What marketers need to understand about fines under the new California Privacy Act

Businesses operating in California (physical location or not) and generating $25 million or more annual revenue are expected to comply with the law.

It did not take long for the Golden State to borrow a page from the European Union’s consumer privacy rule book. And because of this, marketers need to take note about what’s happening with changes in data protection right now.

It was only a few months after Europe adopted the General Data Protection Regulation in March 2018, that California Governor Jerry Brown approved Assembly Bill 375, commonly referred to as the California Consumer Privacy Act.

These two jurisdictions are more than 5,600 miles apart, but their views on consumer privacy happen to be very similar.

In early February 2019, many GDPR skeptics in the United States started seeing messages in their email inboxes about privacy policy updates. Since such notifications tend to be routinely ignored, there is a chance that your average citizen is still unaware of the GDPR reach beyond the EU.

The reason brands suddenly revised their privacy policies earlier this year can be traced to a massive fined imposed upon an American internet advertising giant: Google.

Violation fines

For many legal analysts focused on the IT sector, learning about the $57 million fine imposed by European Data Protection Supervisor was something to be expected. When regulators want to send a message and set an example, what better way to do it than going after a major player? In this specific case, Google’s problems started in France, where privacy regulators noticed that the search engine giant made users jump through hoops to confirm whether they consented to data collection and storage policies.

Could Google also become the first internet giant to be slapped with a fine for violating the California Consumer Privacy Act (CCPA)? There are doubts in this regard, but only time will tell. In the meantime, it is important for American business owners to understand the implications of these regulations.

GDPR versus CCPA

While GDPR is currently in effect, the CCPA will not go into effect until Jan. 1, 2020. A major difference between the laws is that GDPR is a transnational measure while CCPA is a state law. Generally, GDPR can be said to have a stronger effect because its regulatory intent goes further and has a global reach. However, both measures seek to give consumers more power over their data for the purpose of avoiding situations such as the scandalous Facebook and Cambridge Analytica affair, from which we have not yet heard the last word.

With the above in mind, there are four differences and one strong similarity between the two laws. Let’s get the similarity out of the way:

Data encryption

Both GDPR and CCPA mention data encryption in the context of liability reduction. Let’s say a search engine optimization firm based in Los Angeles with clients located in France and The Netherlands suffers a data breach. If the affected data was protected with encryption measures, the company could expect some regulatory relief from both Europe and California. The CCPA does not make encryption mandatory, and neither does GDPR, but the EU dedicated an entire article of the regulation to encryption recommendations.

But the differences are significant:

Understanding the rights of consumers

GDPR takes a highly individual approach to data privacy at the consumer level, while CCPA goes a step further by making household entities covered by the law. The GDPR is more encompassing in its definition of personal data because it mentions third-party providers such as marketing research firms that sell mailing lists, for example. The CCPA mostly focuses on data specific to individuals and not so much on third-party providers.

Monetary penalties

Data breaches and GDPR violations may result in financial penalties equivalent to four percent of the company’s annual revenue or approximately $20 million. In the case of CCPA violations, companies can expect a maximum of $7,500 per incident, but there is no limit on the number of violations that can be assessed.

In California, incidents are considered to start at the time data is breached. In Europe, they can begin with a determination of companies engaging in risky practices, an example being the aforementioned Google fine.

In an attempt to circumvent GDPR-lated geoblocking, many Europeans have resorted to various tactics to unblock websites, such as changing their DNS or using a VPN. These technologies enable visitors to access geo-restricted content, circumventing GDPR or CCPA restrictions. Notably, though, many of these services themselves violate GDPR data protection laws and have drawn scrutiny from European regulators.

Exemptions to the laws

The GDPR comprises a very large scope. Any business in any part of the world that processes data referring to EU individuals is expected to comply. GDPR does not exempt small businesses. A boutique digital marketing firm in the United States, for example, should be mindful of GDPR compliance if it works with European clients, employees, partners, vendors or even prospects.

As for the CCPA, businesses operating in California (don’t have to be physically located there) and generating $25 million or more in annual revenue are expected to comply. Moreover, companies that are dedicated to the sale of personal electronic records such as marketing lists also fall under the purview of the CCPA.

Enforcement and the future of data privacy

Analysts following these new laws predict that EU information commissioners will increase oversight and enforcement starting this year, but they will not make too many amendments to GDPR rules. In California, consumer privacy advocacy groups are already complaining that the CCPA does not go far enough, and they are pushing for California to set an example for other jurisdictions since the state is known to be a pioneer in technology innovation.

Final thoughts

In the end, business owners whose operations may be impacted by the CCPA should learn from their European counterparts and start taking a proactive approach as soon as possible. Companies with legacy technology systems are bound to find CCPA compliance to be challenging. And business owners who recently implemented GDPR compliance should not blindly trust that their systems will automatically cover all aspects of CCPA.

The bottom line is that right now is a good time to start evaluating compliance software solutions, starting with GDPR now and CCPA next year.


Opinions expressed in this article are those of the guest author and not necessarily Marketing Land. Staff authors are listed here.


About The Author

Sam Bocetta is a former security analyst for the DoD, having spent 30-plus years bolstering cyber defenses for the Navy. He is now semi-retired and educates the public about security and privacy technology. Much of his work involved penetration testing Navy ballistic systems. He analyzed networks looking for entry points, then created security-vulnerability assessments based on findings. He also helped plan, manage and execute sophisticated “ethical” hacking exercises to identify vulnerabilities and reduce the risk posture of enterprise systems.

Marketing Land – Internet Marketing News, Strategies & Tips

(6)