UPDATE (Nov 5th): On Election Day 2020, California voters passed Prop. 24, the California Privacy Rights and Enforcement Act (CPRA). This builds on the consumer rights established in 2018 by the California Consumer Privacy Act (CCPA), which we describe in our original post.

CPRA won’t take effect until Jan. 1, 2023, though it applies to data collected starting Jan. 1, 2022. We’re monitoring this new law closely and will provide more details as they come, but for now, these are the key things ecommerce businesses should know.

Changing who’s affected

CCPA: Any business that “buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices,” OR that derives 50% or more of its annual revenues from selling consumers’ information.

CPRA: Any business that “buys, sells, or shares the personal information of 100,000 or more consumers or households” OR that derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Perhaps the most notable change here is the removal of ‘for commercial purposes’—now, even if you’re not profiting from the use of data, the law will apply to you. CPRA also raises the applicability threshold from 50,000 to 100,000 (but counts only consumers and households, not devices), and adds data sharing as well as selling to the law. That’s because many companies claimed they weren’t selling data, they were just sharing it with vendors in order to serve ads. CPRA explicitly includes cross-context behavioral advertising in its definition of data sharing.

Closing the “business purpose” loophole

CCPA includes exceptions for consumer data used for “a business purpose” by “service providers.” This was intended to keep online transactions easy while reining in targeted ads, but Big Tech simply argued that targeted advertising counted as a “service,” and brands argued that it constituted “a business purpose.” CPRA eliminates the term “service providers” and states that targeted advertising is not a business purpose under the law.

Defining sensitive personal information

In addition to the usual suspects (Social Security numbers, login details, race/ethnicity, sexual orientation, etc.), the CPRA includes “precise geolocation” as sensitive personal information subject to the new regulation. 

Protection for loyalty programs

CCPA took a hard line on retaliation: If a consumer opts out of data sharing, the business cannot charge them higher prices or provide lesser service. CPRA cracks this open in two ways. First, it specifies that loyalty clubs or rewards programs that use shoppers’ information to offer perks are not prohibited. Second, it allows businesses to charge people different prices (or to provide different quality goods and services) based on their privacy choices, “if that difference is reasonably related to the value provided to the business by the consumer’s data.” Of course, how that value will be calculated is anyone’s guess.

Why California's new privacy law is an opportunity to build trust and improve consumer experiences

Amid headlines about data breaches, hacks and security threats, Americans are more pessimistic than ever about how their data is used—and feeling more resigned to a world with diminished privacy protections. According to a recent Pew study, 62% of Americans believe it’s “not possible” to go about daily life without having their personal data collected by companies.

As strategists, we rely on data to develop and refine our ideas, and we encourage our clients to do the same. We believe that smart data practices can result in better marketing, better service, better experiences and better communication between brands and consumers. But none of this works unless you’ve earned your customers’ trust, and if customers don’t trust you with their data, ultimately, they don’t trust you.

On January 1, 2020, the California Consumer Privacy Act (CCPA) will take effect. Created in response to concerns about how consumer data is gathered and used, CCPA is the first legislation of its kind in the U.S. Even though it’s a state law that covers California residents only, CCPA will impact businesses far beyond the Golden State—and experts say it’s just a matter of time before more states pass similar legislation, or band together to push for federal consumer privacy laws.

Yes, new regulations present compliance challenges. We suggest looking at CCPA from a different perspective: It’s an opportunity to audit and improve your data policies and the ways in which you communicate these policies to your customers.

So gather your legal, IT and marketing teams, and let’s walk through CCPA 101.

Does CCPA affect me?

California’s new law applies to any for-profit entity that collects, shares or sells California consumers’ personal data and meets any one of the following criteria:

• Has annual gross revenues greater than $25 million USD.
• Possesses the personal information of 50,000 or more consumers, households or devices.
• Earns more than 50% of its annual revenue from selling consumers’ personal information (this provision specifically targets data brokers).

What counts as "personal information" under CCPA?

According to the law, personal information is any piece of information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (see subdivision 1798.140(o)(1)).

That means stuff like names, email addresses, IP addresses, physical addresses, phone numbers, geolocation data, biometrics, purchase history, account names, usernames, Social Security numbers, license numbers, search or browsing history and more, including “inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes” (see link above for the full list).

In other words, if the information can be used alone or in conjunction with other data to triangulate to a specific person or their household, it counts as personal information. And you may be collecting this type of information without realizing it, if you use third-party apps like Google Analytics that track activity on your website, or if your website uses cookies to track users.

So, what do I need to do?

CCPA compliance can be broken down into three broad sections: notification, opt-outs and response to requests.

Notification

It’s time to take a closer look at your privacy policy or terms and conditions page. Make sure it contains the following, in clear and straightforward language:

• Which categories of personal information you have collected in the past 12 months.
• If you have sold any personal information, which categories of information you have sold in the past 12 months (or note that you haven’t sold any personal information).
• If you have disclosed any personal information, which categories of information were included (or note that you haven’t disclosed any information).
• A notice of consumers’ rights under CCPA.
• At least two ways for users to contact you with requests for information about their personal data, or requests to delete it. At minimum, this should include a toll-free number and a website.

CCPA states that the above notifications must be “in a form that is reasonably accessible to consumers,” so once you’ve updated your language, make sure your privacy policy/T&C page is easy to find and read on all devices.

Clear language and accessible information doesn’t just help you comply with CCPA: It also creates a seamless experience for consumers as they navigate your site looking for information. (If you ask us, everything on your website should be clear, straightforward and easily accessible.)

Opt-Outs

If you are in the business of selling personal information, you must provide “a clear and conspicuous link” on your homepage, titled “Do Not Sell My Personal Information.” Clicking this link must take consumers to a page where they can opt out of having their information sold—and you can’t force them to create an account to do so. Again, this is a basic tenet of user experience: Label things clearly, and reduce friction so people can accomplish what they’re trying to do.

Response to Consumer Requests: I Want My Info

If California consumers request information about their personal data from you (like what you’ve collected, and when, and how, and who you’ve shared it with), here are the rules:

• You have 45 days from receipt of the request to disclose and deliver the required information.
• It’s on you to verify the request. Verification is included in the 45-day time limit.
• If you need more time, you can make a one-time extension of 45 days “when reasonably necessary,” and only if you notify the consumer of the extension before the first 45 days are up.
• The disclosure you provide must cover the 12 months immediately preceding your receipt of the request.
• The disclosure must be in writing. You can deliver it through the consumer’s account with your business (if they have one), or by snail mail or email if they prefer.
• You can’t force someone to create an account in order to make a personal data request.
• You must deliver the requested information free of charge.

Response to Consumer Requests: Delete My Info

California consumers also have the right to request that you delete their personal information. If you receive such a request, not only do you have to delete that data, you must also direct any service providers you use to delete it from their records, too. But there are exceptions! You don’t have to comply with deletion requests if:

• The data is needed in order to complete the transaction for which it was collected, or to provide something the consumer ordered, or to otherwise fulfill a contract between you and the consumer. (If Jane Doe orders a box of widgets from you, then asks you to delete her mailing address before it ships, she’ll never get her widgets.)
• The data is needed to detect a security incident, protect against fraud or illegal activity, or prosecute those involved with such activity.
• The data is needed to debug errors that impair intended functionality.
• The data is an exercise of free speech, or ensures the right of other consumers to exercise free speech, or to exercise other legal rights.
• The data is part of formal research “in the public interest that adheres to all other applicable ethics and privacy laws, when… deletion of the information is likely to render impossible or seriously impair the achievement of such research.” In this case, you’d need to let Jane Doe know her request for data deletion imperils the development of a human habitat on Mars, and give her the opportunity to make informed consent.
• You need the data to comply with a legal obligation. (For example, if you’re in the midst of a lawsuit in which consumer data is evidence, you can’t destroy evidence, even if Jane wants you to.)
• The data is only used internally for purposes that are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” or it’s otherwise used in an internal, legal manner “compatible with the context” in which the consumer provided it. (In other words, Jane Doe can’t reasonably expect her online bank to delete information about her account balances—that’s what the bank is there to maintain.)

OK, what else do I need to do?

Transparency with consumers means you need internal transparency, too. Make sure you’re able to answer these questions:

• Do we know what data we’re gathering, when and how? Are we gathering data through the use of external vendors, service providers or third-party apps?
• Where is this data stored? Are we subject to any mandatory data retention laws?
• How do we use the data we gather?
• What data is essential for our routine business needs? What’s helpful for marketing or strategy purposes? Is any of the data we gather superfluous?
• Who has access to this data? How are we protecting it?
• If a California resident asks us for information about their data, or requests data deletion, who will respond to this request? Who will monitor the timeliness and legality of our responses?
• If a consumer with privacy concerns—whether they live in California or anywhere else—visits our sites, will they feel informed and empowered at every step of the journey? Or are any of our touchpoints unclear, misleading or missing information about data use and privacy?
• If a media outlet contacts us with questions about our use of data, who will respond, and how? How does our perspective on privacy and data collection align with our core values?
• Are we prepared to evolve our data strategy as privacy regulations evolve?

Is CCPA the same as GDPR?

No, and not just because they apply to different territories.

When the European Union implemented its General Data Protection Regulation (GDPR) in May 2018, businesses and organizations had to make operational, technical and legal changes to ensure compliance. While GDPR and CCPA have the same intention—to increase transparency about data collection, and to strengthen consumers’ rights—their rules are different. So it’s not quite accurate to call CCPA “California’s GDPR,” but the good news is, if your business has already taken steps to achieve GDPR compliance, you’ve got a head start in preparing for CCPA.

The nonprofit Future of Privacy Forum and DataGuidance published this in-depth comparison of GDPR vs. CCPA (pdf warning).

Where can I learn more?

You should take the time to read the full text of CCPA, also known as AB-375. Consult an attorney for any specific questions about how this law might apply to your business.

The Future of Privacy Forum provides resources, whitepapers, news and analysis about privacy legislation and emerging technology. The Electronic Frontier Foundation’s Privacy section covers privacy from a citizen’s perspective, focusing on everything from legislative developments to RFID to online tracking. TechCrunch has written extensively about CCPA and its impact on businesses.