California's Consumer Privacy Act Heats Up the Privacy Conversation

The conversation around consumer privacy continues to heat up: California’s Attorney General Rob Bonta recently announced the first enforcement settlement based on the California Consumer Privacy Act (CCPA), which went into effect in 2020. And the U.S. Federal Trade Commission (FTC) recently filed suit against data broker Kochava Inc. for violating the FTC Act by selling geolocation data that is not anonymized.

Considered along with several recent EU privacy rulings related to the General Data Protection Regulation (GDPR), it’s becoming increasingly clear that the consumer privacy landscape is shifting. Enforcement will be top of mind for many states and countries.

In the recent action by the California AG, beauty retailer Sephora was fined $1.2 million for violations such as not properly disclosing the sale of personal information and failing to offer an opt-out option such as a “Do Not Sell My Personal Information” link. The settlement sets a clear precedent: The use of cookies and other automated technologies to collect and share personal information in exchange for services from third-party vendors is considered a sale under the CCPA. Considering how ubiquitous cookies have become, this could have wide implications for businesses. 

The rules around cookies and analytics are far from the only thing the California Attorney General is enforcing, however. Let’s take a look at what’s been going on in the world of the CCPA and how it could affect your business. 

How Did We Get Here?

The CCPA was signed into law in 2018 and went into effect on January 1, 2020. The law provides many “rights” to consumers, including the right to know what information about them is being collected and sold, the right to opt-out of the sale of their information, rights for minors and a right to non-discrimination. 

The CCPA applies to for-profit businesses that collect and process data and information about California residents and that meet certain thresholds, such as revenue of $25 million or more. It doesn’t matter where you are based – if you do business with Californians, the law may apply to you. Considering California is home to nearly 12% of US residents, there’s a good chance you do. 

With a grace period of six months, enforcement of the law actually began in July of 2020. The Attorney General’s office immediately began sending out citations, giving businesses 30 days to cure the offense. 

A year later, the Attorney General’s office released its first list of enforcement actions. Most of the violations were for failing to provide consumers with adequate notice of their rights or explicit notice that the business sells personal information. The companies that received notices ran the gamut of industries, from an online dating platform to a game developer to a toy distributor.

The message was clear: No one is safe from the impact of data privacy laws.

What's Next?

Whether you do business with Californians, Europeans or leverage the data of Americans in your marketing, it’s becoming increasingly clear that a proactive stance on consumer privacy is essential to business operations. Enforcement sweeps of the CCPA are becoming more common, and European countries are cracking down. And it won’t stop here: The California Privacy Rights Act (CPRA) is set to come into effect on January 1, 2023 and will significantly expand the protections provided by the CCPA. 

Among the changes, the CPRA creates a new party to whom your business could transfer personal information. Where the options were previously “Service Providers” and “Third Parties,” there will now be a “Contractor” category. A Contractor is defined as “a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business.”

The CPRA also contains stricter definitions of data sharing and targeted advertising. Perhaps most importantly for B2B businesses, the law states that if you do not audit your service providers and contractors, you lose the presumption of innocence: “a business that never … exercises its rights to audit or test the service provider’s or contractor’s systems might not be able to rely on the defense that it did not have reason to believe that [they intended] to use the personal information in violation of the CCPA.”

Enforcement of the CPRA will begin in July 2023 – now is the time to prepare.

Where Do We Go From Here?

The recent actions from the California AG and the FTC make it clear that if you haven’t reviewed your privacy policies, now is the time. One of the items that will likely be targeted is contracts: Sephora was called out specifically for not having proper service provider agreements. But for large agencies and businesses, hundreds of contracts are hard if not impossible to manage. 

At BOL, we use SafeGuard Privacy, a privacy management platform that is independent of any privacy tool or service providers. SafeGuard Privacy helps us satisfy the legal obligation to audit our vendors and streamlines the entire compliance process. With the help of SafeGuard Privacy, we’re also taking the following steps: 

  1. Classify our vendors.
  2. Make sure we have the right contracts for the right types of vendors.
  3. Have vendors complete SafeGuard Privacy’s JumpStart assessment, which we will then review and approve.

In addition to compliance obligations for your contractors and vendors, there are other aspects of the CPRA to consider. Before you know which parts of the law apply to you, you’ll need to determine:

  • Whether your business is subject to the CPRA
  • Whether you collect or use sensitive personal information
  • Whether you sell or share sensitive personal information
  • Whether you are a high-risk business

From there, you can determine which parts of the law apply to you. For example, if any part of the CPRA applies to you, you’ll want to update your personal database and, if you haven’t already, create a way for customers to correct and limit the use of personal information. You’ll also want to incorporate the law’s collection, use and retention limitations. Finally, don’t forget to update your internal privacy training.

Data is essential to your marketing strategy – but it must be compliant. BOL is well ahead of the game in this area, and we’re ready to lend you our expertise. As our SVP of Performance, Rob Griffin, says, “Just because you can doesn’t mean you should. Privacy is one of the most critical changes that will dictate digital marketing winners and losers going forward.” Contact us today for industry-leading advice and strategies to be at the forefront of consumer privacy, instead of lagging behind.