How marketers can crack the code on California’s version of GDPR
On the heels of the European Union’s General Data Protection Regulation (GDPR), which took effect in 2018, marketers are now tasked with adhering to U.S. privacy regulations under the California Consumer Privacy Act (CCPA). Beginning Jan. 1, 2020, the groundbreaking legislation will secure new privacy rights for California residents regarding data collection and the sharing or sale of their personal information. According to a Standardized Regulatory Impact Assessment for CCPA regulations, the legislation will protect an estimated $12 billion worth of personal information used for promotional purposes in California each year.
Draft regulations released in October by California Attorney General Xavier Becerra show that under the CCPA, consumers will have the right to request that their data be deleted, as well as the right to opt out of the sale or sharing of their personal information. When a consumer executes these rights, that individual also has the right to non-discrimination in terms of price or service. To abide by these new regulations, businesses subject to the CCPA will be required to disclose their data collection and sharing practices to consumers, and to maintain records of requests and how they responded for 24 months to demonstrate their compliance.
When it comes to event marketing, the legislation’s impact will extend well beyond California. Indeed, any business subject to the CCPA that hosts California residents, either at an event (in-state or out) or on its website, must comply with the new regulations.
As with any new legal framework, navigating the CCPA can be tricky, so we tapped Dr. Iga Kozlowska, Ph.D., privacy manager at Microsoft, to analyze the legislation and how it applies to event marketers. Following are four key insights gleaned from our conversation.
1. NOT ALL COMPANIES ARE SUBJECT TO THE CCPA
The CCPA doesn’t apply to all businesses. Companies are subject to the CCPA if one or more of the following is true: the business has a gross annual revenue in excess of $25 million; the business buys, receives or sells the personal information of 50,000 or more consumers, households or devices; or the business derives 50 percent or more of its annual revenue from selling consumers’ personal information. But wait, there’s more. Companies that handle the personal information of more than four million consumers will have additional legal obligations under the new regulations.
2. THE CCPA MARKS A TURNING POINT IN U.S. PRIVACY REGULATIONS
The United States has historically lagged behind the EU when it comes to consumer privacy regulations. While there are still no federal-level U.S. privacy regulations in place, the CCPA marks a pivotal shift in the country’s approach to the matter, and other states are following California’s lead.
“This is the first state law in the U.S. that governs, more broadly, how companies are to process personal data within their company and then in how they deal with their third-party stakeholders,” says Kozlowska. “And there are other state-level laws that are in the works in Massachusetts, New York and Washington state. So there’s definitely a lot of movement in this area.”
3. THE REGULATIONS CONTAIN AMBIGUOUS LANGUAGE
Under the California Consumer Privacy Act, businesses are required to permit consumers to opt out of the sale or sharing of their personal information with third parties, but the definition of the term “sale” is still ambiguous.
“What is really interesting about the CCPA is it focuses on the aspect of the selling of personal data, but I think it’s unclear in terms of enforcement,” says Kozlowska. “What would be considered a ‘sale?’ As it is right now, the term is defined pretty broadly as the sale of personal data for money or ‘valuable consideration.’ That broadens in scope a little bit. So right now, companies are still trying to identify scenarios where they have personal data that they may share with a third party that might be construed as either selling or getting some sort of consideration for sharing that data.”
The meaning of “personal information” is also somewhat vague. According to Kozlowska, the CCPA lists “household data” as a form of personal information, but doesn’t distinguish what constitutes personal information related to a household vs. a person.
4. THERE’S A DIFFERENCE BETWEEN SERVICE PROVIDERS AND THIRD PARTIES
The most important step event marketers can take in preparation for the California Consumer Privacy Act is to determine whether they’re in scope of the law, and if so, to determine if they are technically selling the personal information of consumers. It’s a complex piece of the puzzle, particularly for brands hosting events in which they partner with sponsors or exhibitors.
“If you’re sharing personal data for the purposes of hiring a vendor that’s going to help you put on your event, or maybe deliver food, then that’s not in scope because they’re, as the CCPA calls it, a ‘service provider,’ which is actually analogous to the GDPR’s definition of data processor,” says Kozlowska. “So if you’ve done the GDPR work, then [you can say] ‘OK, these are the data processors or vendors that we hired that act and process personal data only on our behalf.’ Then you can exclude that whole piece of it. But if you are placing ads or doing some kind of data collection in your customer relationship management system, and then sharing that data with a third party for targeted advertising or something like that, then that’s definitely in scope.”
No doubt about it—the CCPA will come with a steep learning curve for marketers. But in preparing for this landmark piece of legislation, marketers will be better equipped for what ultimately may be a wave of changes nationwide in 2020… and beyond.
*Editor’s Note: Iga Kozlowska’s opinions are her own, and do not represent Microsoft’s views.
Secondary photo courtesy: Californians for Consumer Privacy