CPRA and CCPA Compliance: What You Need to Know

UPDATE (Nov 5th): On Election Day 2020, California voters passed Prop. 24, the California Privacy Rights and Enforcement Act (CPRA). This builds on the consumer rights established in 2018 by the California Consumer Privacy Act (CCPA), which we describe in our original post.

CPRA won’t take effect until Jan. 1, 2023, though it applies to data collected starting Jan. 1, 2022. We’re monitoring this new law closely and will provide more details as they come, but for now, these are the key things ecommerce businesses should know.

Changing who’s affected

CCPA: Any business that “buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices,” OR that derives 50% or more of its annual revenues from selling consumers’ information.

CPRA: Any business that “buys, sells, or shares the personal information of 100,000 or more consumers or households” OR that derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Perhaps the most notable change here is the removal of “for commercial purposes”: now, even if you’re not profiting from the use of data, the law will apply to you. CPRA also raises the applicability threshold from 50,000 to 100,000 (but counts only consumers and households, not devices), and covers data sharing as well as selling. That addition closes a common argument: many companies claimed they weren’t selling data, only sharing it with vendors in order to serve ads. CPRA explicitly includes cross-context behavioral advertising in its definition of data sharing.

Closing the “business purpose” loophole

CCPA includes exceptions for consumer data used for “a business purpose” by “service providers.” This was intended to keep online transactions easy while reining in targeted ads, but Big Tech simply argued that targeted advertising counted as a “service,” and brands argued that it constituted “a business purpose.” CPRA eliminates the term “service providers” and states that targeted advertising is not a business purpose under the law.

Defining sensitive personal information

In addition to the usual suspects (Social Security numbers, login details, race/ethnicity, sexual orientation, etc.), CPRA includes “precise geolocation” as sensitive personal information subject to the new regulation.

Protection for loyalty programs

CCPA took a hard line on retaliation: If a consumer opts out of data sharing, the business cannot charge them higher prices or provide lesser service. CPRA cracks this open in two ways. First, it specifies that loyalty clubs or rewards programs that use shoppers’ information to offer perks are not prohibited. Second, it allows businesses to charge people different prices (or to provide different quality goods and services) based on their privacy choices, “if that difference is reasonably related to the value provided to the business by the consumer’s data.” Of course, how that value will be calculated is anyone’s guess.

Why California's new privacy law is an opportunity to build trust and improve consumer experiences

Amid headlines about data breaches, hacks and security threats, Americans are more pessimistic than ever about how their data is used—and feeling more resigned to a world with diminished privacy protections. According to a recent Pew study, 62% of Americans believe it’s “not possible” to go about daily life without having their personal data collected by companies.

As strategists, we rely on data to develop and refine our ideas, and we encourage our clients to do the same. We believe that smart data practices can result in better marketing, better service, better experiences and better communication between brands and consumers. But none of this works unless you’ve earned your customers’ trust, and if customers don’t trust you with their data, ultimately, they don’t trust you.

On January 1, 2020, the California Consumer Privacy Act (CCPA) will take effect. Created in response to concerns about how consumer data is gathered and used, CCPA is the first legislation of its kind in the U.S. Even though it’s a state law that covers California residents only, CCPA will impact businesses far beyond the Golden State—and experts say it’s just a matter of time before more states pass similar legislation, or band together to push for federal consumer privacy laws.

Yes, new regulations present compliance challenges. We suggest looking at CCPA from a different perspective: It’s an opportunity to audit and improve your data policies and the ways in which you communicate these policies to your customers.

So gather your legal, IT and marketing teams, and let’s walk through CCPA 101.

Does CCPA affect me?

California’s new law applies to any for-profit entity that collects, shares or sells California consumers’ personal data and meets any one of the following criteria:

What counts as "personal information" under CCPA?

According to the law, personal information is any piece of information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (see subdivision 1798.140(o)(1)).

That means stuff like names, email addresses, IP addresses, physical addresses, phone numbers, geolocation data, biometrics, purchase history, account names, usernames, Social Security numbers, license numbers, search or browsing history and more, including “inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” (see the subdivision cited above for the full list).

In other words, if the information can be used alone or in combination with other data to triangulate to a specific person or their household, it counts as personal information. And you may be collecting this type of information without realizing it: third-party tools like Google Analytics that track activity on your website collect it on your behalf, and so do the cookies your website sets to track users.

So, what do I need to do?

CCPA compliance can be broken down into three broad sections: notification, opt-outs and response to requests.

Notification

It’s time to take a closer look at your privacy policy or terms and conditions page. Make sure it contains the following, in clear and straightforward language:

CCPA states that the above notifications must be “in a form that is reasonably accessible to consumers,” so once you’ve updated your language, make sure your privacy policy/T&C page is easy to find and read on all devices.

Clear language and accessible information don’t just help you comply with CCPA: They also create a seamless experience for consumers as they navigate your site looking for information. (If you ask us, everything on your website should be clear, straightforward and easily accessible.)

Opt-Outs

If you are in the business of selling personal information, you must provide “a clear and conspicuous link” on your homepage, titled “Do Not Sell My Personal Information.” Clicking this link must take consumers to a page where they can opt out of having their information sold—and you can’t force them to create an account to do so. Again, this is a basic tenet of user experience: Label things clearly, and reduce friction so people can accomplish what they’re trying to do.

Response to Consumer Requests: I Want My Info

If California consumers request information about their personal data from you (like what you’ve collected, and when, and how, and who you’ve shared it with), here are the rules:

Response to Consumer Requests: Delete My Info

California consumers also have the right to request that you delete their personal information. If you receive such a request, not only do you have to delete that data, you must also direct any service providers you use to delete it from their records, too. But there are exceptions! You don’t have to comply with deletion requests if:

OK, what else do I need to do?

Transparency with consumers means you need internal transparency, too. Make sure you’re able to answer these questions:

Is CCPA the same as GDPR?

No, and not just because they apply to different territories.

When the European Union implemented its General Data Protection Regulation (GDPR) in May 2018, businesses and organizations had to make operational, technical and legal changes to ensure compliance. While GDPR and CCPA have the same intention—to increase transparency about data collection, and to strengthen consumers’ rights—their rules are different. So it’s not quite accurate to call CCPA “California’s GDPR,” but the good news is, if your business has already taken steps to achieve GDPR compliance, you’ve got a head start in preparing for CCPA.

The nonprofit Future of Privacy Forum and DataGuidance published this in-depth comparison of GDPR vs. CCPA (pdf warning).

Where can I learn more?

You should take the time to read the full text of CCPA, also known as AB-375. Consult an attorney for any specific questions about how this law might apply to your business.

The Future of Privacy Forum provides resources, whitepapers, news and analysis about privacy legislation and emerging technology. The Electronic Frontier Foundation’s Privacy section covers privacy from a citizen’s perspective, focusing on everything from legislative developments to RFID to online tracking. TechCrunch has written extensively about CCPA and its impact on businesses.