The new law, which goes into effect on January 1, 2020, gives consumers the right to see and control how companies use their personal information. Under the CCPA, consumers will be able to request information from companies about how they’re using their personal info, request that their information be deleted, and opt out of the sale of information to third parties.
If a business doesn’t comply, they face fines from the state — but more ominously, consumers will be able to sue businesses for damages.
Note: The CCPA regulates cybersecurity as well as privacy, requiring businesses to put in place “reasonable security procedures and practices” to protect consumer data. For the purposes of this post, we’re going to focus on the privacy portion of the legislation.
Who’s really affected by the California Consumer Privacy Act?
While the requirements under the CCPA might seem relatively severe, lawmakers took steps to reduce the burden on SMBs that may not have the resources to comply.
To be subject to CCPA regulations, a company must be for-profit, must do business in California (more on that in a moment), and must meet any of the following criteria:
- Annual revenue over $25 million
- Receives the personal information of over 50,000 consumers each year
- 50% or more of annual revenue comes from selling personal information
What does it mean to "do business" in California?
Salted Stone is a proud California-based business (hello from sunny Monrovia!), but you don’t have to be based in Cali to be affected by CCPA regulations. If you sell goods or services to even one California resident, that’s considered doing business in California. Experts estimate that more than 500,000 U.S. businesses will be affected.
But my business doesn’t make $25 million a year…
Does that mean that you can just forget about the CCPA? Not if you want to maintain your customers’ trust.
It stinks that we have to make this distinction, but unlike some laws, the CCPA was actually supported by voters. A recent poll of likely 2020 voters in California revealed a whopping 90% of them want companies to do more to protect their personal information.
What does CCPA mean for marketers?
Even if your company doesn’t meet the CCPA criteria, you should consider taking steps to increase data privacy.
That might give some marketers pause. After all, for the past half-decade marketers have been in the business of data collection, using that data to improve lead scoring, automation, and personalization.
But marketers are also in the business of trust, and relationships, and giving consumers what they want. And it’s clear that (in California anyway), consumers want more data privacy. They want to be able to tell companies to stop selling their data without their permission.
How can businesses increase privacy protections?
Soapboxing aside, there was a reason for the revenue test in the CCPA: implementing a full-scale data privacy program is difficult and expensive (but if that’s what you need to do, a company like Salted Stone can help).
However, you don’t need to spend all that much to improve privacy for your leads and customers. Here are some smaller initiatives you can implement more-or-less immediately:
- Do a cybersecurity hygiene checkup. Make sure you and your employees are following best practices like using two-factor authentication, limiting access to sensitive consumer information, and not using the password “password.”
- Clean up your CRM. Delete contacts that haven’t had any activity for a couple years, contacts from purchased lists that you no longer use, and contacts whose email addresses/phone numbers are no longer active.
- Reconsider what information you really need to collect.
- Send a retroactive opt-in email. An email blast that gives users the option of opting out of communication from your company might seem counterintuitive, but it can actually be a way to re-engage lost leads while removing contacts who don’t care about your business anyway (and might be marking you as spam).
The California Consumer Privacy Act might not apply to your business, but that doesn’t mean you can ignore it’s requirements. 90% of California voters want more data privacy — it’s on marketers’ to give it to them, whether the law requires it or not.