CCPA entered the alphabet soup of laws for marketers to follow on New Year’s Day. But what they need to follow isn’t yet set in stone — even though penalties for not following the rules will likely be retroactive, an attorney specializing in the California Consumer Privacy Act tells Target Marketing.
Asked by Target Marketing about the data privacy law that took effect on Jan. 1, Mary Ann Wymore — an officer and member of the Privacy & Data Security Practice Group at Greensfelder, Hemker & Gale, P.C. — said on Dec. 18:
“The comment period ended roughly two weeks ago. We’re awaiting issuance of final regulations.
“Whether or not the rules are issued prior to Jan. 1, the CCPA will go into effect in January.
“Attorney General enforcement cannot begin until six months after the final rules issue. That does not mean CCPA violators will get a free pass for non-compliance after Jan. 1 but before enforcement can begin. The AG likely can enforce prior violations retroactively.”
As for B2B marketers who may be confused about how the law applies to them, Wymore says they’re right to be befuddled:
“Much ambiguity remains as to how the CCPA will be interpreted, as to B2B. Best practice at the outset suggests taking a broad application of the rules. This should be reassessed when final rules are issued.”
Wymore, whose law firm is headquartered in St. Louis, is a California-licensed lawyer. She says marketers need to know that the CCPA “applies to any entity that collects personal data from California consumers.”
While other thought leaders commenting on the law say the CCPA is not as strict as GDPR — the data privacy law regarding E.U. citizens — Wymore says CCPA applies more broadly and will have significant repercussions for U.S. companies.
She says of CCPA:
“This is an extremely broad statute, and there are ticking time bombs for businesses that are not diligent with compliance,” Wymore says. “This encompasses data, such as phone numbers; physical descriptions of consumers, and information such as race, ancestry, sex, gender identity, marital status, etc.; insurance policy numbers; financial information including payment account numbers; and biometric data.”
On Dec. 18, the Digital Advertising Alliance (DAA) announced to marketers its tool that lets Californians opt out of marketing from publishers, brands, agencies, adtech providers, and more.
In its announcement, DAA says:
“The DAA’s CCPA Opt-Out Tools provide consumers a clear and recognizable mechanism to express cross-industry choices around the sale of their personal information.”
It’s still possible to reach Californians, though, says Uberall:
“As a result of these new regulations, location marketing must fundamentally change. Instead of relying on push marketing, which can be invasive and not as data-driven anymore, marketers need to shift to pull marketing (creating marketing experiences for consumers seeking out products and services). For location marketers moving to a pull marketing approach, this means a stronger focus on ‘near me/ and content marketing.”
Wymore adds that marketers who haven’t done so yet must inventory and map the types of consumer personal information they are collecting and maintaining. Also similar to the GDPR process, they then need to determine how they should respond to consumers’ requests for that information.
Marketers also have to watch for consumer fraud, because some consumers will opt others out of marketing, will request information on other consumers in the name of those consumers, and so on.
“Before they even receive their first consumer request for information, companies need to map all entry points of data — from whom, how they are collecting it, how they are using it, and how they are disclosing it,” Wymore says. “The goal is to make sure that consumer data is being protected by an organization, but businesses also must be cognizant of consumers’ right to know who has their data and how they can access it, as well as consumers’ right to have their data forgotten (discarded).”