Is Your Digital Marketing Strategy Illegal Under the California Consumer Privacy Act (CCPA)?
Updated: Sep 12, 2019
The California Consumer Privacy Act (CCPA) is the first comprehensive data privacy law in the country. And mobile app companies, consumer-focused SaaS products, online bloggers, online stores and any other business using digital marketing or collecting consumer data online need to know whether this important law applies to them.
With GDPR-like qualities, the CCPA was specifically designed to restrict the unfettered monetization of personal data without consumer consent. This includes collecting consumer data for digital marketing purposes and using third-party cookies on your company’s website. Come January 1, 2020, certain businesses doing business with California residents, regardless of the business’s physical location, will be required to provide California consumers with rights over the handling of their data.
What’s at Stake
The CCPA is definitely not a law to be ignored. The law grants the California Attorney General authority to levy fines of up to $2500 for each violation per California resident affected and $7500 each for intentional violations. Just to put this in perspective, a single violation that affects 1000 California residents may have a potential fine of up to $2.5 million, or $7.5 million if it is deemed intentional. To say the least, non-compliance can be quite costly.
Significant Online Presence? The CCPA May Apply to You
The CCPA applies to businesses doing business in California, and distance may not be a barrier when it comes to who it applies to. Both the California Tax Code and Corporations Code suggest that an out-of-state company may be “doing business in California” if it repeatedly engages in transactions remotely or online with California residents for monetary gain.
So, if a Georgia business (this includes solo-preneurs or any for-profit entity) is doing business in California and collects, or has collected on its behalf, personal information of California residents, the CCPA may apply if the business:
1. Makes over $25 million per year;
2. Receives, buys, shares or sells for commercial purposes, the personal information of 50,000 or more California residents, households or devices; or
3. Derives 50% or more of its annual income from selling the personal info of California residents.
Criterion #2 is particularly noteworthy because it’s under this criterion that out-of-state small businesses with a significant online presence may end up having to comply with the CCPA. At first glance, 50,000 people, households or devices may seem like a massive number. But it may be easier to reach than you initially think.
Under the CCPA, the definition of personal information is quite broad. And collecting just the IP addresses of California consumers may be enough to cause the CCPA to apply. Basically, a Georgia-based mobile app, B-to-C SaaS product, online blogger, online store, online game, or any type of website for that matter, may hit the 50,000 threshold by having 137 unique California visitors a day visit its site over the course of a year.
And, if each California resident happens to visit a company’s site or use its mobile app with 2 different devices, then the company may reach the 50,000 threshold even faster.
The fundamental purpose of the CCPA is to give California residents certain rights over the data companies have on them, especially when companies gain benefits or make money off that data. Businesses that fall under the CCPA must provide those rights, some of which include:
Right to Know and Right of Access: Upon request, a business must disclose to a California resident, the categories and specific pieces of data it has collected on the resident, the sources of where the data came from, the purpose for collecting or selling the data, and the categories of 3rd parties the business shares the consumer’s data with.
Right of Deletion: Unless an exception applies, a business must delete a California resident’s data when requested by the resident and then instruct its vendors to do the same.
Right to Opt-out of Data Monetization: Under the CCPA, California residents can opt out of their data being sold. Selling is defined very broadly under the law and includes the transfer of personal data in any way, whether orally or in writing, for monetary gain or for any other benefit. A business that gains any benefit for transferring data to a 3rd party is required to disclose these practices and have a Do Not Sell My Personal Information button on its website homepage. In order to keep up with and respect the rights of all the Californians who opted out, the business will need to set up an appropriate back-office process.
Children Opt-in: Before monetizing any personal data of a minor, a business with knowledge of a child’s age is required to get permission to do so from minors ages 13 through 16 and from the parents or guardians of minors under 13.
Right to equal service: A business cannot discriminate against or penalize consumers who exercise their CCPA rights by denying them services or goods or charging them different prices. But (although it seems contradictory) the law permits a business to reward consumers who allow the business to use their personal data with an amount reasonably related to the value of the consumer’s data.
Data Security: Businesses are required to implement and maintain reasonable security procedures and practices to safeguard the personal information of California residents. Notably, the law now provides California residents a private right of action to sue businesses for data breaches caused by data security failures.
Tips to Prepare
The CCPA is a complex law that requires businesses to implement the right processes and technology in order to be fully compliant. The law goes into effect January 1, 2020, which is a little over 3 months away. Because of the risk of steep fines, compliance should not be ignored if the law applies to you. Here are some tips to start you on your compliance journey:
Know your data and landscape – Gain a thorough understanding of the data you collect, store and transfer. Map the flow of that data throughout your organization. Create a data map, data inventory and a GDPR-like records of processing document. If you’ve already done this for GDPR, update the documents for CCPA. Also identify the data of California residents, households and devices in your possession.
Develop your processes for providing California rights – This includes implementing a toll-free number and website address for California residents to use. You’ll also need a process for verifying identities, keeping track of consumer requests and honoring them.
Implement Technology – Put a “Do Not Sell My Information” button on your website if required. Implement the technology needed to facilitate compliance.
Get help – Seek out legal advice from a competent data privacy lawyer on whether the CCPA applies to your company and then have a compliance readiness gap analysis done. A gap analysis will analyze your current state of operation and determine what needs to be done to comply with the law. The gap analysis should also provide you a roadmap for compliance. You may want to also get the help of an attorney or consultant to help you implement the compliance roadmap.
If the CCPA applies to your company, the biggest key is to get started as soon as possible, even if you are already GDPR compliant. Any work you did to comply with GDPR will go a long way in speeding up the process, but it will not get you all the way there. There are significant differences between the two laws that will need to be addressed for your company to be fully CCPA compliant. And, depending on the complexity of your infrastructure, it may take the rest of 2019 to get it all done.
AdoLisa Ezeagu, Esq., CIPP/US is the managing attorney of Ezeagu Law Firm LLC, a boutique data privacy and cyber risk law firm. AdoLisa helps companies comply with privacy and cybersecurity laws and build legally-defensible programs. She can be reached at email@example.com.
NOTE: The contents of this legal blog post are for informational purposes only and should not be interpreted as legal advice.