Attention marketers: in 12 weeks, the CCPA will be the national data privacy standard. Here’s why.

It’s called the California Consumer Privacy Act, but the CCPA will effectively be the US national data privacy standard for consumer business and brands when it takes effect on January 1, 2020. (Although enforcement by the California attorney general has been delayed until June 2020, individual and class-action law suits may begin immediately.) As of this writing, that’s precisely 12 weeks, or no more than 55 working days, allowing for the holidays. Given how many companies were radically unprepared for the GDPR given two years for preparation, this implies that lots of companies need to do lots of work lots of fast.

There are three interrelated and inescapable reasons why CCPA-compliant data practices will quickly become the standard across the US, even for companies that don’t do business in California:

  1. The massive California economy: California is the fifth largest economy in the world, after only the US, China, Japan, and Germany. (In 2018 it surpassed the UK, which has over 50% more residents.) It is the home of 40 million people, meaning that one in eight US residents lives in California. Few companies of any substance are going to ignore the California market, or walk away from it on account of the CCPA.
  2. The identification conundrum: Unlike the GDPR, which protects the personal data of anyone physically present in the EU, the CCPA applies to California residents – which is defined, in the first instance, as “every individual who is in the state for other than a temporary or transitory purpose.” That means that any business that intends to apply CCPA rights and protections only to California residents must have an accurate and reliable means of identifying them and sorting them out for special treatment. On the web, you might try using IP addresses – except a) that approach is defeated by the increasingly popular use of virtual private networks (VPNs) and privacy-based browsers such as Brave and b) the CCPA also protects California residents who are outside of the state on a “temporary or transitory” basis. Moreover, businesses would need to be able to identify California residents across every channel or interaction format. Short of asking every consumer if they are Californian – and counting on an accurate answer – the practical solution is to apply the CCPA requirements to all consumer interactions.
  3. The Californication of data practices: Even if you could devise a magical solution to the identification conundrum, it makes little business sense to create and maintain a separate and distinct data processing system – technologies, processes, and training – for California residents. (Let alone distinct systems for the dozens of countries, US states, and municipalities that have recently instituted news laws on personal data.) For the sake of efficiency, productivity, data security – and sanity — companies should operate from a privacy high ground – a single data privacy approach that meets or exceeds all applicable requirements. (Just as most automobile manufactures eventually built all cars for the US market to meet California’s more rigorous emission standards – hence, Californication.)

From a regulatory perspective, the CCPA is the proper template on which to build your data practices (combined with the GDPR, if you do business in Europe). But as I never tire of saying, the real touchstone for data privacy is consumers’ demands and expectations, not (only) regulatory requirements.

Contact TCA if you want to discuss an action plan for CCPA.

*Photo by Scotty Morris from Pexels

Tim Walters, Ph.D.
Tim is a vice president and the privacy lead at The Content Advisory, as well as a member of TechGDPR, and the founder of Zero Theory Solutions. His writing, advising, and public speaking aims to help both enterprises and solution providers come to terms with customer experience management (CXM) – while also respecting the privacy and personal data of consumers. For him, this means understanding the fundamental concepts – experience, customer journeys, the jobs to be done – and then designing and implementing the engagement strategies that deliver mutual benefit for both buyers and sellers. His publications include "Promise and Permission: The Role of Trust in the New Data Economy," and "The Burdens and Benefits of the GDPR." Previously, he was a Senior Analyst and Advisor at Forrester Research, the director of international marketing and strategy for FatWire Software, and a professor at the University of Rochester and New York University.
Tim Walters, Ph.D. on LinkedinTim Walters, Ph.D. on Twitter


Author: Tim Walters, Ph.D.
Tim is a vice president and the privacy lead at The Content Advisory, as well as a member of TechGDPR, and the founder of Zero Theory Solutions. His writing, advising, and public speaking aims to help both enterprises and solution providers come to terms with customer experience management (CXM) – while also respecting the privacy and personal data of consumers. For him, this means understanding the fundamental concepts – experience, customer journeys, the jobs to be done – and then designing and implementing the engagement strategies that deliver mutual benefit for both buyers and sellers. His publications include "Promise and Permission: The Role of Trust in the New Data Economy," and "The Burdens and Benefits of the GDPR." Previously, he was a Senior Analyst and Advisor at Forrester Research, the director of international marketing and strategy for FatWire Software, and a professor at the University of Rochester and New York University.