California Consumer Privacy Act and marketers: 5 actionable steps to follow

Published August 14, 2018 · Updated January 27, 2022

The CCPA (California Consumer Privacy Act) is a new California law aiming to regulate the flow of personal data between businesses. The act will expand the privacy rights of California consumers and require businesses to disclose the what, why, and how of the use of consumers’ personal information. It will also allow California residents to forbid companies to sell their data.

People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level transparency to their business practices.

SECTION 1, point (h) of the California Consumer Privacy Act of 2018 (CCPA)

Failure to comply with these new laws could be costly to businesses, with penalties up to $7,500 per violation.

Because information about clients is a marketer’s goldmine, many people operating in the field now fear that the new law will deprive them of valuable customer insights. But is this really the case?

In this post we will discuss the most important aspects of CCPA and present some actionable steps marketers should take in order to prepare for it.

But first, let’s answer some basic questions.

When does CCPA come into effect?

January 1, 2020.

This means that companies have roughly 18 months to prepare for the new law. However, there is a good chance that by that time the act will significantly change its form, considering that:

  • experts have pointed out multiple flaws in the current version of the act
  • there’s no doubt companies will try to lobby legislators in order to protect their own interests

Who will be affected by it?

The law applies to every company processing personal information of California residents that either:

  • has a gross annual revenue greater than or equal to $25 million
  • obtains information of 50,000 or more California residents/households or devices annually
  • generates at least 50% of its annual revenue from selling the personal information of California residents

Considering that California is now the fifth-largest economy in the world, it would be no exaggeration to say that the law will affect virtually every mid- to enterprise-size business with a global presence.

What is personal information?

Some marketers may assume that the new California law won’t affect them because they don’t collect users’ personal data. In many cases, however, they will be wrong. That’s because CCPA establishes a very broad definition of personal information. Here’s its precise scope:

  • Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • All categories of personal information enumerated in Civil Code 1798.80 et seq., with specific reference to the category of information that has been collected;
  • All categories of personal information relating to characteristics of protected classifications under California or federal law, with specific reference to the category of information that has been collected, such as race, ethnicity, or gender;
  • Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric data;
  • Internet or other electronic network activity information, including but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Psychometric information;
  • Professional or employment-related information;
  • Inferences drawn from any of the information identified above; and
  • Any of the categories of information set forth in this subdivision as they pertain to the minor children of the consumer.

As you can see, the list is really long and covers many different categories of data. Certainly, many of them are the fuel that powers marketing activities. This is particularly evident when we dig deeper into the term unique identifier:

“Unique identifier” means a persistent identifier that can be used to recognize a consumer or a device over time and across different services, including but not limited to, a device identifier; Internet Protocol address(es); cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.

It turns out that, just as in the case of GDPR, tracking cookies and other types of online identifiers are also included in the scope of the regulation.

This means that CCPA covers not only marketers with an arsenal of dedicated tools (like CRMs, customer data platforms, or email automation software), but also everyone who simply captures non-anonymized analytics data and uses it to improve user experience on their website or app.

What changes does CCPA bring?

CCPA is one of the most revolutionary data privacy acts in the United States. Many experts claim that it will open the door for the US to make consumer data privacy rights a priority. With that in mind, it’s no wonder that the list of changes it introduces is long and complex.

Among other things:

1) Consumers have the right to obtain a record of the personal information companies have on them (from the last 12 months). Businesses must also disclose:

  • the categories of sources from which the personal information was collected
  • the business or commercial purpose for collecting or selling personal information
  • the categories of third parties with whom the business shares personal information

Besides that, consumer requests should be processed within a 45-day timeframe.

2) People can request to have their data deleted or to stop the sale of their information. Businesses will be required to have a “clear and conspicuous link” on their website’s homepage titled “Do Not Sell My Personal Information.” The link would take users to a page where they can opt out of having their data sold or shared.

3) California residents have the right to sue a company that uses their stolen data or data that was disclosed to them by a data breach. In addition, they can also sue companies that were negligent in the way they handle their data (for instance, data was not encrypted).

4) There is a mandatory opt-in with regards to selling the personal data of minors (under 16 years old).

5) The new law also imposes sanctions on businesses that fail to comply with its provisions. The fines include:

  • in the case of a suit filed by consumers: $100-750 (or the cost of actual damages, whichever is higher) per resident and incident in the case of data breaches or data theft if data was not properly protected
  • in the case of a suit by the State Attorney General: $2,500 per violation and up to $7,500 per intentional violation of privacy

CCPA vs. GDPR: 4 key differences

News about CCPA made the rounds roughly a month after the new European data privacy law – GDPR – came into force. This has inspired people to look for similarities between these two laws.

Indeed, both initiatives are designed to increase transparency in the handling of personal information. They also aim to give people more control over how companies use information about them.

However, there are many significant differences between these two laws. Below is a list of four key aspects that distinguish CCPA from GDPR:

1. Consumers don’t have a way to opt-out of being tracked

CCPA addresses a slightly different problem than GDPR – its main focus is to prevent the sale of consumers’ information to third parties without their consent and knowledge. However, unlike the EU law, the California regulation doesn’t give consumers the opportunity to say no to the collection of their data.

2. There is no such thing as a right to object to processing

As we’ve mentioned before, although consumers can request the removal of their data from a company’s database and demand that it not be sold to other parties, they can’t do anything about the fact that businesses collect their personal information in the first place. This means that companies will be allowed to continue collecting information about a particular individual even after deleting that individual’s data from their databases.

Because of this, the California law doesn’t really provide people with an equivalent of the GDPR’s “right to object to processing.”

3. No consent is required before processing

Another major difference is that under GDPR you need to acquire users’ consent before you start processing their data. In the case of CCPA, companies don’t have to collect consents – it’s on the user to actively oppose their data being shared or sold. However, as we’ve mentioned before, this rule doesn’t apply to minors (in their case an active opt-in is required).

4. No legitimate interest

Under GDPR, there are several legal bases for lawful data processing. One of them is legitimate interest. If a company can demonstrate that the processing of personal data serves its legitimate interest, it doesn’t need visitors’ consent to process this kind of information. It also doesn’t have to handle data subjects’ requests for deleting, rectifying, or disclosing the data.

CCPA, on the other hand, doesn’t provide businesses with any similar clause. Companies can’t refuse to delete consumer personal information except when the data is necessary for:

  • fulfillment of a contract with the consumer
  • data security
  • repairing errors
  • scientific and statistical research in the public interest
  • solely internal uses reasonably aligned with expectation of consumers
  • compliance with legal obligations

There are, of course, many more differences between these laws. If you want to explore them yourself, we encourage you to read the full text of both initiatives.

How to prepare for the new law?

The new California law continues to stir controversy and many of its provisions will have to be clarified. However, 18 months is really not a lot of time, so it’s worth taking some steps to comply with its provisions.

There are a number of things you can start doing today. For instance, you could:

1) Map your data and its sources

One of your most important tasks is to diligently examine your data inventories. You’ll have to map every piece of personal information about your customers gathered by your marketing and sales tools. Then you’ll have to make sure that the data is well prepared for access, deletion, and portability requests from your clients. That may include checking if your marketing software vendors are up to the task and will help you fulfill these obligations. If not, you may want to consider switching to another, more privacy-oriented vendor.

If you’re interested in a privacy-friendly marketing stack, be sure to check out our product. Piwik PRO Analytics Suite is a collection of secure and capable software that helps our clients comply with the most stringent data regulations around the world, including GDPR, HIPAA, and now CCPA.

2) Check your third-party data sources

Companies that buy customer data from third parties should always make sure that it comes from a legitimate source. The new California law should make you think twice (at least) before you decide to use data from unverified vendors. Under CCPA, operating on stolen or breached data is an offence that can result in hefty fines.

3) Come up with a way for handling consumer requests

Under the CCPA, businesses must provide at least two methods by which consumers can make their requests, including a toll-free number and an online form. The link to those forms should be placed somewhere on your homepage, along with the text: Do Not Sell My Personal Information.

Also, you’ll have to think through your internal processes for handling consumer requests. To make this task a bit easier, you might want to use some dedicated tool to automate things.

There are a few solutions available on the market that simplify the process of collecting and handling GDPR data subject requests. Considering that those are almost identical to consumer requests under CCPA, these tools could be used for both purposes.

If you want to learn more about the capabilities of consent management tools, we advise you to visit the GDPR Consent Manager page.

4) Update your data privacy policy

Among many other things, the CCPA requires every business dealing with California residents to update its privacy policy to include a description of California residents’ rights. Make sure you do this before the act comes into effect.

If you need some good examples of what your updated privacy policy should look like, you can seek inspiration on the California Consumer Privacy Act’s official website.

5) Keep your ear to the ground

As we’ve said earlier, the California Consumer Privacy Act will probably evolve owing to lobbying and some fixes to errors in its current version. That’s why it’s extremely important to stay in the loop and see what the future will bring.

California Consumer Privacy Act – some conclusions

We hope that this blog post has given you a decent overview of the upcoming law and provided some actionable advice on how to prepare for it. However, if you want to learn more about the CCPA, we invite you to follow our blog for news and updates.

Karolina Lubowicka

Senior Content Marketer and Social Media Specialist

An experienced copywriter who takes complex topics of data privacy & GDPR and makes them understandable for all.