe to assume the CCPA will provoke widened awareness and public interest in data privacy as well as intensified pressure on government officials to homogenize these standards across the United States.