California Consumer Privacy Act aka GDPR Lite: Is the Nation Doomed?

Search Options
Blog Search
Sign up for our monthly marketing trends enewsletter
  • 9/18/2018

    You may recall in a moment of clairvoyance a few months ago we predicted that the European Union’s GDPR would inspire others in the Western World to take up the good fight of consumer data privacy.

    Well, we didn’t have to wait as long as we thought. Enter Sandman! I mean… enter the California Consumer Privacy Act.

    Again with the privacy?!



    ‘Fraid so, mister polar bear. At the end of June, California passed what is now the strictest data privacy law in the United States. Up until now, U.S. marketers really only had some Federal Trade Commission-enforced acts to contend with respecting data, such as everyone’s favorite adorably named law CAN-SPAM.

    2hrne6.jpg

    CAN-SPAM really didn’t give marketers much to contend with. It basically says don’t be a spammer—identify yourself, give us your address and stop emailing people if they ask you to stop. Easy enough.

    The California Consumer Privacy Act, or CCPA, takes a whole new stab at protecting the consumer populace, laying down some rights for consumers that until now seemed an ocean away.

    Straight from the horse’s website, the CCPA aims to help consumers:

    • Own their personal information
    • Control their personal information
    • Secure their personal information
    • Hold big corporations accountable

    All of this is listed under a page with a heading declaring, “Your life is not their business.” Cute, right?

    So, who does this impact? Let me guess… Not just businesses in California?

    Now, you’re catching on! People are calling this law GDPR Lite—only half the calories of regular GDPR. It is extraterritorial in that it impacts businesses outside of California. However—and here’s where the lite part comes in—there are some parameters that may exclude some businesses from needing to comply.

    A company must comply with these new policies if the company does business in California or collects personally identifiable information from California consumers. Sounds a bit like GDPR, eh? However, to be required to comply with the law, that same company must also meet one of the following criteria:

    • Annual gross revenues of more than $25 million.
    • Buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more Californian consumers, households or devices.
    • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

    But don’t pop the champagne yet. The 50,000 parameter will probably snare a lot of smaller and middle-market businesses quicker than they think. If 50,000 people from California visit a company’s website in a year and the company is tracking them (e.g. IP address, cookies, web behavior), that counts even if it doesn’t have 50,000 Californian email subscribers.

    IP addresses and cookies? What else counts?

    The definition of personal information has been significantly broadened with this act. It includes a lot more than the standard social security and credit card numbers.

    The law defines personal information as anything that identifies, relates to, describes or could be associated with a particular person or household. Some of the data affected includes the common stuff that you’d expect:

    Real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number and passport number.

    Some less common stuff:

    Commercial information (records of personal property, products or services purchased, obtained, or considered or other purchasing or consuming histories or tendencies), geolocation data and biometric data.

    And some downright weird stuff:

    Audio, electronic, visual, thermal, olfactory (we’re looking at you Smell-O-Vision!), or similar information.

    But, like GDPR, the biggest impact may come from the following classes of information now deemed personal and identifiable:

    Browsing history, search history and information about a consumer’s interaction with websites, applications or advertisements.

    And, yes, even your analysis of those things:

    Inferences drawn from any of the protected information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

    So, yeah, basically anything and everything. Do you get a scents of the magnitude, now?

    So, I have lots of my customer’s personal information—I get it. What do I have to do?

    The law not only defines what personal information is and who must comply with regulations, it grants consumers expanded and specific rights over their data. These may look familiar if you recall the rights GDPR granted consumers.

    • Right to Know What Personal Information is Being Collected – consumers have a right to know what data is being collected, sold, maintained or transferred about them.

    • Right to Access Personal Information – consumers can request a copy of everything you have about them and ask where you obtained it.

    • Right to Know If Personal Information Is Sold or Disclosed – businesses must tell consumers what personal data they’re selling or sharing and with what third parties. Consumers may also ask for what purpose the data is being sold.

    • Right to Opt-Out of Having Personal Information Sold – consumers can opt-out of a business selling their personal information and businesses must provide them an option to do so on the homepage of their websites.

    • Right to Erase Personal Information – the infamous “right to be forgotten.” Consumers can ask that businesses completely delete their personal data.

    • Opt-In for Minors – businesses cannot sell the data of children under the age of 16 without the consent of the child or parent or guardian. For children under the age of 13, only the parent or guardian can consent.

    • Prohibits Discrimination and Retaliation by Businesses – businesses are not allowed to discriminate against a customer (e.g. stop doing business with them, impose higher rates) because the customer exercised his or her rights under the new act. Though, interestingly, businesses are not prohibited from incentivizing customers to permit the sale of data.

    Rights for consumers in the act are written to be intentionally vague and open to interpretation in order to encourage businesses to follow the strictest guidelines.

    How will California enforce this law?



    Good, old-fashioned fines seem to be the favored way to enforce laws. The act will mainly be enforced by the California attorney general. The fines can rack up quickly at the price tag of up to $7,500 per intentional violation. Even if you have a list of only 100 subscribers that are kept in violation of the CCPA, an unexpected $750,000 can be a tough hit for a small or middle-market company.

    Unintentional violations not corrected within 30 days are subject to a $2,500 fine per violation. The act also gives consumers the right to file for damages between $100 and $750 per incident in the event of a data breach or theft.

    Oh, no!



    But don’t panic. It’s important to mention the act will not become enforceable until January of 2020. But remember how quickly GDPR snuck up on you? This will certainly have a similar effect if you don’t begin preparing yourself and your business now. Most importantly, reach out to your legal counsel to help you determine if the CCPA is going to impact your business.

    Further, it is best to get data and privacy at your business under control now. More states in the country are likely to follow suit just as California followed Europe.

    If you want to read the full text of the law, go for it. But be warned, it’s as long and ponderous as The Grapes of Wrath.

    Need someone to bounce some CCPA questions off of or just a friendly ear to listen? Call us; text us; friend request us.

    DISCLAIMER: All data and information provided in this blog post are for informational purposes only. thunder::tech makes no representations as to the accuracy, completeness, currency, suitability or validity of any information contained herein. We recommend consulting with a legal professional for any legal advice pertaining to California Consumer Privacy Act compliance.

    About the author::Casey Braun is a Marketing Automation Specialist at thunder::tech. He creates and implements data-driven email and marketing automation strategies for our clients. Outside of the office, he's playing piano and singing in his band or rocking to Elton John. #SaveTheManatee
  • Your Content Marketing Strategy Needs a Workflow
  • 995
  • Episode 86 - Don’t “Copy” Me: Unpacking the Copywriting Process
Sign up for our monthly marketing newsletters