What is The Consumer Privacy Act?
On June 28, 2018, California passed the California Privacy Act. The act creates new standards for consumer privacy rights and business obligations beyond any other state or federal privacy laws.
This new legislation was an effort to beat back a more aggressive California ballot initiative drafted by real estate developer Alistair Mactaggart. That initiative was poised to go before voters in November after it garnered more than 600,000 signatures. But on June 28th—with less than 24 hours remaining before the deadline to rescind any ballot measures expired—California lawmakers hurriedly passed this modified bill and Mactaggart pulled the initiative from the ballot. The Act will go into effect on January 1, 2020.
Does the Act apply to my organization?
The Act applies to “any ‘business’ that does business in California, collects California consumers’ ‘personal information’ (which includes persistent identifiers), and satisfies one or more of the following thresholds:
- Annual gross revenues over $25 million
- Buys, receives, sells or shares (for commercial purposes) the personal information of 50,000 or more Californian consumers, households or devices or
- Derives 50% or more of its revenues from selling consumers’ personal information
Many businesses are subject to the Act, including direct marketers and the companies that collect, maintain, and share the marketers’ customer data with agencies, BPOs, print companies, and lettershops. Depending upon the nature of the work they do, some print companies and lettershops may also be affected by the Act as well.
Will my business be required to share the personal information it has collected?
The Act gives consumers the right to know what personal information businesses collect about them, and your organization must be prepared to disclose this to individuals. Personal information is defined as all data that “is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This includes virtually any consumer-related information a company might collect or maintain:
- Names
- Social Security numbers
- Biometric identifiers
- Geographic or geolocation information
- Tracking data (like IP addresses, cookies, and identifiers that recognize a particular consumer or device)
- Behavioral and profiling data (like browsing history, search history, information regarding a consumer’s interactions with a website, and purchasing history)
The nature and scope of this data is extensive, and the Act requires that companies disclose all requested info to consumers on-demand.
Can consumers opt out marketing efforts that utilize their data?
Consumers can deny your business the ability to sell, use or hold their personal data. The Act gives consumers discretion on how their personal data can be used, or if at all. Businesses must comply with these requests, which will obviously impact marketing campaigns and data-driven efforts. Marketers will need to have contingency plans for when the Act goes into effect, as it remains to be seen how consumers will react to these newfound data rights. Will they leave marketing lists en masse? Or will the bar simply be raised for marketers to provide value when using personal information? Marketers might be wise to seek out new methods that immediately demonstrate usefulness and relevance to their customers.
Will consumers know how their data has been shared?
Under the Act, consumers can legally request the categories of third parties who have received their personal data. While it will not be required for businesses to share the identities of these third parties, the new stipulations will undoubtedly force businesses to consider the short and long-term effects of sharing consumer data. Will consumers appreciate and benefit from the sharing? Will they see it as a positive decision, and how will those decisions reflect on a company’s brand? This Act could potentially usher in a more consumer-focused mentality in data sharing, rather than one that is chiefly centered on a company’s bottom line.
Will my company be able to prioritize consumers who don’t opt out of our data-driven marketing?
Even if consumers remove their data from a company, businesses will not be able to discriminate between consumers who exercise their privacy rights and those that do not. In certain cases, business are barred from denying products or services, or charging different prices, to consumers who exercise their privacy rights. This details and enforcement of this portion of the Act is still somewhat unclear, but hopefully any final version of the Act will provide additional clarity by the time it goes into effect.
What penalties are possible for companies that violate the Act?
The Act gives the California Attorney General the power to levy civil penalties of up to $2,500 per violation, or up to $7,500 for each intentional violation. These penalties are steep and compound quickly in cases involving multiple violations. The Act also establishes the right for consumers to bring civil actions where personal information is compromised in certain data breach scenarios.
What are the best next steps?
While the effective date seems distant, companies will need the time to prepare for full compliance. The Act likely will be revised multiple times between now and the effective date, and marketers should consider engaging an attorney or internal counsel to help guide them through the compliance process.
Additionally, since California is a bellwether state when it comes to legislation, marketers should pay close attention to the impact the Act may have on privacy laws in other states where they do significant business.
SPC will continue to monitor the developments to keep our clients abreast of major changes that affect the data and direct mail marketing industry.
Michael Baig
Vice President of Administration & General Counsel