The California Consumer Privacy Act (CCPA) has many companies in the U.S. scrambling to figure out whether and how to comply when the law goes into effect on January 1. It explicitly covers for-profit companies doing business in California or with California residents.
The plain language of the statute says one or more of the following conditions must apply to companies for them to be covered by the privacy law:
- Has annual gross revenues in excess of $25 million;
- Possesses the personal information of 50,000 or more consumers, households, or devices; or
- Earns more than half of its annual revenue from selling consumers’ personal information
This would appear to exempt companies that don’t fall into these relatively clear categories. However, that may not necessarily be the case. I asked several companies and experts for their responses to the question, “Which (types of) companies can confidently ignore CCPA?”
Some probably can but shouldn’t, was the consensus.
Questions for agencies
“One area where the verdict is still out is how CCPA will impact large agencies because of the issue of data ownership,” said Noah Jacobson, SVP of Corporate Development, TapClicks. “Does the responsibility rest on the shoulders of agencies themselves or their clients? For example, a brand might fall under the CCPA threshold and would not have to meet any of the new regulatory requirements, but if an agency has multiple accounts like this, the volume of customer data can quickly surpass the 50,000 threshold. Will that agency then, along with all the clients/brands it represents, have to take action in order to comply?”
CCPA is the beginning
“With CCPA looming in 2020, many companies large and small are evaluating if it applies to them and, if so, how they will be complying with the law,” said Justin Scarborough, programmatic media director, PMG. “The short answer is that any organization that collects any amount of personal data from California residents — be it as innocuous as a cookie or device ID or as robust as customer information — and does any business in the state of California or with California residents will almost assuredly be subject to the regulation.”
“Additionally, our point of view is that CCPA is only the first step in a journey toward more GDPR-style regulation at a national level. Nevada already enacted a similar measure and numerous other states will be addressing comparable legislation in 2020,” said Scarborough. “These state laws will likely pave the way for federal regulations that will apply to all US residents, not just those of a single state. This is why we are urging our partners and customers to have a long-term vision and strategy for handling and processing customer data beyond CCPA. We believe it is important to consider long-term, scalable solutions that address this issue beyond 2020 and across all markets.”
If your business is online at all, pay attention
“The only companies that can confidently ignore the CCPA are businesses with no online footprint whatsoever, no loyalty program, no email marketing, no system of digital record-keeping — nothing,” said Cillian Kieran, CEO and founder, Ethyca. “If you’re a dog walker that posts local flyers to reach clients, if you’re an independent mom and pop corner store that processes credit cards manually, maybe you can afford to completely ignore CCPA. Otherwise, even if you fall below certain threshold criteria, you have to look at how the wind is blowing.”
“The public frustration, the regulatory energy, and the proliferation of tools to help you comply all point to the same thing: the penalties for getting privacy wrong will grow and the equity gained from employing good privacy practice will also grow,” Kieran added. “In the end, I don’t believe that regulators will be the strongest enforcers of privacy compliance. I believe customers will vote with their feet.”
Massive cultural, regulatory shift
“I don’t think any companies should ‘ignore’ the CCPA because privacy is not a trend that is going away. As an experienced CMO, and as any experienced executive should see, I believe there has been a massive shift in the landscape around privacy and companies must pay careful attention to the law as well as to the overarching cultural climate,” said Norman Guadagno, CMO of Acoustic. “This is not a time for any business to ‘ignore’ this issue or the regulations emerging.”
“Instead, brand marketers – whether or not they’re currently doing business in California – should be putting their own systems in place that are transparent and respectful of customer privacy as opposed to taking a wait-and-see approach when it comes to privacy issues,” said Guadagno. “Trying to circumvent the CCPA now will ultimately be fruitless as future privacy regulations, many of which are already under review with other state legislatures, are inevitable.”
“As consumers become more educated on where their data lives, they will begin to, as they already have, invest in brands that respect their privacy and are transparent about how they use personally identifiable information,” Guadano predicts. “The brands that will succeed in a future where data and privacy are top-of-mind for customers are the ones that are already being proactive and updating outdated privacy policies, whether or not they’re legally required to do so.”
Guadano went on to say that, “Despite the air of uncertainty from the marketing and advertising industries, I actually believe the CCPA will benefit marketers by forcing them to find new ways to drive loyalty without jeopardizing customer privacy. According to Acoustic’s own research, privacy regulations are pushing brands to have an increased focus on list hygiene and higher-quality subscribers, thus improving email marketing campaign targeting and increasing success rates.”
He noted that Acoustic’s 2019 Benchmark Report found open rates climbed 14% and click-through rates increased by 19% between 2014 and 2018, “which indicates to me that privacy regulations are benefitting marketers already, even though the first U.S. privacy law has not even come into effect yet. I predict even more beneficial changes once these regulations begin to roll out, beginning with the CCPA in January 2020.”
Think “privacy forward”
Studies in Europe have shown that adherence to GDPR privacy rules has not hurt firms doing business in the EU. In fact, it appears to have had the opposite impact — helping them outperform their non-compliant peers. By extension there could be a similar benefit for CCPA-complaint companies in the U.S.
However, whether or not CCPA technically applies to your brand or agency, comprehensive federal privacy legislation is probably coming. As the perspectives above indicate, companies should be “privacy forward” in their thinking and recognize this will be critical for any company dealing with customer data, as well as potentially integral to their marketing, in the future.