Marketing and the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act or CCPA is a new law that went into effect on January 1, 2020. It is designed to enhance privacy rights and consumer protection for residents of California, United States. As with GDPR, this new regulation makes significant changes to how channel programs can email partners.

Maria Korolov states, writing in CSOOnline.com: “The California law doesn’t have some of GDPR’s most onerous requirements, such as the narrow 72-hour window in which a company must report a breach. In other respects, however, it goes even farther.”

To be clear, we are not lawyers, and this is not legal advice. We do want to help give channel managers an overview of the new law to help guide you as you market.

What is CCPA?

The CPPA, or California Consumer Privacy Act is the most comprehensive privacy law in the US. The CCPA creates new consumer rights around how businesses collect, access, delete and share the personal information of California residents.

Signed into law on June 2018, the CCPA goes into effect on January 1, 2020. A six-month grace period gives businesses until July 1, 2020 to become compliant. As with other laws, there have already been some amendments to the law since then, and expect there to possibly be more until it’s enforcement date.

Main Points of CCPA

As reviewed by Pillsburylaw.com:

The Act grants “consumers” (any California resident regardless of whether there is a customer or any other relationship with the covered business) five new rights respecting their personal information.

  • The right to request disclosure of your business’ data collection and sales practices in connection with the requesting consumer, including the categories of personal information you have collected, the source of the information, your use of the information and, if the information was disclosed or sold to third parties, the categories of personal information disclosed or sold to third parties and the categories of third parties to whom such information was disclosed or sold;
  • The right to request a copy of the specific personal information collected about them during the 12 months before their request (together with right #1, a “personal information request”);
  • The right to have such information deleted (with exceptions);
  • The right to request that their personal information not be sold to third parties, if applicable; and
  • The right not to be discriminated against because they exercised any of the new rights.

Does this Apply to my Business?

The law applies to any companies that conduct business in the state of California, and have one of the following criteria:

  • Has revenue of $25 million or higher
  • Receives information of over 50,000 consumers, households, or devices annually
  • Derives 50% or more of its annual revenue from selling consumers’ personal information

The law also encompasses both brick and mortar and e-commerce businesses that collects data on residents living in California.

What This Means for Channel Marketers

The further removed you are from the collection of data, the higher the risk of non-compliance becomes. For example, running marketing campaigns on behalf of your partners has greater risks associated with it because you need to ensure your partner got permission specifically to have you contact them and for what purpose (and has a clear audit trail) for you to email that prospect, not just permission for the partner to send email to that prospect.

In addition, giving your partners marketing automation tools within your channel portal increases your risk because you are enabling the email marketing without holding the consent audit trail.

Because of this, it is recommended that channels focus on tried and true through-partner marketing strategies: support your partner’s campaigns with planning, content, and funding, and enable easy deal registration.

You create and manage your own marketing campaigns to generate opt-in leads and distribute these leads to your partners. Each party is then responsible for their own consent documentation, lowering your risk of violating the CCPA and GDPR.