The tide of data privacy and security laws that has been sweeping the globe is about to wash ashore in the United States with the CCPA. Are you ready for it?
U.S. email marketers have been subject to CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) since 2004, but the law doesn’t specifically address data privacy and security.
That will change – somewhat – on Jan. 1, 2020, when the most comprehensive consumer data privacy law in the United States – the California Consumer Privacy Act (CCPA) – goes into effect.
Even if you – meaning your company and any departments, divisions or subsidiaries – aren’t based in California, you still have to obey the law if you hold data, including email addresses, on California residents.
If this sounds familiar, it’s because your data practices also have to stand up to scrutiny under GDPR (the EU’s General Data Protection Regulation) and CASL (Canada’s Anti-Spam Legislation), even if your company is US-based. Both laws apply to companies and other organizations beyond their borders that hold data on their residents.
As a marketer and guardian of company data, take time now to learn how the law affects you and what you need to change in the ways you store, protect and share consumer data.
What is CCPA?
It’s a California state law that focuses on individual consumer rights, governing how data is to be shared, stored and accessed. These four basic rights in the law have marketing implications:
- The right to know. Residents can find out what personal information you have on them, whether you sell or share it and who can access their data by requesting it via phone, email or letter. See the list of covered data in the next section.
- The right to refuse. Residents can opt out of the sale of their personal data. For minors the default flips to opt-in: you can’t sell the data of anyone under 16 without affirmative consent, given by the minor if they are 13 to 15 and by a parent or guardian if they are under 13.
- The right to be forgotten. They can request that you delete most kinds of personal information, with exceptions including transactions, past business relationships, research, and any data needed to exercise free speech or to comply with other laws.
- The right to equal service. You can’t refuse services, charge higher prices or otherwise treat customers differently if they opt out of sharing or selling their data or want it all deleted.
Two things CCPA doesn’t do: mandate opt-in as the standard for collecting data such as email addresses, or give individuals a general private right of action – the ability to sue a company directly – over privacy violations. The one exception is security-related: a consumer whose unencrypted personal information is exposed in a breach caused by a business’s failure to maintain reasonable security can sue directly, with statutory damages of $100 to $750 per consumer per incident. Every other violation is enforced by the California Attorney General, much as CAN-SPAM is enforced only by government agencies.
Does the law apply to you?
Given that California has an estimated 39.8 million residents – roughly 12 percent of the U.S. population – it’s pretty much a lock that you have Californians in your database, whether or not you know who they are. You must comply if your company is for-profit and it meets at least one of the following conditions:
- Your business’ annual revenue is over $25 million.
- Your business receives information of over 50,000 consumers, households, or devices annually.
- At least half of your business’ annual revenue comes from selling personal information.
What data CCPA covers
The law applies whether you paid for the data or acquired it for free. These are some of the data categories:
- Real names or aliases
- Postal addresses
- Email addresses, IP addresses and other online identifiers
- Account names
- Social Security, driver’s license and passport numbers
- Product or service purchasing, browsing or consumption records or history
- Location data
3 steps to prep for CCPA
Start by reading up on the law. Talk to your IT or legal departments to see what they recommend. Your email service provider should have resources that cover the law and what you should do to be ready for it when it goes into effect on Jan. 1.
Chris Arrendale, with Inbox Marketer, has created an excellent 10-step action list to prepare for CCPA. Here are three from his list that you can begin working on now to comply not just with CCPA but with other state laws governing data acquisition, protection, security and sharing:
1. Audit your email data to find location data.
If you don’t have up-to-date location data on your customers, assume for starters that they all live in the Golden State. But try to get a fix on location data, whether you have to combine records, do a little detective work based on IP addresses or other geolocation data, or use a permission-based postal append service to fill in the blanks. IP geolocation is approximate (VPNs, corporate proxies and mobile carriers all skew it), so treat it as a hint to be confirmed, not as proof of residence.
2. Add an opt-in form that can serve up different versions to accommodate local requirements.
Your form could require each subscriber to indicate state or country of residence before processing. This would satisfy the need to get an explicit opt-in from residents in EU countries, Canada or other locations that mandate an active rather than passive (pre-checked box) opt-in as well as getting location data that could help you comply with other state privacy laws now being considered.
If you think that could reduce opt-ins, account creation or other acquisition efforts, you could ask for the location in a follow-up message instead, accepting that fewer people will answer and your location data will be less complete.
3. Prepare for the “right to be forgotten.”
California residents can ask you what data you have on them and to delete some (but not necessarily all) of it. First, find out what data you can keep. Then figure out how you’re going to handle those requests and what effect removal will have on your business. Because the law only obliges you to act on a verifiable consumer request, decide up front how you will confirm that the person asking is the person the data describes before you disclose or delete anything, and keep a log of each request and what you did with it.
Plan on taking a multi-channel approach, using print, phone, email and web forms to manage requests; the law as enacted requires at least two request methods, including a toll-free phone number. Post explicit directions on your website, in print and email messages and anywhere else where you request personal data.
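The three steps above describe one data-handling procedure: find out who must be treated as a Californian, serve the right consent variant, and honour deletion requests without discarding records you are allowed to keep. The Python below is an added example, not code from the article or from Inbox Marketer’s list. The geolocation table, the shortened EU country set, the sample subscribers and the retention rule for order records are all constructed for illustration; a real deployment would use a GeoIP database, a complete country list and retention rules signed off by legal.

```python
"""Added example: triage a subscriber list for CCPA readiness.
Step 1 location audit, step 2 jurisdiction-dependent consent mode, and
step 3 a verified deletion request that keeps retainable records.
All tables, names and sample records are constructed assumptions."""
import hashlib
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for a GeoIP database (documentation-only IP ranges).
# Real lookups are approximate, so an IP-derived location is a hint, never proof.
IP_TO_REGION = {
    ip_network("203.0.113.0/24"): ("US", "CA"),
    ip_network("198.51.100.0/24"): ("US", "TX"),
    ip_network("192.0.2.0/24"): ("DE", None),
}
EU_COUNTRIES = {"DE", "FR", "IE", "NL"}  # shortened list, assumption for the example
# Categories the article says may be retained after a deletion request (assumed mapping).
DELETION_EXEMPT = {"orders": "completing a transaction / business record"}


@dataclass
class Subscriber:
    email: str
    name: str
    country: Optional[str] = None   # ISO 3166 code declared on the form; note "CA" is Canada
    state: Optional[str] = None     # US state code, so ("US", "CA") is California
    last_ip: Optional[str] = None
    browsing: list = field(default_factory=list)  # deletable personal data
    orders: list = field(default_factory=list)    # transaction records: retainable


def locate(sub: Subscriber):
    """Best-known location as (country, state, source). Declared data wins over
    IP inference; unknowns default to California, as the article advises."""
    if sub.country:
        return sub.country, sub.state, "declared"
    if sub.last_ip:
        try:
            addr = ip_address(sub.last_ip)
        except ValueError:          # malformed IP in the record: treat as unknown
            addr = None
        if addr is not None:
            for net, (country, state) in IP_TO_REGION.items():
                if addr in net:
                    return country, state, "ip"
    return "US", "CA", "assumed"


def consent_mode(country, state):
    """Which signup-form variant to serve (simplified rule set, an assumption)."""
    if country in EU_COUNTRIES or country == "CA":   # GDPR / CASL: active opt-in
        return "explicit_opt_in"
    if country == "US" and state == "CA":            # CCPA: notice plus opt-out of sale
        return "notice_and_opt_out"
    return "notice"


def audit(subs):
    """Step 1: count who must be treated as a California resident, and why."""
    out = {"declared_ca": 0, "ip_ca": 0, "assumed_ca": 0, "other": 0}
    for s in subs:
        country, state, source = locate(s)
        if country == "US" and state == "CA":
            out[f"{source}_ca"] += 1
        else:
            out["other"] += 1
    return out


def deletion_request(sub: Subscriber, verified: bool):
    """Step 3: act only on a verified request. Personal fields are cleared,
    exempt categories are kept, and a receipt records what happened and why."""
    if not verified:
        raise PermissionError("deletion requires a verified consumer request")
    receipt = {"deleted": [], "retained": {}}
    for fld in ("name", "country", "state", "last_ip", "browsing"):
        if getattr(sub, fld):
            receipt["deleted"].append(fld)
        setattr(sub, fld, [] if fld == "browsing" else None)
    if sub.orders:
        receipt["retained"]["orders"] = DELETION_EXEMPT["orders"]
    # Design choice: keep a one-way token of the address so the person can be
    # kept on a suppression list without storing the address itself.
    digest = hashlib.sha256(sub.email.lower().encode()).hexdigest()[:16]
    sub.email = "deleted:" + digest
    return receipt


if __name__ == "__main__":
    sample = [  # constructed records
        Subscriber("a@example.test", "A", country="US", state="CA"),
        Subscriber("b@example.test", "B", last_ip="203.0.113.9"),
        Subscriber("c@example.test", "C", last_ip="192.0.2.5"),
        Subscriber("d@example.test", "D"),
    ]
    print(audit(sample))
    print(deletion_request(sample[0], verified=True))
```

The audit report distinguishes declared, inferred and assumed Californians so you know how much of your exposure rests on the “treat unknowns as California” default, and the deletion receipt is what you would file with the request log the step above calls for.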
Is a federal law coming?
Remember when CAN-SPAM was enacted after a spate of states created their own laws governing commercial email? The same thing is happening now with privacy.
Besides California, nine states including Washington, Massachusetts, Illinois, New York and Texas are amending state laws or creating new ones to cover data privacy and security, especially covering data breach notifications.
Not all of these states have laws that are ready to go into effect. The New York Privacy Act, considered even tougher than California’s, failed to find a state Assembly sponsor in the current legislative session but could return. Nine bills have been introduced in Congress, but none has gone past preliminary committee hearings.