July 6, 2018

Is the California Consumer Privacy Act of 2018 the American GDPR?


A ripple of fear always reverberates throughout the email industry when new legislation is passed that could limit the distribution of commercial email and the use of data. The California Consumer Privacy Act of 2018 (CCPA) is no different. Originally proposed as a statewide ballot by real estate developer Alastair MacTaggart, the CCPA focuses on giving consumers additional control over their data and how it can be collected, stored, and used by corporations. At the final hour, the state of California put forth a similar piece of legislation and MacTaggart’s bill was replaced. This legislation passed by unanimous vote in both the state’s House and Senate, and was signed by Governor Jerry Brown on June 28, 2018.

This new legislation brings together several pieces of privacy law previously missing in the United States, but present in other countries. Companies will now need to provide additional transparency regarding how they use the personal information of their clients. This includes the categories of information collected, its source, its purpose, any third parties accessing it, and the specific pieces of information the business collected about the consumer. The CCPA will come into effect on January 1, 2020, so businesses requiring time to update their processes and policies will have the next 18 months to identify the changes required to comply with this new law.

Does this all sound familiar? It should, thanks to all the recent news coverage of the General Data Protection Regulation (GDPR), which went into effect in the European Union 30 days prior to this law being passed. It’s even similar to parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

This legislation targets five key concerns when personal information is collected:

  1. Right to know what personal information is being collected
  2. Right to know whether personal information is sold or disclosed, and to whom
  3. Right to say “no” to the sale of personal information, including deletion of data
  4. Right to equal service and price
  5. Right to access their personal information

While this legislation has several similarities to GDPR, it’s not exactly the same. Here are some important differences:

California is a driving force in the world of digital, and the potential impact of this legislation would cement many ideals of GDPR, the OECD privacy framework, and digital rights for consumers in America. With the fifth largest economy in the world, California gets to carry a big stick and drive changes forward in America.

“Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information”
THE CALIFORNIA CONSUMER PRIVACY ACT OF 2018 – Sec 2 (1)

The CCPA also requires businesses to include an easy-to-find way for consumers to “opt-out” of data-sharing, and a link on a company’s homepage to a page titled “Do Not Sell My Personal Information.” If a consumer navigates there and requests that his or her information be kept private, the business must suspend any selling of that consumer’s information for 12 months and obtain clear consent authorizing the sale of their data in the future (after the year is over).

The CCPA mandates a series of penalties for businesses, starting with referring intentional violations not resolved in a satisfactory time frame to the Attorney General ($7,500 per violation). The legislation also allows for limited class settlements in the case of a data breach, ranging from $100-750 per incident, following a grace period in which the Attorney General could take action first.

What does this mean for digital marketers?

It is time to evaluate your business’s data collection and usage needs, especially if you’re reselling data or buying data from a third party. Consider what you need to disclose, how it should be disclosed, and how to manage consumer requests spurred by CCPA.

Hopefully your GDPR preparations answered many of these questions for you already. For example, during 250ok’s GDPR preparations we built self-service tools for our clients to manage requests to delete, export, and ignore future tracking of specific individuals by request into our systems. These tools are available in your account, and if you require help accessing or using these, please contact your account manager. These tools should help you manage the requests you could receive under CCPA, so get comfortable with them, as you’ll want to be in compliance here just as much as you want to be GDPR-compliant.

*Editor’s note: This is an opinion and should not be construed or understood as legal advice. Contact your legal representation for guidance on this matter.*

Author: Matt Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matt is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.
