The California Consumer Privacy Act: What Brands Need to Know

By Tinuiti Team

If your brand does business online, then you need to be aware of an upcoming law called the California Consumer Privacy Act.

Set to go into effect January 1 of 2020, the law will put stringent policies in place to protect Californian consumers (and their data) from unauthorized sharing, selling and transfer.

Considering California represents a whopping 12 percent of the U.S. population (not to mention a huge share of the overall consumer market), the CCPA should be considered a nationwide regulation that all brands need to adhere to.

What Do You Need to Know?

The California Consumer Privacy Act is a direct result of the 2018 Facebook data breach, which exposed the personal information of more than 50 million users worldwide.

Designed to protect data and safeguard consumer privacy of Americans residing specifically in California, it’s the first of many similar laws that’s likely to come. Several other states have related data protection regulations currently under development.

There are three types of businesses* that must comply with the new CCPA standards:

● Organizations with annual revenues of $25 million or higher
● Data brokers and businesses that buy, receive, sell or even share personal information of 50,000 or more consumers, devices or households
● Companies that get at least half of their revenue from selling consumer information

*Please note these are the specific types of business outlined in the law but because the law is still vague all businesses should take note even if they don’t currently qualify, they could in the future.

In that third category, the definition of “selling” is very broad and implies any transfer of consumer data, be it birthdays, email addresses, phone numbers, IP addresses, geographic locations or even just shopping behaviors and preferences. Trading email lists would fall into this bucket, as would many strategic partnerships between companies.

In that third category, the definition of “selling” is very broad and implies any transfer of consumer data for monetary or “perceived” value.

The definition of personal data has also been broadened in the regulation to include not only birthdays, email addresses, phone numbers, IP addresses, etc. but also geographic locations, shopping behaviors, any and all preferences captured as well as any engagement data within marketing channels. Trading email lists would fall into this bucket, as would many strategic partnerships between companies.

“If you’re not currently collecting location data on all consumers of your product (whether purchasers or not), you should assume the possibility of CA residency and comply with these regulations.”- Stacy Strom, Senior Email Strategist at Tinuiti


How to Comply

There are a few ways to ensure compliance with the CCPA once it goes into effect on January 1, 2020. The first is to have a comprehensive privacy policy in place.

This should spell out:

● Exactly what information you’re collecting from each consumer
● How and where you’re collecting it (cookies and pixels count as data collection!)
● The purposes you’re collecting it for
● The third parties (or categories of third parties) that you’ll be sharing the data with

You should also perform a data inventory audit. What type of data are you currently collecting and storing? What, under your current operation, would qualify as “selling” data? Where are you storing that data? Map out exactly what data points you have and where it’s being held (email server, spreadsheets, Dropbox, local drives, etc.) Have a clear view of the bigger picture.

Next, look at the third party data you’re using. Anything being purchased or accessed from another party would fall under the CCPA and require full compliance. Consider requesting this information directly from the consumer rather than using a third-party source where possible.

Expert note: If you’ll be gathering data on consumers under 16, you’ll also need to get explicit opt-in forms for them to complete.
“If your business model is one that sells to consumers under the age of 16, you will also need to have explicit opt in to allow the sale of personal data. Any consumers under the age of 13 require parental consent for this sale as well,” Strom said.

Tips for Success

CCPA ultimately gives Californians the right to know what personal data is being collected from them, who it’s being sold or shared with, and the purpose behind that data sharing. It also allows them to decline the sale of their personal data, as well as to view exactly the data that’s been gathered on their behalf.



As such, it’s important to have a plan in place for how you will address these requests. If a consumer wants to see the data you’ve collected around them, how will you pull it? How will you provide it? Make sure you have a well-documented process in place and that your employees are properly trained on the matter.

Finally, you should also keep clear and thorough records of any data sales or transfers. CCPA requires you to keep records of all consumer data sales for at least a full year, so have a clear-cut process in place for how you will document your data transfers and where you will store that documentation.

Get More Help

Need more help in understanding CCPA or how it will impact your brand’s data collection efforts? Email [email protected].

Join our webinar California Consumer Privacy Act (CCPA): Countdown to Compliance on July 9th at 11am PT for a live Q&A with our expert Solutions Architect speaker Will Weld.

You Might Be Interested In

*By submitting your Email Address, you are agreeing to all conditions of our Privacy Policy.