Busting 5 Common Myths About the California Consumer Privacy Act (CCPA)

At Retina, we model the customer data of our clients to derive predictive lifetime value (LTV) insights. We live and breathe in petabytes of customer data, and as such, have gone to great lengths to protect that information.  

In recent months, we’ve received an increasing number of questions related to the California Consumer Privacy Act (CCPA), a law protecting information that identifies California residents.  Much like the General Data Protection Regulation (GDPR) in Europe, CCPA is expected to dramatically alter the way American companies process data and, in many cases, is forcing many to reexamine their current practices.    

Many of our customers are confused about CCPA’s impact and whether it applies to them. For entertainment’s sake, I’d like to examine five CCPA myths that have come up regularly in our discussions with customers, and provide some recommendations about how to tackle them. So buckle up!

Myth #1: We can just let our umbrella insurance handle CCPA.

Fact: No, you really can’t. Your company can be fined up to $7,500 per customer. If you have one million customers, you’d need a $7.5 billion insurance policy. Plus, private damages might also be awarded — meaning the sky’s the limit on penalties.

Best Practice: At up to $7,500 per intentional violation, do you really think it makes sense to press your luck when it comes to CCPA? Imagine if the California Attorney General decides to make an example of you and imposes the maximum penalty on your company. I think you’d rather not risk it. Instead, post a direct “Do Not Sell My Personal Information” link on your homepage, letting consumers opt out of the selling of their personal information to third parties.  You should also update your privacy notice, revise your website interfaces, rewrite all your customer and vendor contracts, and build out tech and processes for complying with requests from consumers regarding their personal information.

Myth #2: There’s no rush…we can wait until the dust settles and figure this out in a few years.

Fact: You may be liable for how you handle data starting January 1, 2020.

Best Practice: If you have not begun to prepare for compliance with the CCPA, you should. Get your act together and jumpstart your compliance efforts ASAP. Build a CCPA-focused data mapping exercise now. Consider hiring a data protection officer (DPO). Get your overpriced attorney on the phone and discuss CCPA compliance with him or her immediately. The deadline is only six months away, and let me tell you, the law’s various obligations will take time to implement.

Myth #3: We’re not headquartered in California so CCPA doesn’t apply to us.

Fact: Ignorance is not bliss. Nobody is exempt from the CCPA! Nobody! Nobody!!! (Insert sinister laugh here.) But for real, you should have alarm bells going off if you’re:

  1. Doing business in California;
  2. Collecting personal information about California residents; and
  3. Pushing more than $25 million in revenue, holding more than 50,000 consumer records in your database, or deriving more than 50% of your revenue from selling consumers’ personal info.

Best Practice: Err on the side of caution and become CCPA compliant. Lots of other states are also introducing similar laws (see below), so you might as well comply with the strictest regulations in the country from the get-go.

Myth #4: We don’t meet the CCPA thresholds so we’re off the hook.

Fact: Wrong. You may be obligated to comply with the CCPA indirectly through an agreement with one of your customers.

Best Practice: Here’s a doozy for you. In order to comply with the CCPA, you will need to ensure your third-party service providers use information in a way that allows you to be compliant. For example, they will need to delete information as requested or use the information only as permitted — or you are also liable!

Myth #5: The CCPA is the only U.S. privacy law we have to worry about.

Fact: More than 10 states, including the big boys like New York, Massachusetts, and Washington, have drafted consumer privacy protection laws similar to the CCPA. They are going live in 2019 and are just as scary in terms of breadth and potential impact. Also, keep in mind that being GDPR compliant does not make you CCPA compliant — there are still additional steps you need to take.

Best Practice: Go big or go home. Cover your bases and make yourself fully compliant with the strictest domestic legislation in the country, as it will likely serve as a benchmark for a federal privacy law, which is soon to come.

In closing, at Retina, we use data science and machine learning to model the customer data of our clients. Detailed per-customer data is essential to getting the best results from our models.  Our team has decades of experience handling marketing technology and its intersection with privacy law, and we use that experience to work closely with our customers to ensure that they can preserve the value in their data, and our models, while keeping compliant in an ever-changing legal landscape.

Contact us at [email protected] if you’d like to learn more, specifically around how the CCPA relates to advertising attribution and CLV.

Legal Disclaimer: We are not attorneys. Please do not construe our recommendations as legal advice. Refer to the original legislation and consult with the appropriate legal counsel.