Are you ready for CCPA? Tips for complying with California’s new data privacy law

By Chuck Leddy

In an era of emerging data privacy regulations, as embodied by GDPR (with its focus on permission) and the new California Consumer Privacy Act/CCPA (with its focus on transparency and disclosure), consumers have more rights and enhanced choices. They will reward B2B companies that show thoughtfulness and transparency about the collection and use of customer data. As CCPA takes effect on January 1, 2020, brands that embrace its new data privacy protocol and its underlying principles will prove that they’re providing a customer experience that’s consistent with what consumers want. Such actions build trust and ongoing customer permission, paving the way for better marketing too.

The general direction of these new data privacy regulations is to give consumers more control over how companies collect, store, and use the data they provide. In general, the emerging regulations are moving away from putting the burden on consumers to opt out/unsubscribe and instead placing burdens on companies to provide more transparency and/or gain explicit consent from consumers for data collection and use.

Let’s explore the specifics of CCPA and how they may impact your B2B marketing, with some Q&A below. 

What is the goal of CCPA?

In a word, transparency. CCPA gives California residents the right to know about, and have more control over, how their data is collected, stored, and used. The law gives California consumers, among other things, the right to:

  • know what data companies have collected from and about them; 
  • stop companies from selling or transferring their personal information to 3rd parties;
  • receive equal treatment from companies even if a consumer opts out of data collection; and
  • assert “the right to be forgotten,” meaning they can ask companies to delete data on them.

Who does CCPA apply to?

Companies don’t need to have a “physical presence” in California (a headquarters, office, warehouse, etc.) to be covered by CCPA, but must simply be doing business (online or offline) with California residents. In other words, online sellers are covered. CCPA applies to all entities that collect personal information about California residents, that “do business” in the state, and that meet certain thresholds: it applies to a business that has annual gross revenues over $25 million, or possesses the personal information of 50,000 or more consumers, or earns more than half of its annual revenue from selling consumers’ personal information. CCPA will thus apply to most major nationwide brands.

What data is covered by the CCPA?

CCPA covers a wide range of customer data, including names, addresses, Social Security numbers, biometric data, geolocation, employment information, metadata, as well as buying and browsing history.

What are B2B companies required to do by the new California data privacy regulation?

Under CCPA, affected B2B companies must: 

  • provide detailed disclosures regarding the personal information they have collected, sold and disclosed in the last twelve months; 
  • give assurances that California residents have disclosure, access and opt-out rights concerning their data; 
  • reveal the categories of personal information being collected and the purposes associated with each category; and 
  • include a clearly displayed link on their website allowing individuals to opt out of the sale of their personal information to 3rd parties.

What are the penalties for non-compliance with the CCPA?

While CCPA enforcement begins on January 1, penalties go into effect on July 1. For each violation of the CCPA deemed intentional, the maximum fine is $7500. For violations deemed unintentional, the maximum fine is $2500 per violation. Impacted consumers can file lawsuits against violators, and are required to inform the California Attorney General.

What should you be doing now to comply with CCPA requirements?

Here are a half-dozen suggestions for CCPA compliance:

  1. Shift your focus to be more proactive in providing notifications to customers for your data collection and engagement/marketing efforts, especially with California residents. At minimum, add a field in your Eloqua forms asking customers to specify the state in which they have residency to facilitate CCPA compliance. As a general rule, design your messaging strategy to foster transparency and long-term customer trust. 
  2. Add clear opt-in language to all your forms and do NOT pre-check this box. CCPA does not require explicit opt-in but it’s a good practice in any jurisdiction. For example, you should ensure that all Eloqua forms have the field for capturing opt-ins.
  3. Map out and adjust your data management processes and tools so you can ensure CCPA compliance around disclosures and CCPA-related consumer requests. For example, you should adjust your Eloqua forms to allow people to opt out of having their information sold if they are California residents (so “Do Not Sell My Personal Information” should be a check box on forms). CCPA will also require you to better manage/segregate data you have from 3rd party vendors.
  4. To drive compliance, build an in-house data privacy team that understands new regulations like CCPA and what they require your B2B business to do. This data privacy team should be cross-functional, including professionals from marketing, martech (such as your Eloqua experts/power users), IT, legal, and beyond.
  5. Build close partnerships with IT and external experts/consultants to drive CCPA compliance. You’ll need both technical skills and legal analysis to get things right, which may require tapping into some outside expertise from your vendor partners and consultants.
  6. Be ready for more data management/data privacy compliance challenges in the future, because they’ll surely be coming. The trend towards giving customers more control and transparency over their data will not be stopping anytime soon, so you’ll need to be prepared for more change. This requires your organization to build a level of agility into your data management processes, people, and technology. You’ll also need to keep asking “what’s the impact of our actions on gaining/maintaining customer permission?” As consumers gain more transparency and control over their data, that question may be the most important compliance tool of all.

Do you have more questions about complying with California’s CCPA in your B2B marketing? Feel free to contact us directly.


Note: This blog post and the linked content are not intended to include, nor should they be construed to include, any legal advice or business solution addressing the content, interpretation or application of the California Consumer Privacy Act (CCPA) generally or specifically to any client’s or potential client’s circumstances. Sojourn Solutions advises all parties to seek qualified legal counsel regarding the applicability of CCPA to their processing of any personal data, including and especially through any third-party products and/or services.