The Impact of CCPA on Direct Marketing
Privacy concerns and legislation continued to play an important role in modern direct marketing after 2020. The CCPA is a bill meant to enhance privacy rights and consumer protection for residents of California. The bill was passed by the California State Legislature and became effective on January 1, 2020. The CCPA will impact marketers nationwide who do business in California. It will be important to be aware of what the CCPA is, how to comply and the potential consequences for modern direct marketers.
What is the purpose of the CCPA?
To provide California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request that a business delete any personal information about a consumer collected from that consumer.
- Not be discriminated against for exercising their privacy rights.
Who does the CCPA apply to?
The bill applies to any for-profit business that collects consumers’ personal data, does business in California and meets at least one of the following criteria:
- $25 million or more in annual gross revenue.
- 50,000 or more records of consumers, households or devices.
- Earns 50% or more of its annual revenue from selling consumers’ personal information.
What is the impact on direct marketing?
If your company does business in California and you meet the criteria above, there will be some immediate impact and long-term issues that will need to be addressed.
On or before the January 1, 2020, deadline, there are some organizational and website updates that include:
- Implement processes to obtain parental or guardian consent for minors under 13 years.
- Include a “Do Not Sell My Personal Information” link on the homepage of the website of the business that will direct users to a web page enabling them to opt out of the sale of the user’s personal information
- Designate methods for submitting data access requests such as an email, web form or a toll-free telephone number.
- Update privacy policies with newly required information, including a description of California residents’ rights.
- Avoid requesting opt-in consent for 12 months after a California resident opts out.
What does this mean for your customer database?
From direct mail to email, your database and lists are critical to the success of the campaign. If your lists are records that your business has collected over time from customers you may be better prepared to comply with the bill. If you rely on third-party list purchase or rental, you will likely feel more of an impact. As a marketing team, you will need to identity all the lists being used and the source of those records.
Unless you have a real understanding of your third-party list source and accuracy it may be best to avoid California records in rented lists. Your company will be responsible for the records on purchased lists meeting the qualifications of the CCPA. This may prove to be difficult for less reputable list providers. Even the major list providers with strong reputations may struggle to meet the requirements of the bill. Be sure to address the CCPA implications when purchasing or renting lists.
What are the consequences?
If businesses are found to be in violation of the CCPA, the following sanctions and remedies can be imposed:
- Companies or activists can be authorized to exercise opt-out rights on behalf of California residents.
- Companies that become victims of data theft or other data security breaches can be liable to pay damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater.
- Fines of up to $7,500 for each intentional violation and $2,500 for each unintentional violation.
If you are doing business with California residents it will be important to stay informed and diligent about the impacts of the CCPA on your marketing and data sources. Other states will likely follow California with legislation of their own, and consumer data privacy should become a part of every direct mail, email and other marketing campaign planning process.