UPDATE (Nov 5th): On Election Day 2020, California voters passed Prop. 24, the California Privacy Rights and Enforcement Act (CPRA). This builds on the consumer rights established in 2018 by the California Consumer Privacy Act (CCPA), which we describe in our original post.

CPRA won’t take effect until Jan. 1, 2023, though it applies to data collected starting Jan. 1, 2022. We’re monitoring this new law closely and will provide more details as they come, but for now, these are the key things ecommerce businesses should know.

Changing who’s affected

CCPA: Any business that “buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices,” OR that derives 50% or more of its annual revenues from selling consumers’ information.

CPRA: Any business that “buys, sells, or shares the personal information of 100,000 or more consumers or households” OR that derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Perhaps the most notable change here is the removal of ‘for commercial purposes’—now, even if you’re not profiting from the use of data, the law will apply to you. CPRA also raises the applicability threshold from 50,000 to 100,000 (but counts only consumers and households, not devices), and adds data sharing as well as selling to the law. That’s because many companies claimed they weren’t selling data, they were just sharing it with vendors in order to serve ads. CPRA explicitly includes cross-context behavioral advertising in its definition of data sharing.

Closing the “business purpose” loophole

CCPA includes exceptions for consumer data used for “a business purpose” by “service providers.” This was intended to keep online transactions easy while reining in targeted ads, but Big Tech simply argued that targeted advertising counted as a “service,” and brands argued that it constituted “a business purpose.” CPRA eliminates the term “service providers” and states that targeted advertising is not a business purpose under the law.

Defining sensitive personal information

In addition to the usual suspects (Social Security numbers, login details, race/ethnicity, sexual orientation, etc.), the CPRA includes “precise geolocation” as sensitive personal information subject to the new regulation.

Protection for loyalty programs

CCPA took a hard line on retaliation: If a consumer opts out of data sharing, the business cannot charge them higher prices or provide lesser service. CPRA cracks this open in two ways. First, it specifies that loyalty clubs or rewards programs that use shoppers’ information to offer perks are not prohibited. Second, it allows businesses to charge people different prices (or to provide different quality goods and services) based on their privacy choices, “if that difference is reasonably related to the value provided to the business by the consumer’s data.” Of course, how that value will be calculated is anyone’s guess.

Why California's new privacy law is an opportunity to build trust and improve consumer experiences

Amid headlines about data breaches, hacks and security threats, Americans are more pessimistic than ever about how their data is used—and feeling more resigned to a world with diminished privacy protections. According to a recent Pew study, 62% of Americans believe it’s “not possible” to go about daily life without having their personal data collected by companies.

As strategists, we rely on data to develop and refine our ideas, and we encourage our clients to do the same. We believe that smart data practices can result in better marketing, better service, better experiences and better communication between brands and consumers. But none of this works unless you’ve earned your customers’ trust, and if customers don’t trust you with their data, ultimately, they don’t trust you.

On January 1, 2020, the California Consumer Privacy Act (CCPA) will take effect. Created in response to concerns about how consumer data is gathered and used, CCPA is the first legislation of its kind in the U.S. Even though it’s a state law that covers California residents only, CCPA will impact businesses far beyond the Golden State—and experts say it’s just a matter of time before more states pass similar legislation, or band together to push for federal consumer privacy laws.

Yes, new regulations present compliance challenges. We suggest looking at CCPA from a different perspective: It’s an opportunity to audit and improve your data policies and the ways in which you communicate these policies to your customers.

So gather your legal, IT and marketing teams, and let’s walk through CCPA 101.

Does CCPA affect me?

California’s new law applies to any for-profit entity that collects, shares or sells California consumers’ personal data and meets any one of the following criteria: