Federal data privacy legislation is currently wishful thinking in the United States. There’s a growing patchwork of state legislation, and with the enactment of the California Consumer Privacy Act (CCPA) on January 1, 2020, there’s mounting pressure for even more states to chime in with new legislation. 

These will potentially end up creating issues for email marketers that are trying to function within this maze of state-by-state regulation.  

The impact of the CCPA?

The CCPA requires disclosure from the marketer, when requested, detailing which parts of a consumer’s personal information might be shared with a third party, the category of the third party, and an explanation of the sharing of information. The CCPA uses an opt-out agreement whereby a business doesn’t need permission to collect personal information, but the consumer can ask to access it, opt-out of its sale, or ask for it to be deleted. With the CCPA, information is likely to be “bought” from consumers, rather than just merely shared, for the CCPA specifically authorizes “businesses to offer financial incentives for the collection of personal information.” 

In the event of a personal data breach, the CCPA also gives consumers the power to sue companies through the state attorney.  This is a game-changer, and it’s potentially expensive: For each consumer data file that’s been part of a breach, or sold without permission, or retained even when the consumer requests deletion, the minimum fine is $2500. That can escalate to $7500 for various reasons. Multiply that times the thousands or even millions of files often involved in a data breach, and you can imagine the costs.

Another wrinkle? The CCPA will be implemented by California, but will travel across state lines – it protects residents of California even when they’re out-of-state. Plus, companies dealing in their data don’t have to have a physical footprint in the Golden State to be subject to the law.

As this affects businesses that market to Californians but are located in other states, different systems will need to be set up in different states with differing guidelines. So in this case, one state’s legislation that’s intended to mitigate confusion only amplifies it, thus causing a cry to Congress to set up a national standard.

Will it affect email marketing?

Up until now when it comes to regulating electronic marketing in the US, emails are regulated by CAN-SPAM, with an opt-out requirement. That means websites can send commercial emails until the consumer decides to unsubscribe, which must be cost-free and easily navigable from the original commercial email. Text messaging is more tricky and involves electronic or written consent. 

Depending on the scale of the company and its marketing reach, its email marketing may or may not be directly affected by the CCPA legislation, but in time will probably indirectly be impacted in one way or another. 

More states are getting in on the act

Amplified and more ambitious, the state of New York is aiming to pass privacy legislation that will include the right for citizens to sue companies autonomously, so the big names in tech have voiced a refusal to work with the state of New York if its privacy act passes with its current terms.  One deviation from the CCPA? Small businesses aren’t big enough to be liable under the CCPA would have to abide by New York’s legislation, which specifies no minimum size.

The New York law is just one of many state regulations springing up across the country, with many others having enacted or contemplating new laws. Some are closer to the CCPA than others, creating an uneven data privacy compliance landscape.

Hidden costs of ensuring data privacy

As if that weren’t enough, according to the Information Technology & Innovation Foundation, privacy rules like the CCPA are not beneficial for the business and the consumer alike. This has to do with “hidden taxes” in costs paid for by the consumers, and a hindrance on innovation that affects both sides. The hidden tax results from companies paying Data Protection Officers and other staffers to ensure the quality and security of their data, costs that are passed along to consumers.

The costs of implementing data compliance within a company will put more pressure on the marketing department and email campaigns, too.  They may lose significant quantities of consumers through opt-outs, for instance, or find it risky to use third-party lists or outside vendors who may not be compliant. 

Another problem with state laws? They may be counterproductive by causing constitutional problems with the Dormant Commerce Clause, the First Amendment, and may in turn cause America to lose footing in the global marketplace. 

There’s also a fear American-style capitalism may be at stake with the emergence of regulations like the CCPA, though this breaks down along partisan lines, as usual. According to CNBC, Some Democrats like Sen. Dianne Feinstein (D.-Calif.) have said they won’t support a federal bill that ‘weakens’ California’s standards, while tech companies and some Republicans favor a national law that would override, and possibly ease, state requirements.”

How can email marketers cope?

There’s a six-month grace period after January 1 before CCPA enforcement measures are taken, but as we’ve shown, there’s a bigger issue at stake due to the lack of cohesive national regulation.  So what are a few basic measures email marketers should consider in dealing with the CCPA and other state data privacy laws, in light of this lack of a nationwide policy?

  • Map your data so you know where it is, where it’s coming from, and where it goes; analyzing this is essential to provisions under some laws regarding the consumer’s “right to be forgotten” and data deletion requests.
  • Make sure you thoroughly audit all your data; you probably have more information than you realize about people, like IP addresses, web form locations, opt-in locations, and more, all of which is behavioral data that might make them subject to these laws. 
  • Review third-party relationships with any of your own contractors or partners who might have access to consumer data; if they’re in violation of a state law, you’re exposed, too.
  • Limit what you collect about consumers; marketers can be guilty of gathering more data points than they’ll ever possibly use about people. Instead, collect only the minimum necessary for use right now or in the very near future. If you want to assemble an email list, don’t ask for snail mail addresses or phone numbers, for instance. 
  • Ask permission from the start from consumers; the new laws may demand you can show proof of permission from each subscriber before you send them anything, so begin obtaining consent at the point of acquisition, and make it explicit to consumers exactly what kinds of emails and messages they’ll be receiving after their opt-in.
  • Set up an internal data privacy review initiative that goes beyond just the marketing department, because they’re not the only ones who have to reckon with CCPA, GDPR, CASL compliance. Sales, Legal, IT and others need to sit at that table and take the right measures together.

~ Casey