July 1, 2019 

A Marketer’s Quick Guide to the CCPA

Q: The CCPA (California Consumer Privacy Act) is focused on preventing the collection and sharing of consumer data without the knowledge or permission of consumers. A big question regarding the CCPA for marketers is whether we will still be able to collect the data necessary to create targeted ad campaigns?

A: This will depend largely on marketing companies taking the necessary steps to make sure that they, or their data providers, have all the CCPA-required disclosures and opt-out options on their websites and that they not only post but follow the CCPA-required privacy notices.

Essentially, the CCPA requires that companies disclose what personal data they are collecting and the purpose for its collection at the point of collection. It also requires that companies give California consumers the option to opt out of having their information sold and to request deletion of their information. Given these rules and the expanded definition of personal data included in the CCPA, it is highly unlikely that data collection for targeted ad campaigns, as currently run, will be compliant.

Taking the approach of “privacy by design”—in which marketers become proactive as opposed to reactive regarding privacy—can make CCPA compliance not only simpler but decrease privacy compliance costs for marketers in the future. Marketers should begin looking at how they collect and share data in the creation and deployment of a targeted campaign—consumers’ interaction with websites, apps, and ads is considered protected personal information under the CCPA. In the wake of the CCPA and Europe’s GDPR, this appears to be the direction that other state, and potentially federal, laws are headed. A company that deploys a marketing strategy first while considering consumer privacy as only a secondary concern is going to find itself unable to adapt to the changing privacy landscape.

Q: It is my understanding that there may be the option to skip the deletion of certain data—even under request. Is this an accurate claim, and does it give the potential to push the boundaries of data collection and/or sharing a little?

A: It is correct that companies do not necessarily have to delete all consumer information when requested to do so. In fact, some commentators have expressed the opinion that the exemptions may swallow the rule, making it a rule of data use limitations rather than data deletions.

Some examples of deletion exemptions under the CCPA include data needed:

  • to complete the transaction for which the data was collected,
  • to provide a service requested by or perform a contract with a consumer, and
  • to fulfill legal obligations (for example, when a business is required to maintain certain records for a
  • statutory period that has not yet expired when the deletion request is received).

For marketers that are handling third party or non-client data, the situations in which these exemptions could apply are going to be more difficult to establish. One of deletion exemptions most relevant to marketing companies may be the maintenance of information to detect security incidents or to protect against fraudulent or illegal activity.

While a company is not required to delete all data for every request depending on the applicable exceptions, any company considering ‘pushing the boundaries’ should be wary. The CCPA has serious consequences for violations, and those consequences increase if a violation is deemed intentional. For a more complete description of exemptions to data deletion requests, click here.

Q: Are there aspects of the CCPA that are particularly applicable to marketing companies?

A: Because marketing companies potentially interact with consumer data at every stage of its collection, storage, processing, and use, they may be engaging in activities that would qualify them as not only businesses but also as service providers and potentially as third parties under the CCPA.

For example, a marketing company that directly collects consumer information and also decides how to process or otherwise use it is a business under the CCPA if it meets the other thresholds (see the free quiz here to find out if you need to comply as a business under the CCPA). Being a business under the CCPA carries with it the highest CCPA burdens of full compliance.

Companies that only collect information on behalf of clients may qualify solely as service providers if they have a written contract prohibiting them from processing or otherwise using the data for any purpose other than the specified contractual one. Service providers are not, under the CCPA, required to follow all aspects of the law (for example, they need not provide consumer opt-out buttons on their websites). However, they are required to enter into contracts in which they bind themselves to adhere to deletion and do not sell requests that are sent to them by the companies they service.

Finally, marketing companies may be treated as pure third parties if they do not have CCPA-compliant service provider contracts in place and are buying consumer personal information (keep in mind that the CCPA’s definition of “selling” is very broad.) If a marketing company has or uses data that was sold to it, the company cannot resell that information unless the consumer has received explicit notice and the opportunity to opt-out of that resell.

Q: With the potential for fines or penalties that may come with non-compliance, is it fair to say that any small dents in annual revenue will be outweighed by avoiding such fees?

A: Compliance is definitely the smarter choice although the dents to annual revenue may not be as large for some companies as for others. Those companies whose main revenue source is consumer data will certainly be hit hardest since their potential data sources will shrink if a significant portion of California consumers (a large population) begin requesting data deletions and they and their partner companies must enter into new compliance regimes to account for CCPA requirements.

Potential fines for noncompliance are among some of the highest marketing firms could face. The more data a company has, the higher potential damages could be.The cost for noncompliance is not one a company should court, particularly since any violation deemed intentional carries the highest penalty of $7,500 per violation, which could be counted on a per consumer basis. For CCPA violations related to security breaches, consumers also have the right to pursue actual or statutory damages, whichever are greater. Statutory damages range from $100-$750 per consumer, per incident. Facebook, for example, has an estimated 24.6 million California users. An intentional violation of the CCPA could result in a rough maximum penalty of $184.7 billion ($7,500 per user) being imposed by the AG’s office while a CCPA security violation could result in a rough minimum penalty of $2.4 billion ($100 per user).

For some, the greatest threat to revenue will come in the form of clients choosing to go elsewhere if a marketing company is non-compliant. A compliant business will hesitate to work with a non-compliant marketing company that could threaten its compliant status. If marketing companies are not CCPA-compliant, either with the data they themselves collect or in their capacity as service providers or third parties, they are likely to see a drop-off in business as their clients look for other companies that will operate within the strictures of the CCPA.

Q: Is it accurate to say the CCPA is an anti-spam law? And if not, what are the differences?

A: CCPA is not an anti-spam law although there are some similarities. Unlike anti-spam rules, the CCPA focuses on consumers’ control of all of their data, not only the ability to opt-out of mailings. Under both laws, companies are required to adhere to opt-out requests from consumers. Anti-spam legislation requires things like transparency in the header, sender, and subject-line information in emails and clear unsubscribe options in email footers. The CCPA will require covered businesses to have an opt-out of sale button on their homepages and to provide consumers with information regarding what categories of personal information are being collected, how personal information is used, and its business purpose. Under the CCPA, once a consumer requests that their data not be shared, the company cannot request permission to share the data again until a year has passed.

Q: So how do we toe the line between remaining CCPA compliant and still collecting the data necessary for our campaigns?

A: A privacy plan is necessary for every company that deals in consumer data, and that need will only grow as other states and potentially the federal government pass their own versions of the CCPA. If a marketing company is operating without one, it should do an assessment and get started. The first thing to do is determine your goal in data collection. In the past, “more is better” has, for many companies, been the rule of thumb in data collection. That is not going to work anymore. Companies need to have a reason for the data they collect.

Wholesale, purposeless collection and storage doesn’t work under the CCPA—it complicates compliance and makes it more difficult for a company to use the data it does need to collect. Once a company has determined its purpose in collection, it should begin its CCPA compliance by creating a data map. When that exercise is complete, companies may want to consider ending some of their collection practices that bring in extraneous information. Having a lean, purposeful collection practice will both simplify compliance and lower compliance costs. As a value-add to the business, it will also help a company find ways to more purposefully and efficiently use the information it does have (a shocking number of companies do not even know the types of information they have been collecting, storing, and never using until they engage in the data mapping exercise). Click here to see how SixFifty can assist you with data mapping.

Given that there is some suggestion that similar bills will eventually be introduced in many other states — and a similar privacy law (the GDPR) is already in place in Europe — it seems like it is a good idea to become compliant, regardless of whether or not you already do business in California. Is that true?

Becoming compliant now could help companies in several ways. Marketing companies, in particular, deal in data. A company that does not currently meet the threshold number of 50,000 consumers or households could easily reach that number long before it approached $25 million revenue mark. Currently, there is no guidance on how long a company will have to come into compliance once it meets one of the CCPA applicability thresholds. Preparing now for future compliance needs is a safe approach that a company could also use as a positive marketing technique with clients. The knowledge that your marketing firm is compliant could help potential clients feel more confident in the knowledge that the consumer data they want and need to collect will be protected at all stages, even if your company has a small enough annual revenue and/or California footprint to avoid compliance if it wished.

It seems like there is a lot to get done before the law goes fully into effect? Realistically, is there enough time to get everything in order before then?

That is where SixFifty comes in. A company using our tools can go through the documentation and consumer request management portal in as little as a day. The CCPA-required training can roll out to their employees the next day through our portal, and our data mapping tool can quickly organize your data into information easily linked to CCPA disclosure, opt out, and deletion requirements. Click here for more information on how SixFifty can help you comply with the CCPA.