I’ve had an opportunity to speak at several user groups and regional community events about GDPR, and the one question that always comes up is:
“When is this coming to the dear old US of A?”
Honestly, the U.S. has been pretty lax compared to the rest of the world when it comes to online privacy regulations.
Heck, CAN-SPAM doesn’t even require opt-in consent (although most ESPs require it of their customers.) My response to the above question has usually been something to the tune of:
“Yeah someday… but don’t hold your breath.”
Color me surprised, though. Last week, a bill quickly made it through the California state legislature that suggests this tide might be changing. (Quickly meaning in less than a week — this thing was fast tracked, big time.)
Why California adopted a “mini GDPR” & what Pardot admins should do next
The California Consumer Privacy Act of 2018 (CCPA) has been touted as a “mini GDPR.” It doesn’t go into effect until 2020, and you can count on all kinds of stakeholders in the business community to push back… so it may evolve in the process of being implemented.
At a high level, the law states that consumers have rights to know and control how their personal data is used. Specifically, it lays out rights of individual consumers to:
- know whether their personal information is sold or disclosed
- require companies not to sell their personal data
- request that a business delete their personal information (with some exceptions)
- be treated equally and without discrimination if they choose to exercise their CCPA-protected rights (i.e. they can’t charge you more or deny service if you assert your right to privacy)
What info is covered under CCPA
GDPR’s definition of “personal data” is sweepingly broad. The fact that my favorite color is green is protected under that legislation.
California’s definition of personal data is also pretty darn broad. Of course, the basics like name, email, SSN, address, etc. are covered. Additionally, things like:
- Browsing history
- Sales data
- Property ownership
- Buying preferences
- Advertising engagement metrics
- …and a lot more is covered.
Any information that is de-identified or publicly accessible is NOT covered under CCPA. The definition of info falling in this category is that which is:
“Lawfully made available from federal, state or local government records or that is available to the general public.”
An interesting twist is that the Act explicitly allows companies to:
“offer financial incentives, including payments to consumers as compensation”
…in exchange for the ability to sell their information. Curious to see how that one plays out.
Who needs to comply with the CCPA
The CCPA covers a much smaller subset of businesses than GDPR. First, it only applies to companies that do business in California. Additionally, a business must meet at least ONE of these three criteria:
- Grosses $25M in annual revenue
- Holds the data of 50K or more people/households/devices
- Makes at least half of its revenue by selling personal data
There are a series of exemptions to this as well:
- Healthcare data governed by HIPAA
- Consumer data covered by the Fair Credit Reporting Act
- Info collected under the Gramm-Leach-Bliley Act (yeah, I had to Google that one. It’s a federal regulation that applies to banks and insurance companies.)
- Anything needed to complete transactions, detect security incidents, comply with state and federal laws, conduct research, etc.
There are also exceptions for “internal” uses of data that are:
“Reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”
Wait, why do I care about California?
California tends to lead the nation in consumer protection. The fact that they’re taking this kind of action means other states are likely to follow suit at some point.
And of course, practically speaking, 36 million people (12% of the US population) reside in California, so many businesses nationwide will be impacted.
What happens if I just ignore CCPA?
Well… it’s up to the California AG to enforce the law for the most part, but there’s a private right of action clause for certain types of breaches. This is reminiscent of the piece of CASL that was suspended last year that allowed individual citizens to press charges against companies violating the law.
For privacy breaches, only the AG can initiate enforcement, and fines are up to $7,500 per violation. The business has 30 days as a “right to cure” to address the issue before fines set in.
For security breaches, the AG or private citizens can press charges, and the fines stipulated are:
“In an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”
Okay, what do I have to do next?
There are 18 months before this goes into effect. So no need to make any rash, sudden movements. But if you’ve been on the fence about actually complying with GDPR… well, there are 36 million more people on U.S. soil that will soon be asserting similar rights.
My near-term recommendations would be to:
- Document your practices for capturing subscribers and managing lists
- Set up an email preference center to ensure you’re sending people things they want
- Evaluate a double opt-in process to ensure your subscriber list is truly engaged and interested in hearing from you
- Implement an archiving strategy to “sunset” people that aren’t engaging with you
- Clearly communicate privacy policies (in actual English, not legalese)
- Consider getting an attorney involved to help you understand your risk/exposure in the geographic areas where you’re doing business
A lot of the CCPA is open to interpretation and will certainly be challenged in court. But the trend here is clear — people want to have a better understanding of how their data is used and why, and have the ability to reclaim control of how it is used.
It’s an interesting time to be in the wonderful world of marketing automation, that’s for sure.
What’s your stance on these new and somewhat vaguely defined compliance requirements? Any reactions or opinions on the new legislation in California?
Let me and your fellow readers know in the comments!