What’s your plan for CCPA?

Are you saving individual copies of your marketing messages? The new CCPA law says you should. CCPA, as it's commonly referred to, was modeled very closely on GDPR, the European Union data privacy regulation that became enforceable in 2018. What you may not know is that while both laws are similar, CCPA requires companies to provide copies of all unique marketing messages (such as email, SMS and direct mail) sent to a subscriber in the preceding 12 months. Read the article to learn about the requirements and differences between CCPA and GDPR.

Are you saving individual copies of your marketing messages?

The new CCPA law says you should.

If you’re a digital marketer, or work in compliance, operations or customer care, chances are you’ve heard a lot about the California Consumer Privacy Act, which went into effect on January 1, 2020. CCPA, as it’s commonly referred to, was modeled very closely on GDPR, the European Union data privacy regulation that became enforceable in May 2018. The primary purpose of both laws is to give consumers more visibility into, and control over, how companies use their data.

What you may not know is that while both laws are similar, CCPA requires companies to provide copies of all unique marketing messages (such as email, SMS and direct mail) sent to a subscriber in the preceding 12 months, upon request. This is a significant difference from GDPR. If you’re operating under the assumption that following GDPR policies means you’re in the clear for CCPA, read on, because there are a few additional requirements your business will need to meet from an operations perspective.

How CCPA compares to GDPR.

Both laws include a right of access, which is meant to give consumers context on how a company is using their data. In the case of GDPR (Article 15), the right of access is high-level: it entitles the consumer to a description of the processing and a copy of the personal data being processed.

With GDPR, you need to tell consumers:

  • The purpose of any data processing
  • The categories of data being processed
  • How long the data is expected to be stored
  • Whether the data has been used in automated decision-making, for instance for customer scoring and profiling purposes

What you don’t need to do under GDPR is retain and hand over specific copies of every marketing message sent to a subscriber.

CCPA goes much further than GDPR. Here, the right of access rests on a very broad definition of the Personal Information you must provide to subscribers. Under CCPA, Personal Information is defined as any information that is reasonably “capable of being associated with” a consumer or a household, whether structured, such as consumer scores in databases, or unstructured, such as emails you’ve sent, images stored in social media profiles, and other types of data.

In practical terms, it means you must be able to provide, upon request, any data or content relating to a consumer that your business has collected or processed in the preceding 12 months. To do this, you will need a way for your marketing and customer care teams to store, access and manage individual customer marketing messages (for instance, using a tool like Sageflo Archiver or similar).

Shoot, that doesn’t sound fun. My business doesn’t have any presence in California. Do I need to follow these requirements?

If you’re a brand marketer in the B2C or D2C space, you are almost certainly impacted by this. Any company, regardless of where it is headquartered, has to comply if it:

  • Does business in California and collects personal information from California residents, and
  • Meets any one or more of the following criteria:
    • Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
    • Has gross annual revenue of more than $25 million.
    • Derives 50% or more of its annual revenue from selling consumers’ personal information.

There is no cap on total fines under CCPA (unlike GDPR, which caps penalties at €20 million or 4% of a company’s worldwide annual turnover, whichever is higher), and the fines add up quickly: up to $2,500 per violation, or $7,500 per intentional violation, with each affected consumer record potentially counting as a separate violation. Ignoring the law and hoping for the best is not an option.

And CCPA is just the beginning. In 2019, over 20 states introduced or passed privacy laws to give consumers more control over their data and how it’s used. Like it or not, this is the new norm for digital marketers and operations teams. The best thing we can do is prepare.


Okay, I get it. We can’t skip or ignore CCPA. In practical terms, what do I need to know and plan for with regard to right of access requirements?

  1. Establish a process to verify subscriber identity. Before you can fulfill a request, you’ll need to verify the requester’s identity to a reasonable degree of certainty using a “reasonable” method. Rely on the information you already maintain about the subscriber, and ask for additional information only if you cannot verify their identity from what you already hold.
  2. Put a process and systems in place to fulfill right of access requests. This will require operations and customer care teams to retain, and be able to quickly retrieve, the required subscriber data. You should also standardize the format in which copies of that data are provided, so that every request isn’t a massive drain on time and resources within your company. Implementing a solution like Archiver makes this easy.
  3. Ensure data can be provided to the consumer within 45 days of receiving the request (extendable once by a further 45 days when reasonably necessary, provided you notify the consumer). This is more generous than GDPR, which requires requests to be fulfilled without undue delay and within one month, extendable by a further two months for complex or numerous requests.
  4. Check your privacy policy. If your company annually buys, receives, sells or shares the personal information of 4 million or more consumers, the CCPA regulations also require you to publish metrics in your privacy policy: the number of requests to know, requests to delete and requests to opt-out received in the previous calendar year, how many were complied with in whole or in part and how many were denied, and the median or mean number of days it took to respond to each type of request. At the time of writing, this portion of the regulations is still in draft.

Further reading.

This article is a high-level overview of the right of access portions of the law; it barely scratches the surface of CCPA and how it differs from GDPR. Other major differences between CCPA and GDPR include detailed privacy notice requirements; the ability for subscribers to specifically opt out of the sale of their data; the treatment of children (CCPA requires opt-in consent to sell the data of consumers under 16, with parental consent for those under 13, while GDPR sets the age of consent for online services at 16, which member states may lower to 13); and the provisions that must be included in contracts with third-party data processors and service providers.

We encourage you to explore the CCPA and how it differs from GDPR in more detail, and be sure to involve legal counsel when deciding on your approach to CCPA compliance.

Good luck!

We can help! Our Archiver solution addresses both the GDPR and CCPA “right to delete” and “right to access” requirements for marketing and operational messages. Contact us for more information.

Posted by Aaron Smith

CEO at Sageflo