The California Consumer Privacy Act (CCPA) is only six months away and yet only 14% of companies say they are fully prepared. If Europe’s GDPR is any guide, fewer than half of organizations will be ready on time. This is a significant issue, considering that 20% of privacy professionals expect their organization to pay over $1M to become compliant.
The ground-breaking law gives consumers broad new privacy rights and mandates how companies must manage, store and use customer data. Due to its broad scope and the state’s important role in the US economy, the CCPA will impact marketing organizations across the entire US and beyond if they manage data on California residents.
What’s about to change?
Inspired by GDPR, the CCPA will require organizations to manage the personal data of 12% of Americans in a whole new way. Consumer data collection will become much more complex and data privacy will become a significant issue. Beginning in January 2020, new obligations will require companies to:
- Disclose to consumers what data they collect and with whom it is shared or sold,
- Stop selling data if the consumer requests it,
- Delete data if the consumer requests it,
- Obtain explicit data collection opt-in for minors under the age of 16,
- Obtain parental consent for minors under the age of 13,
- Provide an easy mechanism for consumers to exercise their rights, including a free phone number and a prominent mechanism on their website explicitly labeled “Do Not Sell My Personal Information.”
Under CCPA, if consumers choose to exercise any of these rights, companies may not charge a higher price or offer a lower level of service (within reason).
Failure to comply with consumer requests can lead to large fines by the state attorney general, up to $7,500 per incident. In a state with a population of almost 40 million people, those penalties can quickly add up to many millions of dollars. Non-compliance is not a good option.
Which companies must comply with CCPA?
Regardless of where data is kept or the company is located, the CCPA applies to organizations with data on consumers in California that meet one of three criteria: have annual revenue of at least $25 million, buy data on 50,000 households, individuals, or devices, or generate at least 50% of their revenue from consumer data.
This captures a large number of marketing, technology, services and media companies, and many more. Certain exemptions are allowed, such as for healthcare providers and select others already covered by industry-specific data privacy requirements.
Data breach penalties can cost hundreds of millions of dollars
Under CCPA, companies can incur even more significant penalties for data breaches than for failure to comply with privacy rights. Consumers will now have the right to sue for data breaches, with a minimum of $100 per incident.
While that may not seem expensive, it can quickly add up to tens of millions of dollars, or even more. For instance, the Wall Street Journal reports that Quest Diagnostics recently experienced a data breach affecting some 12 million people. Had CCPA been in effect, it would have cost the company at least $144M in fines. The infamous Target data breach of 2013, which cost the company $18.5M at the time, would have been almost half a billion dollars under CCPA.
Uncertainty about the new CCPA rules
The CCPA is, without question, one of the most significant privacy regulations in the United States. Businesses and technology companies have raised concerns about uncertainties in the law and have actively sought to make amendments or exceptions to it. To date, none of the proposed changes have been incorporated. With only a few months left before the CCPA comes into force, it looks less and less likely that any significant updates will be made.
In addition, a number of other states are also considering their own versions of CCPA, setting up a potential hodgepodge of state privacy and accountability regulations across the nation. While there is some discussion of harmonizing rules through a comprehensive federal privacy law, the current political realities and coming presidential elections in the United States make it unlikely that any new federal regulations will be passed in the near future.
For better or for worse, companies must prepare for a set of complex regulations that give greater power to the consumer while holding organizations more accountable.
How marketing leaders can lead the way
Studies show that almost three-quarters of companies surveyed plan to invest in technology solutions to help them prepare for CCPA and seven in ten anticipate costs in excess of $100,000 to become compliant.
Rather than seeing CCPA as a mere compliance requirement, marketing executives seeking competitive differentiation can take advantage of the new law. A business can set itself apart by being proactive and transparent, increasing consumer trust and building greater loyalty. Companies can achieve this by:
- Proactively educating their customers about the law and their new rights,
- Updating privacy policies and providing a user-friendly summary up front,
- Reviewing information security and data collection practices, and considering whether to delete unnecessary data and encrypt sensitive or personally identifiable information,
- Asking customers to explicitly consent (opt in) to having their data shared, perhaps by offering some sort of discount or incentive,
- Reviewing their experience with GDPR as a useful guide to preparing for CCPA.
Organizations that are more transparent and proactive have the unique opportunity to set themselves apart in the coming era of data privacy.
Abdul Rastagar is director of product marketing at Veeva Systems.