GDPR In California, The Future Of Marketing Will Be REGULATED!
It was just a matter of time. In this article, published on April 12 of this year, we predicted the U.S. would start considering, and certain states would likely be passing, GDPR-related regulations and legislation.
While we hate being right when it makes all our jobs more challenging, regulation and legislation are coming. You had better be prepared, or you run the risk of taking at least a few steps back on lead generation and support of your sales efforts.
As marketers, we have to take some responsibility for this. We harassed, over-marketed and took advantage of the tools and data provided to us.
We used data we were not supposed to use to market to people who never asked to be marketed to.
We spammed people and continue to spam people we don’t know.
We shared personal data for money and didn’t properly protect the personal data of the people who shared their information with us.
We became infatuated with our own content and acted as if we didn’t care whether anyone was interested in it or not.
We took shortcut after shortcut in the name of revenue. Instead of earning people’s attention, we interrupted them. Now we’ll have to get much smarter and more scientific about how we approach marketing.
The California Legislation
Governor Jerry Brown signed the California Consumer Privacy Act of 2018 on Thursday, June 28, immediately after the state assembly and senate approved it.
The law, which takes effect in 2020, will give consumers far more control over who has access to their personal data and what those entities (such as Facebook and Google) can do with it. Consumers will have the right to know what information companies are collecting and why, as well as who they are sharing it with. Children under 16 will have to opt in to allow companies to collect their information at all. And once the data is gathered, consumers can bar tech companies from selling it. For more on the legislation, click here.
The new legislation is complicated, as you might expect, and has some loopholes as well. For a more detailed explanation and review of the actual law, click here.
Here are some highlights.
The new law protects the privacy of Californians in their roles as consumers, but also in all the other roles they play, such as employees, patients and tenants. So an individual's internet protocol address would be protected, as would their web browsing history and purchasing tendencies, even if no names are associated with the data as stored.
And the new law defines the term "personal information" equally broadly, including "any information that ... relates to ... a particular consumer or household." This means that data can be protected even if it does not relate to a single individual, since households are covered. For example, data about a household's energy consumption would be protected.
Is This Something You Need To Be Prepared For?
Even if you're not based in California, you will have to comply with the new law if your business receives personal data from California residents and if it exceeds one or more of three thresholds:
- You have annual gross revenues of $25 million
- You obtain personal information of 50,000 or more California residents, households or devices annually
- 50 percent or more of your revenue comes from selling California residents’ personal information
Note that the definition of "business" includes parent companies and subsidiaries using the same branding, even if they themselves do not exceed the applicable thresholds. For more details on the specific requirements for compliance, click here.
How Do You Start Thinking About Compliance?
This probably sounds a lot like GDPR, and if you’re already GDPR compliant this might be a non-issue for you. In fact, a lot of experts are calling GDPR much more comprehensive and much stricter in terms of what you need to do to be compliant.
But here's a list of some action items to start working on now:
- Prepare data maps, inventories or other records of all personal information pertaining to California residents, households and devices.
- Consider alternative business models and web/mobile presences.
- Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number.
- Provide a clear and conspicuous “Do Not Sell My Personal Information” link on your homepage, sending users to a web page that will allow the consumer to opt out of the sale of their personal information.
- Fund and implement new systems and processes to comply with the new requirements.
- Update privacy policies with newly required information, including a description of California residents' rights.
- Determine the age of California residents and implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years.
What Do The Penalties Look Like?
According to the new California law, companies can be ordered to pay penalties of up to $7,500 per intentional violation. For unintentional violations, if the company fails to cure the unintentional violation within 30 days of notice, they can be assessed $2,500 per violation.
Companies that become victims of data theft or other data security breaches can be ordered to pay statutory damages between $100 and $750 per California resident and incident, or actual damages, whichever is greater.
These penalties are enough to get at least some of our attention.
Practical Examples For Your Digital Advertising Agency Partners
If you’re working with a digital marketing agency or doing digital advertising with an agency, you should be aware of the nuances in the law.
In an article from Digiday, we found some very interesting analysis, including comments from Ron Camhi, managing partner at law firm Michelman & Robinson, who says the law contains “broad sweeping definitions of personal information.”
As noted above, the law covers IP addresses and geolocation data as well as shopping, browsing and search histories. It also includes consumer profiles based on inferences from personal information. Since ad tech firms use unique identifiers to anonymously track people around the web, they'll need to give people an option to ask the company to delete the information collected through cookies, and also ensure those cookies aren’t exposed in a data breach.
On the other hand, the law includes a loophole for any personal information that is “de-identified or in the aggregate consumer information.” If the personal information can’t be associated with a particular consumer, then it would be de-identified, said Camhi. But it’s not clear whether the types of identifiers used by online advertising are subject to the law, since they often aggregate that data into anonymized pools.
Here is a practical example. If you buy data from a third-party company for ad targeting, and that data is totally aggregated, you might be fine. But if you use cookie IDs to match aggregated data to your own audience data, such as names and email addresses, you’re now subject to the new law, even if you somehow remove the cookie-based identifiers from the process.
What Should YOU Do?
If you’re marketing to people in California, you don’t have to do anything differently today. This law comes into play in 2020, which leaves plenty of time for the law to be finalized and for you to make sure you're compliant.
However, now is the perfect time to start tightening up some of your practices. If you’re GDPR-compliant, you’re probably close to being California-compliant, too.
The way we market to people who don’t know us is changing, and it’s going to continue changing rapidly over the next few years. You need to be aware of the legal basis of those changes, comply with them and start tailoring your execution to make sure you don’t create any unnecessary legal, financial and compliance challenges going forward.
Square 2 — Building The Agency You’ll LOVE!