July 6, 2018

Is the California Consumer Privacy Act of 2018 the American GDPR?

A ripple of fear always reverberates throughout the email industry when new legislation is passed that could limit the distribution of commercial email and the use of data. The California Consumer Privacy Act of 2018 (CCPA) is no different. Originally proposed as a statewide ballot by real estate developer Alastair MacTaggart, the core focus of the CCPA is to provide additional control over consumer’s data and how it can be collected, stored, and used by corporations. At the final hour, the state of California put forth a similar piece of legislation and MacTaggart’s bill was replaced. This legislation passed by unanimous vote in both the state’s House and Senate, and signed by Governor Jerry Brown on June 28, 2018.

This new legislation brings together several pieces of privacy law previously missing in the United States, but present in other countries. Companies will now need additional transparency regarding how they utilize the personal information of their clients. This includes things like the categories of information collected, its source, its purpose, any third parties accessing it and specific pieces of information the business collected about the consumer. The CCPA will come into effect on January 1, 2020, so businesses requiring time to update their processes and policies will have the next 18 months to identify the changes required to comply with this new law.

Does this all sound familiar? It should, thanks to all the recent news coverage of the General Data Protection Regulation (GDPR), which went into effect in the European Union 30 days prior to this law being passed. It’s even similar to parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

This legislation targets five key concerns when personal information is collected:

  1. Right to know what personal information is being collected
  2. Right to know whether personal information is sold or disclosed, and to whom
  3. Right to say “no” to the sale of personal information, including deletion of data
  4. Right to equal service and price
  5. Right to access their personal information

While this legislation has several similarities to GDPR, it’s not exactly the same. Here are some important differences:

California is a driving force in the world of digital, and the potential impact of this legislation would cement many ideals of GDPR, the OECD privacy framework, and digital rights for consumers in America. With the fifth largest economy in the world, California gets to carry a big stick and drive changes forward in America.

“Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information”

The CCPA also requires businesses to include an easy-to-find way for consumers to “opt-out” of data-sharing, and a link on a company’s homepage to a page titled “Do Not Sell My Personal Information.” If a consumer navigates there and requests his or her information is kept private, the business must suspend any selling of that consumer’s information for 12 months and obtain clear consent authorizing the sale of their data in the future (after the year is over).

The CCPA mandates a series of penalties for businesses, starting with referring intentional violations not resolved in a satisfactory time frame to the Attorney General ($7,500/per violation). The legislation also allows for limited class settlements in the case of data breach ranging from $100-750 per incident, following a grace period in which the Attorney General could take action first.

What does this mean for digital marketers?

It is time to evaluate your business’s data collection and usage needs, especially if you’re reselling data or buying data from a third party. Consider what you need to disclose, how should it be disclosed, and how to manage consumer requests spurred by CCPA.

Hopefully your GDPR preparations answered many of these questions for you already. For example, during 250ok’s GDPR preparations we built self-service tools for our clients to manage requests to delete, export, and ignore future tracking of specific individuals by request into our systems. These tools are available in your account, and if you require help accessing or using these, please contact your account manager. These tools should help you manage the requests you could receive under CCPA, so get comfortable with them, as you’ll want to be in compliance here just as much as you want to be GDPR-compliant.

*Editor’s note: This is an opinion and should not be construed or understood as legal advice. Contact your legal representation for guidance on this matter.*

Author: Matthew Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matt is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.

You may also like...

The Year in Email 2019

It’s hard to believe we are nearing the end of yet another exciting year in email, and 2019 proved to be one of the most momentous and active years to date. Over the past year, the number of new technologies, mergers and acquisitions, mailbox provider (MBP) announcements, news, and highlights is evidence of the versatility […]

[Infographic] Global Privacy Relationship Status: It’s Complicated

I recently gave a presentation on global privacy regulations to a post-graduate marketing class and one of the things I noticed while preparing was that even within a single country, privacy is complicated. On a global scale, it is really complicated. For example, Canada has one federal private sector privacy law, three similar provincial laws, […]

The Year in Email 2018

*Update: This article was featured on email influencer Jordie van Rijn’s emailmonday blog! To see it in action, plus a great round-up of other articles and thought leadership looking forward to the future of email, click here.* The Black Friday emails are deleted, marketers’ email lists are checked twice, we pretty much know which senders […]

Ready to get started?