California Consumer Protection Act: Five Things Market Researchers Need to Know

Earlier in the year, there was a ton of focus put on GDPR, the European Union’s new consumer data privacy law that went into effect earlier this year, and now a similar type of law is going to commence on January 1^st of 2020.  The new California Consumer Protection Act (CCPA) is expected to go into effect less than 2 months from now.  Some have said this is the American version of GDPR. 

Since we are so close to it being enforceable, here are the five things you need to know:

1. CCPA allows consumers broad access to the information companies collect on them.

The new law allows consumers to request and see all the information an organization has collected on them, including a full list of any third-party organizations the information was shared with (or sold to).

What remains to be seen is how this applies to survey data. Can they request segmentation classifications they belong to?  Will they be allowed to see what validation methods were utilized?  What about information pertaining to their zip code? 

2. CCPA has a broad definition of “Personal/Sensitive Information”.

The CCPA considers sensitive information to be fairly broad compared to GDPR.  The information covered includes:

• Name
• Alias
• Postal Address
• Unique personal identifiers (Created by the company)
• Online identifiers:
  • IP Address
  • Email address
  • Account name
• SSN
• DL Number
• Passport number
• Similar government identifiers
• Characteristics of protected classes under California or federal law
• Internet activity
  • Browsing history
  • Search history
  • Info regarding website interaction, application, or advertisement
• Geolocation data
• Audio, electronic, visual, thermal, olfactory, or similar information
• Professional or employment-related information
• Education information, defined as information that is not publicly available, as well as personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
• Any inferences drawn from of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

3. You’ll have to comply, even though your organization isn’t in California.

While this is California law, it does impact all organizations.  According to the law, an organization falls under the CCPA enforcement if it meets any one of the following requirements:

• Serve California residents
• Have at least $25 million in annual revenue
• Have personal data on at least 50,000 people
• Collect half of your total revenue from the sale of personal data

With this being said, pretty much everyone in the market research industry or at least any quantitative research provider is going to need to be compliant.

4. Enforcement can be two-pronged.

CCPA enforcement has the potential to be two-pronged.  The first enforcement option is the California Attorney General to file charges and fine a company $7,500 per violation.  If the Attorney General declines to fine the offending organization, consumers have the option to sue the organization for $100 to $750 per violation. While marketing research companies will not be the initial targets of fines, it is important to comply as soon as possible to avoid these fines.

5. You need to have your processes in place by January 1, 2020.

Part of the CCPA indicates that when a consumer requests their data from an organization, the organization is required to provide 12 months of data within 45 days of the request.  This means that your process to pull consumer data from the myriad of systems that houses it, and how to pull from any third parties, needs to be in place by the start of next year. 

We are working to ensure we are compliant with CCPA and other privacy legislation in other states. If you want more details on the CCPA, you can read the full bill here.

The Insights Association has also released a CCPA checklist, you can review it on their website. (Note: You will have to be an Insights Association member to read it.)