
Wayin & The California Consumer Privacy Act

Richard Jones gdpr, Zero-Party Data

On January 1st, 2020, the CCPA (California Consumer Privacy Act) comes into effect, leaving businesses a little over half a year to make the necessary changes, enshrined in law, to the way in which they operate and manage risk when it comes to consumer data they use, collect, process and share.

The State Of Play

Although partial data protection regulations exist, there is no all-encompassing law regulating the acquisition, storage, or use of personal data in the U.S. In general terms, the right to privacy, to be forgotten, or to know what data is stored about oneself as a consumer, is not a fundamental right protected by law.

However, since the enactment of the GDPR (General Data Protection Regulation) in Europe and previous legislation east of the Atlantic with more teeth than its U.S. counterparts, businesses stateside have adopted principles from the EU-US Privacy Shield to enable them to more easily receive personal data from EU entities, while adhering to the rights of EU citizens.

Why The Change?

In light of the Cambridge Analytica scandal and other high-profile data breaches, U.S. consumers are more discerning than ever when it comes to their personal data.

Current legislation, an amalgam of various state laws, was adopted long before cloud-based technology for storage, use and disclosure of personal data, or the rise of social networks and other services that collect and process personal data in huge volumes.

What’s more, the European Union is the largest trading partner of the U.S. for both imports and exports, so logic dictates harmonizing, as much as possible, data privacy regulations for future frictionless trade.

The CCPA will modernize the law, making it clearer where personal data is located, by whom it is being processed and who is accountable for processing it. Although this will only apply to businesses that collect personal information from California residents, whether the business itself is domiciled there or not, it is expected that the law will be embraced in most, if not all, of the other 49 states.

Differences Between CCPA & GDPR

Businesses whose data protection practices are already grounded in an EU perspective will not only have a head start when it comes to getting ready for the CCPA, but will also notice strong similarities to the GDPR.

However, there are clear differences worth noting:

  • The CCPA protects data that can be linked to a particular household, not just an individual as the GDPR does
  • The GDPR covers all organizations that control or process data. The CCPA meanwhile has restricted its applicability to for-profit companies that have an annual gross revenue of over $25 million, and buy, receive, sell, or share data for commercial purposes
  • Furthermore, this data must belong to 50,000 or more consumers and derive 50% or more of the organization’s annual revenue for it to be applicable
  • The CCPA requires businesses to disclose data sales and activities pertaining to data processing in the last 12 months
  • The GDPR requires organizations to get prior consent from data subjects for data processing and third-party access to their data, whereas the CCPA allows data subjects to opt out of the sale of their data and requires businesses to have a visible link at the top of their homepage for this purpose
  • The regulatory penalty for non-compliance with the CCPA can be up to $7,500 per violation, while liability to an individual consumer is $750 per incident or actual damages, whichever is greater. Non-compliance with the GDPR, by contrast, could lead to fines of up to €20m or 4% of a company’s global annual turnover

What Do You Need To Know?

The CCPA will hand greater control of personal data back into the hands of the individual, allowing the individual a number of enhanced rights including access to all of their personal data, the ability to withdraw consent and the right to be forgotten.

It also allows consumers to stop the sale of their data to third-parties and empowers them with grievance rights if these laws are not upheld.

The law applies not only to businesses in California, but to any organization holding or transporting data relating to persons domiciled in California. It therefore has the potential to impact any business, in any country.

Non-compliance penalties could lead to fines up to $7,500 per violation, while liability to an individual consumer is $750 per incident or actual damages, whichever is greater.

Benefits Of The CCPA For Your Business

As the enforcement of the CCPA edges ever closer, marketers will need to limit campaigns derived from third-party data sets which could see them fall foul of the law.

But rather than ringing the death knell for personalization marketing, the CCPA is an opportunity for marketers to rebuild trust, improve transparency, clear out stale data and deliver an altogether better experience for the consumer.

It is possible for marketers to collect data that is willfully shared directly with them by the consumer. This is zero-party data.

This is a class of data that a customer intentionally and proactively shares with a brand. It can include purchase intentions, personal context and how the individual wants the brand to recognize them. In essence, it is not what they’ve done in the past, but what they intend to do in the future.

Zero-party data allows brands to build direct relationships with consumers, and in turn, better personalize their marketing efforts, services, offers and product recommendations. As it comes directly from the consumer, there are no intermediaries, no guesswork.

“Zero-party data is that which a consumer intentionally and explicitly shares with your company, and it is gold.” – Fatemeh Khatibloo, Principal Analyst, Forrester

To learn more on how the CCPA can help marketers improve transparency, repair trust and build more meaningful connections with consumers, watch my interview with Forrester’s Principal Analyst, Fatemeh Khatibloo.

In A Nutshell

If you have not already acted, now is the time, as you will likely need to make changes to business processes and policies, introduce new roles and reporting procedures, and modify the way you engage with customers, and collect and process their personal data.


Wayin has an in-house data protection specialist to ensure that we meet the requirements for CCPA both in terms of personal data we process as part of our business as well as in our role as a data processor on behalf of our customers. With a European heritage, our practices have always put data protection first. We think that’s the standard and are happy to set it.


The Rise Of The Zero-Party Data Economy

Download our latest white paper to learn how to collect compliant data ahead of the enforcement of the CCPA.