Why Marketers Should Be Concerned About New Data Privacy Laws
In January 2020, the California Consumer Privacy Act of 2018 (CCPA) goes into effect. Despite having more than two years to prepare for the arrival of the CCPA, about 50% of businesses aren’t ready.
Some executives may assume that the CCPA doesn’t apply to their business because it’s a small firm, or it’s not located in California. But that’s a potentially disastrous assumption, especially for marketers that base their strategies on consumer demographics and online behavior.
What the CCPA Means for Businesses
Similar to the European General Data Protection Regulation ( GDPR) that took effect in May 2018, the CCPA applies to businesses collecting data on California residents, even if the business isn’t located in that state.
An organization that does business in California and meets the CCPA’s definition of a "business" must comply with the CCPA if it meets any of the following criteria:
Has annual gross revenues in excess of $25 million
Derives 50 percent or more of its annual revenues from selling consumers’ personal information
Alone or in combination, shares, exchanges, receives, sells, or buys, the personal information of 50,000 or more consumers, households, or devices
(Note the text “alone or in combination” – that’s important for marketers, because it could create liability for agencies that are collecting and analyzing data for clients that have California subscribers, customers, or employees).
The fines under the CCPA are $2,500 per violation, or $7,500 per each intentional violation. That may not seem like a lot of money, but if you have 15,000 people in your database, an (unintentional) data breach could become a $37.5 million-dollar problem. The CCPA also gives consumers the ability to sue a company that’s responsible for the breach of their personal information.
In the third quarter of 2019, Facebook’s average revenue per user (APRU) was $7.26. That’s money Facebook earns by selling user data to advertisers and marketers – and that’s also why Facebook doesn’t need to charge user fees.
Wyden’s law would allow Facebook to continue selling data for users of its free platform. But it would also require Facebook to create another interface that protects user data privacy in exchange for an annual fee, not to exceed Facebook’s current APRU – approximately $29 per year. The law would prohibit Facebook from charging that fee for any user that qualifies for the federal Lifeline program (which lowers costs for communications technology).
Going After the Major Players
In July 2019, the Federal Trade Commission fined Facebook $5 billion for user privacy breaches. That’s the biggest fine the FTC has ever imposed for privacy violations. But for Facebook – a company that earned $16.91 billion in the fourth quarter of 2018 – the fine wasn’t a burden. U.S. Sen. Ron Wyden, D-Ore., thinks the penalties should be much higher.
On Oct. 17, Wyden announced his new legislation – the Mind Your Own Business Act of 2019 – which would apply to Facebook and other large tech companies. Under this law, company executives could face 10 to 20 years in prison for lying about data privacy to regulators.
This act would empower the FTC to create a national “Do Not Track” system that would prohibit companies from marketing to people based on their personal information. Companies that violate provisions of the law would be required to pay a fine equal to 4% of their annual revenue, for a first-time offense.
Wyden’s law would apply to tech companies that have an average annual income of $50 million and possess the data of 1 million or more people or consumer devices. It would also apply to data brokers. The impact of this law, however, is almost certain to affect marketers – from large agencies to boutique operations – if consumers exercise their enhanced rights to data privacy.
As business leaders prepare for CCPA, they may want to take a look at the latest version of that legislation – The California Privacy Rights and Enforcement Act of 2020 (CalPREA), which will be on California’s November voting ballot.
CalPREA is essentially an add-on to the CCPA. It would enhance protections for personal data such as driver’s license and credit card numbers, and it would add new requirements for marketing and geolocation. If voters approve the ballot initiative in November, the law would be effective in January 2021.
While the original CCPA is effective as of Jan. 1, 2020, enforcement won’t begin until July. In July 2020, the California attorney general’s office may charge companies with CCPA violations dating back to Jan. 1, 2020. The law also contains a 12-month “look-back” provision, meaning companies could be held accountable for CCPA violations that occurred in or after January 2019.
The push for data privacy protection is gaining momentum. In 2019, at least 25 states had new consumer privacy-related bills on their agenda. Every company should be scrutinizing their own processes for collecting, managing, and protecting data.
Read the CCPA text here:
Read the “Mind Your Own Business” text here: https://www.wyden.senate.gov/imo/media/doc/Mind%20Your%20Own%20Business%20Act%20of%202019%20Bill%20Text.pdf