The CCPA: Time To Freak Out Again!

Good morning everyone, are you ready to completely freak out again?


Well, too bad because boy howdy, do I have news for you!

Remember the GDPR? It’s back this time and 100% ‘Murican and it’s called the CCPA!

That’s right! Just like freedom fries and dumping French wine down the sewer back in the early 2000s, America now has its own version of data privacy laws to make every marketer have to get ready all over again – that is if they weren’t paying close attention to the GPDR.

Oh, and to make it just that much better, just like in the early stages of the GDPR, for some reason almost NO ONE IS TALKING ABOUT THIS.

Yeah, SEO twitter right now is all over this BERT thing Google is doing – yes, that’s good to know but BERT ain’t gonna make your company shutter the business once you get smacked with civil suits from every direction because you’re collecting IP addresses from Cali residents and not telling them.

Let’s dive into this new panic inducing thing that almost no one is talking about but first, just like with my panic inducing GDPR posts, I’ll preface this by saying the following:


Now that that’s out of the way, let’s get into it.

So What IS the CCPA?

CCPA stands for The California Consumer Privacy Act. I strongly suggest you read it in its entirety.

Simply put, this is something that is going to change how you do business if you do business with any residents from the state of California, whether they’re currently residing in that state or not. Yup, in that way, it functions just like the GPDR and applies to residents of the state whether in or out of the state.

Basically, it’s a consumer privacy law that’s supposed to make protections and data privacy stronger for all California residents.

Does The CCPA Effect Me?

By and large, the answer to this question is yes. There are stipulations on certain types of businesses that are NOT effected by the CCPA but if you’re about 95% of businesses with a website out there, you’re going to be effected.

Let’s take a quick look at who needs to tighten up their data privacy. In fact, it’s SO specific, im going to link you to an official document about who this applies to. You’ll find it here. Go ahead, read that and come back.

You see what they did there?

So you don’t make your money selling data. Great.

So you don’t have more than 25 million in profits. Great.

You’re good right?


See the part about how if you collect personally identifiable information from a California resident, it applies? Well, for this purpose, it includes IP addresses, which most websites collect by default. So if you are getting about 150 California residents per day coming to your site within the course of a year – whether its through social media, Google, direct website visits, anything, surprise! You are subject to the CCPA!

This part actually a bit tricky – it says, ‘receives for commercial purposes’, this could mean A LOT of things. I mean, does it mean ‘with the intent to sell this information’ or could it mean to ‘retarget based on this information’?

Does your brain hurt yet? Well, sorry, I’ve got more information for those of us who thought they were safe because, like my day job, are in the non-profit space and we heard that this doesn’t apply to non-profits. Well, buddy, that’s also true and not true.

Check out this little wonder for non-profits.

Yup, we thought we were good too, until we saw the part about either being controlled by or controlling a for-profit, which we do. Guess what, we’re subject to the CCPA!

We literally met no other criteria except the number of California residents coming to our site (and thusly the IP address thing) and the controlled or controlling a for-profit and boom. We qualify. HUZZAH!

So, if you’re a non-profit with the same branding as, owned by, or in a joint venture with a for-profit that meets these criteria, which would probably be all of them if they have the money to operate a non-profit, you’re going to want to look into this.

Yikes! Ok, So What Do We Do?

Well, if your site is already prepared and compliant with the GDPR, you might not have too much more to do. You’ve already got solid data protections in place, cookie notices and things like that but there is a bit of work to be fully in compliance.

One of the biggest things I’ve noticed is that the CCPA will require an opt-in/opt-out box regarding the selling of third-party data when people reach your website. This will most likely be extremely inconvenient and take up real estate on your page but it looks like it has to be done. This part falls into the ‘right to say no’ area of the CCPA law. What this will actually look like will most likely be an actual checkbox saying something to the effect of ‘I do not consent to the selling or sharing of my data with third-party companies’ but as of time of writing, I’m not 100% on it so don’t quote me.

Honestly, with that option available on the website, I literally don’t know one human being on the planet from any state or country who would go, ‘OH BOY! YES! PLEASE DO SHARE AND SELL MY DATA WITH EVERYONE!!’ but you know, it is what it is. You really shouldn’t be doing that in the first place.

Also, don’t forget, the word ‘selling’ in terms of the CCPA includes renting, leasing, giving or anything else you can possibly think of with someone’s data so do yourself a favor and just don’t do it.

You need to update your privacy policies, business practices, inventories and procedures – and yes, you probably will be sending and receiving yet another massive torrent of ‘we’ve updated our privacy policy!’ emails just like you did when the GDPR hit.

Another thing to bear in mind is that you’ll also need to at least two methods of allowing people to submit requests to get all their info out of your systems, so have fun setting that up.

This Is Too Hard! Can’t I Just NOT Sell To California Residents?

Sorry, lazy businesspeople who would prefer to just keep a’spammin’ and a’sellin’, that’s not an option either.

There’s a clause in the CCPA that states you cannot legally discriminate against a California resident for exercising these rights. They are entitled to equal services and no, you can’t pass the compliance costs along to them because they also have a clause in there demanding equal prices as well.

So to everyone who thought they’d just pull a GDPR lazy compliance by just not selling to people in Cali like how you stopped selling to people in the EU, that ain’t gonna work.

The Upside

Ok, so YES this is a lot of work but it’s not as bad as you might think. Again, if you properly got GDPR compliant, then you have a lot less work to do and if you didn’t then this will give you a great reason to work on both. Also, other states are working on their own privacy laws which will probably be pretty similar to this one so you might as well get what you can get done now before everyone hits you from all sides.

At the end of the day, this is a good thing for all of us. Less spam, less trash and more data security is a winning scenario so let’s have less complaining and more doing. If nothing else, this is going to give you a great opportunity to tighten up your digital marketing practices.

If you’re still being janky and buying email lists, those wells are going to dry up big time, forcing you to build your own opted-in lists. If your company is being janky and just randomly giving people’s data away or selling it and not telling people, it’s going to force you to get a better business model – or get sued out of business, whichever comes first.

Moreover, this is going to force your marketing team to use practices that will inspire more trust in your business, stop relying on garbage list vendors and third party data and build real, solution centered opportunities that will end up being better for everyone.

Who Cares? I Got Away With Skirting GDPR, I’ll Get Away This Time!

Yeah, no you won’t.

I’m going to leave you with one sentence that is the telling difference between the GDPR and the CCPA and why everyone out there thinking they don’t have to pay attention to this is wrong.

Completely and totally wrong.

The GDPR relies on the governning body of the EU for enforcement – the CCPA allows random people to sue you for damages.

Read it, back it up and read it again.

That’s right, everyone thinking they don’t have to care! The CCPA will let Cali Joe and Jane SUE YOUR ASS if you violate this law – and then after you lose that lawsuit, THEN most likely the state of California will also come after you for violating that law because then its brought to their attention.

You want to play that game?

You think you’re going to spam people or sell their data and people who are now allowed and encouraged to sue you for some money from that won’t do it?

Yup. Cash damages are on the table to every PERSON you do this to – not just money going to a faceless and probably too busy governing board. I DARE you to play with this one.

Yeah, I thought so.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s