The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, giving California residents additional rights with respect to their personal information. The privacy law is the first of its kind in the United States and is often compared to the European Union’s General Data Protection Regulation (GDPR).
While the industry has been buzzing about the CCPA for months, there are still questions around how the law will be interpreted. In fact, the California Attorney General continues to make changes to the regulations. As brand marketers grapple to understand the CCPA, its requirements, and other impending changes to the privacy landscape, knowledgeable partners become essential to the mix.
What does it cover?
Under the CCPA, California residents have the right to:
- Be informed of the types of personal information collected and the purposes of its use.
- Access the personal information collected about them.
- Request a business to delete the personal information they hold relating to them.
- Opt-out of a business’ sale of personal information.
The CCPA defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This can include contact information like name, username, phone number and physical address and online behavioral data like browsing history and geolocation data.
According to the CCPA, selling is: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
It’s important to note that while the CCPA defines these and other terms, many entities consider the law’s definitions too broad and ambiguous, leaving room for interpretation.
Whom does it affect?
The CCPA applies to any for-profit entity doing business in California that collects California residents’ personal information and that satisfies any one of the below requirements:
- With annual gross revenue in excess of $25MM+.
- That derives 50% or more of its annual revenue from selling consumers' personal information.
- That annually buys, receives, sells, or shares the data of 50,000 or more consumers, households or devices.
How is it manifesting in the marketplace?
The first action for major brands across industries has been to update their privacy policies. Next, many brands who are not in the business of selling data in the traditional sense are adding opt-out/do-not-sell my personal information (DNS) links to their websites in response to the CCPA’s broad definitions of sale and personal information. While the law only covers California residents, some brands like The Home Depot are enabling any U.S. residents to opt out of the sale of their personal information. Others like Walmart, however, are providing the DNS links on their sites for California residents only.
The CCPA’s broad definition of what constitutes a “sale” has led brands to different interpretations. According to Reuters, a spokeswoman from Amazon has stated, “we do not plan to put a ‘Do not sell’ button on our website because Amazon is not in the business of selling customers’ personal information and it never has been.” The Wall Street Journal reported that Facebook is telling advertisers that it does not need to make changes to its web-tracking services, a key component of Facebook's ad targeting capabilities, stating that these activities do not constitute a “sale” of consumer personal information under CCPA.
The importance of working with a trusted privacy partner
Epsilon is a trusted marketing partner and here to support our clients. How do we do it? With four key pillars:
Privacy by design
Epsilon practices the principle of Privacy by Design. This means that Epsilon proactively builds privacy protections into our products and services, and our business model, right from the start. The effect is to minimize the unnecessary collection and use of personal information by our systems and to give consumers power to exercise greater control over their personal information.
Providing transparency & choice
Epsilon strives to deliver transparency by providing consumers with notice about how their personal information is used. In addition, we maintain tools to allow consumers to request access to or deletion of their personal information and to opt out of a sale under CCPA.
Privacy industry participation
We actively participate in industry initiatives that help shape the privacy landscape. Our partnerships include:
- Board of Directors at the NAI
- Board of Not For Profit Alliance
- Advisory Council at the DAA
- Advisory Committee and Privacy Committee at the IAB
- Steering Group and Privacy Task Force at the IAB EU
Respecting choice over time
Our identity is people-based, not cookie-based, which allows us to persist and respect a consumer's opt-outs over time, versus just over the short-lived life of a cookie.
Epsilon understands and respects consumers’ rights to their personal information, and is here to be a trusted privacy partner in this time of regulation change.