On June 28, 2018, the California Consumer Privacy Act (CCPA) was signed into law by Governor Jerry Brown. You’ve likely heard of this act, but may be unsure as to how the CCPA will affect your website(s), your business, and most importantly, your customers.
Worry not! The Tag Inspector team is here to answer your questions and concerns as they relate to tag management and data collection across web properties. Let’s start with a quick guide to everything you need to know about the CCPA.
Note: The information contained in this article is provided for informational purposes only and should not be construed as legal advice.
What Is the CCPA?
The California Consumer Privacy Act affords Californians some basic rights as it pertains to their data and the privacy of personal information that can be collected and used by businesses.
When Does the CCPA Take Effect?
The CCPA goes into effect on Jan. 1, 2020, with enforcement beginning July 1, 2020. There is, however, an important provision in the law regarding access requests and requests about Personal Information collected from users that requires companies to provide the previous 12 months of data collected. As a result, you really need—at the very least—to have your data collection, sharing, and sale outlined and mapped ASAP.
Who Does the CCPA Apply To?
Regardless of whether or not your organization is located or headquartered in the state of California, the CCPA may still apply to your web properties. Simply put, the CCPA applies to businesses 1.) with consumers in California and 2.) that meet one of the following thresholds:
- Annual gross revenues in excess of $25 million;
- Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices;
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information
If your business meets any of the above three thresholds and interacts with consumers in California, you’re on the hook and need to account for the requirements in the law. Assuming you fall into this bucket, the law will be enforced against any business engaged in the following activities:
- Collecting a consumer’s personal information;
- Collecting personal information about a consumer or about consumers;
- Selling a consumer’s personal information or disclosing it for a business purpose;
- Selling personal information about a consumer to a third party
What is “Personal Information” under the CCPA?
Personal Information as defined in the California Consumer Privacy Act applies to a few explicitly-defined categories. It’s important to note that Personal Information under the CCPA is a much broader definition than what you would traditionally think of as “PII,” or Personally Identifiable Information. The relevant categories of Personal Information for marketing and advertising efforts on your digital properties are the following:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement;
- Geolocation data
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Basically any advertising, marketing, or analytics tag loading on your website is going to be collecting at least one data point that can be interpreted as falling into one of those above categories. For example, if you are using web analytics (such as Google Analytics or Adobe Analytics) to analyze user behavior on your website, you would be collecting “information regarding a consumer’s interaction with an Internet website, application, or advertisement.”
What are the Requirements Outlined by the CCPA?
There are a number of requirements for your business outlined within the CCPA. These all pertain to ensuring you are upholding the new privacy rights for California consumers.
Here’s a quick overview of what you’ll need to cover:
- Transparency: Consumers’ have the right to know what Personal Information is collected from them, how it is used, with whom it is shared, and where it comes from.
- Disclosure at or before the point of collection of Personal Information: Consumers on your website must be made aware that Personal Information as defined in the CCPA is being collected about them. This disclosure needs to be made at the very least on the “homepage” or landing page of the consumer.
- Disclosure in the Privacy Notice: The Privacy Notice on your website must contain some specific information related to the CCPA. This includes the following:
- A description of consumers’ rights to request Personal Information collected/shared/sold.
- A description of consumers’ rights not to be discriminated against for exercising any CCPA rights.
- One or more designated means for consumers to submit requests, including (at minimum) a toll-free number.
- A notice of the consumers’ right to request deletion of Personal Information collected/shared/sold
- Information about the transfer and sale of Personal Information to third parties.
- Specifics about the Categories of Personal Information collected/shared/sold.
- Mechanism to object to the sale of Personal Information: Consumers have the right to opt-out of the sale of their Personal Information. There must be a simple way for consumers to execute this request on your digital property.
What are the Penalties for Non-Compliance under the CCPA?
Penalties under the California Consumer Privacy Act aggregate per violation. A violation can be designated for each individual consumer record, and these compound. From an action handed down by the State of California, a non-intentional violation carries a fine of up to $2,500 per record. If the violation is found to be intentional, the fine can be up to $7,500 per record. The law also gives the right to individuals to file private actions, which can further drive up penalties.
Here’s a quick example to demonstrate the potential magnitude of these fines: Say your organization is found to be non-intentionally violating the law due to collection of Personal Information by an advertising platform running on your website without proper disclosure to your consumers. Assume you have had 100,000 users on your site from whom this information has been collected. This would translate to 100,000 separate individual violations. As a result, your fine for non-compliance could be up to $250,000,000. Many eCommerce websites see this level of traffic easily over the course of a couple of weeks. Simply put, these financial penalties are no joke!
An important note here: your organization, as the website owner, is responsible for all of the platforms collecting Personal Information from your users. This includes third-party tags that may be loading in (or piggybacking) others onto your site. Just because you may not be aware of the behavior today does not mean that you are not responsible. This is why it is critical to start the process with an audit. (If you’d like help with this, let us know—it’s what we do.)
Preparing for the CCPA
As you can see, it’s critical that your organization is prepared and compliant with the CCPA by the time it goes into effect at the start of 2020.
Curious about what to do to start the process of compliance for your web properties? Check out our webinar on May 29; during this session, I’ll walk through everything marketing and advertising professionals need to know about CCPA.
Contact Tag Inspector with CCPA Questions
Interested in getting started with a tag audit or simply want your CCPA questions answered? Contact the Tag Inspector team today.