California Attorney General Xavier Becerra will enforce the California Consumer Privacy Act regulation come hell, high water or coronavirus.
That was made immediately clear on July 1 when Becerra announced that CCPA enforcement would begin as scheduled, despite the law's final regulatory language being subject to a 90-day review by the California Office of Administrative Law. The review process began on June 1 and will likely be finalized by the end of August. More than 30 trade associations and businesses sent a letter seeking an extension on CCPA regulation enforcement due to pandemic-related business disruptions. The law took effect on Jan. 1.
Anecdotal reports passed on through trade associations claim that some companies have already received CCPA violation notices from Becerra's office, which they have 30 days to address or face fines of $2,500-$7,500 per violation. On the civil lawsuit side, 34 complaints cited the CCPA regulation through July 2, according to law firm Bryan Cave Leighton Paisner LLP, which tracks them.
The law gives California residents the legal right to know what specific personal information about them a company keeps, shares or sells; requires a company to delete that information at the resident's request; allows customers to opt out of data sales; and prohibits companies from discriminating against consumers who exercise their rights.
There are some exceptions: Companies with gross annual revenue under $25 million that buy, receive or sell information for fewer than 50,000 customers and derive less than 50% of annual revenue from selling consumers' information are exempt from CCPA. Nonprofits and government offices are also exempt.
But for most people working in sales, marketing, customer service and e-commerce -- if they're located in California or have customers in the state -- CCPA enforcement is in effect, Constellation Research analyst Liz Miller said.
"If we're thinking about security as an operational checklist, we're doing it wrong," Miller said. "The reality is that our customers expect that when they finish a transaction online with a brand they trust, give a credit card number and give a home address, that we are going to do the most we possibly can to make sure that that information is used for good and does not fall into nefarious hands."
Salesforce an early CCPA defendant
For now, Becerra's office handles CCPA enforcement. A ballot initiative Californians will vote on in November, the California Privacy Rights and Enforcement Act of 2020, would establish the California Privacy Protection Agency to handle enforcement. This law would strengthen the CCPA and add layers that affect adtech platforms, among other technologies.
One of the first CCPA lawsuits is a class-action complaint filed against Salesforce e-commerce customer and children's clothier Hanna Andersson, stemming from a 2019 data breach. Salesforce, which is also named as a defendant in the suit, declined comment on the case for this article; attorneys for the plaintiffs did not respond to inquiries.
Cloud software vendors such as Alyce, which manages promotional gift and video lead-generation campaigns, are watching both the California Attorney General's Office to determine enforcement patterns and the civil suits to see who is awarded damages. It could take more than a year to understand what CCPA violations draw fines, said Andy Dale, Alyce general counsel.
While Alyce was already CCPA-compliant, Dale said, the company is tweaking features on its platform to make CCPA compliance more straightforward in the user interface. One example is making data deletion easier so an Alyce user can quickly honor customer requests to do so.
Alyce integrates with Adobe Marketo and Salesforce, among other popular platforms. Dale said that the company is paying close attention to the Hanna Andersson and Salesforce suit.
"It definitely hits our radar," Dale said. "All I can do is watch and see what happens and see how they respond."
Marketers and other CX professionals need to be vigilant when selecting cloud companies for their campaigns and enlist help before entering into contracts with vendors to make sure those service providers align with their company's data-use and security policies. While marketing automation tools have proliferated over the last decade, and marketing teams built their own tech stacks, these new privacy compliance mandates spell the end of trial-and-error lead generation campaigns.
"You have to have your CIO and CISO involved in the conversation if something's going to hook into your system or touch your customer in any way," Constellation's Miller said. "The days of 'random acts of marketing technology purchases' have to be over."
That said, Miller added, the CCPA regulation is creating "Christmas for lawyers," and she expects a large number of initial lawsuits connected to data breaches that won't necessarily be successful, because it puts too much onus on the plaintiffs to prove companies knowingly flouted the law.
National privacy law may be next
The CCPA regulation is the first state consumer privacy law of its kind; New York, Oregon, Washington and Nevada followed with their own.
More could come as legislators consider bills in Massachusetts, Hawaii, Virginia and Maryland. Illinois already has a law protecting biometric information and a proposed consumer privacy bill in the works that would reinforce it. These different state laws prompted Microsoft to make the stringent CCPA its national standard to streamline compliance efforts.
Several privacy bills have been introduced at the federal level. Should one pass, privacy compliance will be less of a state-by-state patchwork for cloud software vendors and their users.
"I think both sides see the merit in having something, so someday we may get there," Alyce's Dale said.