Retention.com for B2B is here! Try it out today
California took a big step this year, passing the first consumer privacy act in the country. It’s the only state to give its residents similar protections to what you’d find in the General Data Protection Regulation (GDPR). The Act allows them to see how their information is being used and gives them more control over the sharing of their data.
The California Consumer Privacy Act (CCPA) of 2018, Assembly Bill No. 375, went into effect in January 2020. That has left many brands wondering what that means for them and their consumer base. Not only do the companies want to ensure they are being compliant, but they also want to do it quickly.
To help you with that, here’s what we will cover in this guide:
Let’s start with the basics of the Act — what it is and isn’t — and how it could affect your brand.
As the name suggests, this bill is focused on protecting consumer privacy. That includes how companies use and/or sell their personal information and data, giving consumers more control over how that’s handled.
The bill grants consumers the right to:
The main point of the bill is to give any California consumer the right to demand to see the information a company has saved on them. It also allows consumers to see a full list of the third parties that data is shared with.
Here’s the timeline for the California Consumer Privacy Act:
We have passed that grace period, so companies need to get on the fast track for becoming compliant.
The CCPA impacts all companies that serve California residents and have at least $25 million in annual revenue. It also affects companies of any size that have personal data on at least 50,000 people — or that collect more than half of their revenues from the sale of personal data. Your brand doesn’t actually have to be based in California to be included in this bill. It only matters if you reach people who live in the state and also fall in a covered category.
The CCPA doesn’t apply to:
If any of the criteria above fits your company, you’ll need to take steps to become compliant now — because this law is already being enforced.
The bill describes personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to a specific consumer or household. Here’s the list shared in the bill of what all that includes:
Don’t let that list overwhelm you. Here are a few specific examples pulled from that of what is considered personal information:
If you’re using any of that information and fit the criteria for businesses included in this bill, you will need to become compliant right away if you aren’t already.
You’ve probably heard of the EU’s GDPR by now. The CCPA was put into place to protect consumer information, so in that respect, it’s similar to the GDPR. Here are a few other similarities the two share:
However, that’s about where the similarities end. The GDPR regulates what disclosures companies can make to data subjects. It also oversees the procedures for data breach notifications, data security implementation, and more. It also includes additional rights for the data subjects, like the right to rectification, be forgotten, and not to be a subject of a decision based on automated processing.
https://www.youtube.com/watch?v=agdv3Z4Ay40
On the other hand, the CCPA is more limited and mainly focuses on consumer privacy rights and disclosures made to consumers. While it is less comprehensive than the GDPR, that doesn’t mean it has a narrow scope or can be ignored. This Act still requires companies to make some major changes to become compliant.
Another major difference between the two is how they approach opt-ins and opt-outs. With the GDPR, users must opt-in to give their consent. However, with the CCPA, companies can simply include an opt-out (Unsubscribe) option in their messages — instead of having to earn the opt-in to begin with. Businesses can’t sell personal information after they receive an opt-out request unless the consumer gives you authorization allowing you to do so again. Also, companies have to wait at least 12 months before asking a consumer to opt back into the sale of their personal information.
Remember: Being GDPR-compliant doesn’t mean being CCPA-compliant, or vice versa.
https://www.youtube.com/watch?v=KZnLFBjr91g
The California Consumer Privacy Act is light on requirements for security and breach response compared to the GDPR. However, the Act does give fines (more on that below) for companies that expose consumer data because of a security lapse or breach. It also allows courts to offer “injunctive or declaratory relief,” or, “any other relief the court deems proper.”
Companies aren’t required to report breaches under the Act, requiring consumers to file complaints before fines are possible. So, the best course of action to improve security is to know what data the CCPA defines as private and take steps to secure that.
Unfortunately, there isn’t a magical switch that you can flip to ensure all of your consumer data is compliant with the CCPA. So, we’ve put together this overview to show you how to comply from start to finish.
In addition to covering your bases with the collected consumer data, there are other actions companies are required to take by the Act. Businesses must make two or more designated methods available to consumers that allow them to submit requests for information. That includes, at minimum, a toll-free telephone number and a website, if the company has one.
Companies must also disclose and deliver the required information to the consumer free of charge within 45 days of receiving a verifiable request from the consumer. You can extend that time period by an additional 45 days, when reasonably necessary. But, you must provide the consumer with a notice within the first 45-day period. You can’t require a consumer to create an account with your business to make a verifiable request.
Staying CCPA-compliant is a continuous process, just like it is to add new consumers to your database.
[And a side note for Retention.com’s customers: As long as you make the appropriate privacy policy adjustments as we’ve covered here, Retention.com is CCPA compliant.]
https://www.youtube.com/watch?v=2qxyErp7fyQ
If you receive a consumer request, there are a few things you will need to do. The specifics will depend on their request, like if they want you to disclose the information on their data vs. they want to be deleted.
But generally, there are a few steps you can start with after receiving a request:
Again, this is why it’s important to properly classify consumer data from the start. Yes, it takes extra effort at the beginning, but it will save you greatly in the future if/when you receive requests.
Companies will have 30 days to comply with the Act once regulators notify them of a violation. From there, if they don’t resolve the issue, the company can face a fine of up to $7,500 per record. Unintentional violations are subject to fines of up to $2,500 per violation.
Also, companies that are affected by a data breach because of unreasonable information security can be ordered to pay fines between $100 to $750 per California resident involved with the incident — or damages, whichever is greater — in a civil class-action lawsuit. Remember that with statutory damages, the consumer doesn’t have to prove they incurred an actual financial loss. They just have to show the company violated the law.
Companies who aren’t compliant are risking significant fines when you factor in each impacted customer and/or non-compliant action.
With little leadership on the matter on the federal level, it’s not much of a surprise that California created its own privacy law. More states are sure to take note of what the Golden State is doing. So, even if this Act doesn’t affect your business now, something similar might soon.
Companies need to make smart decisions about how they handle their data security and privacy practices. If the past few years have taught us anything, it’s shown companies they should constantly monitor their systems for possible threats.
While this bill might not be as much of a burden on security as the EU’s GDPR, at least in some areas, things can always change. The true effects of the CCPA might not be seen for years. But, it’s clear consumer privacy will continue to be a hot topic across the country and beyond.
This is the first question we get when talking to any Enterprise customer, so I decided to create a blog post about it.
For the best and most comprehensive results, use both BounceX and Retention.com simultaneously.
#1: Retention.com gets you contacts who are NOT already on your list.
This is the most important difference between the two. And yes, it’s legal to email them in the USA.
BounceX’s matching technology is fantastic, but at the end of the day, you’re sending more emails to people who are already on your list.
Retention.com is a source of new, fresh leads using Email-Based Retargeting.
It’s legal, and CAN-SPAM and CCPA compliant.
#2: Retention.com also gives you postal records. You can trigger automated postcards from website visits.
BounceX isn’t going to give you postal records.
This is a major difference.
Direct mail is a substantially less crowded channel than it used to be, and we can pass you hyper-targeted lists of website visitors by landing page.
#3: Retention.com is affordable, and easy to get started.
Pricing starts at around 25¢ per record.
You pay for the record once, and can market to them until the customer opts-out.
You can get our code on your website and integrated with your ESP in under five minutes.
BounceX...not so much.
#4: Retention.com only gives you contact records once a day.
BounceX has the advantage here, as a real-time triggered-email solution.
Retention.com sends contact records to your ESP or CRM once a day, at around 11 am EST.
We recommend you set up an automation in your ESP that nurtures and builds trust with these website visitors, and gently nudges them down your marketing funnel.
It’s different than mailing someone on your list.
#5: Retention.com is self-serve.
BounceX is a full-service marketing agency. They’re going to design and execute all of the campaigns for you.
Retention.com is a lightweight SaaS application that identifies people on your website, then sends the contact records to your ESP, CRM, or Direct Mail automation system for you to do the marketing.
#6: Retention.com is CAN-SPAM compliant, but NOT GDPR compliant (but our database of contact records is only from the US)
The second most frequently-asked question we get is, “Is this legal?”
The answer is yes. Click through to our legal section. Retention.com is US CAN-SPAM and CCPA compliant, but it’s not GDPR compliant.
BounceX is.
Retention.com gets you contacts who are NOT already on your list. BounceX sends more emails to people you’ve already been emailing.
Retention.com broadens your audience by sending you opted-in contact information of people that visited your website. With postal records.
Questions? Let me know: adam[at]retention.com
