There is a lot happening in the world of data compliance.
Being a content-centric lead generation platform for B2B marketers, my team and I are responsible for capturing, filtering, scrubbing, and dynamically fulfilling millions of fully-permissioned data-points on a daily basis. As a result, we go to great lengths to keep ourselves up-to-date on every legislative matter surrounding data privacy and its potential impact.
Before we continue, let’s establish one thing: I’m not a lawyer—#ImADataMarketer.
Now that I’ve disclosed this, let’s talk about data compliance.
As I’m sure you can imagine, data compliance in 2019 is remarkably complex. So to simplify life for ourselves just a bit, I’m going to focus on the newest data compliance subject in the U.S.: CCPA.
What is CCPA?
CCPA stands for the California Consumer Privacy Act. The act created new consumer rights in relation to how businesses collect, access, delete and share the personal information of California residents. Signed into law on June 2018, CCPA is currently the most comprehensive privacy law in the U.S.
Companies should expect California’s legislators to continue to tweak and update the act until its enforcement date. While CCPA goes into effect on January 1, 2020, a six-month grace period gives businesses until July 1, 2020 to become compliant.
The 3 Primary Rights of CCPA
There are three specific protections CCPA provides for consumers in California:
The Right to Access Information
Consumers will have the right to see where their data has been used and who’s acquired it. This information is to be delivered in a straightforward, simple manner in layman’s terms. These requests afford consumers to know:
- What information was collected and sold
- Where the information was collected, with whom it was shared, and to whom it was sold
- Why it was collected
The Right to Deletion
Consumers will have the ability to ask that companies delete the personal information it has collected about them at any time.
3. The Right to Opt-out
Consumers will have the ability to instruct a company to not sell* their personal data to third parties
*In this case, the definition of “sell” in the bill is broader than the sale via a monetary exchange.
Personal Data vs. Business Data in CCPA
CCPA is a landmark bill in the United States defining how consumer data is protected. This is a great thing, though it does create a great deal of uncertainty around how this impacts B2B marketing. Fortunately, the California Assembly has taken a few steps to resolve this dilemma for businesses interacting with California’s nearly 40 million consumers.
There have been multiple bills introduced to amend CCPA, but for our purposes, we’ll focus on Assembly Bill 25 and Assembly Bill 1355.
What is Assembly Bill 25?
Assembly Bill 25 (AB 25) was introduced to amend the definition of “consumer” under the California Consumer Privacy Act. Under this amendment, the definition of “consumer” under the CCPA would expressly exclude employees, contractors, and any associated agents of a business. California Governor Gavin Newsom signed AB 25 into law on October 11, 2019.
Why Does AB 25 Matter to Marketers?
Since the word “consumer” is found quite a bit in CCPA, California Assemblymember Ed Chau wanted greater clarity on its interpretation.
On April 23, 2019, Chau presented the amendment to the Assembly’s Committee on Privacy and Consumer Protection, which they voted unanimously to advance.
Days after presenting the amendment, Chau shared with the National Law Review that the intended effect of AB 25 was to clarify where CCPA rights apply and where they do not. “[Where] the person’s ‘employee hat’ is on, the CCPA rights do not apply,” Chau said. “Where the same person’s ‘employee hat’ is off, the CCPA applies.”
In addition, Chau indicated that AB 25 also exempts data collected and used solely in the context of a business-to-business relationship (think: employee data collected by a customer and transferred to a business performing outsourced job functions).
Despite the fact that each of these clarifications is meaningful to the interpretation of the bill, the line marketers need to understand is highlighted by attorneys Joseph J. Lazzarotti and Jason C. Gavejian (emphasis mine):
“[A] natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”
While AB 25 helped to clarify some of the language of CCPA, AB 1355 (another addendum approved by Governor Newsom on October 11) has further defined this bill for B2B marketers specifically.
What is Assembly Bill 1355?
Assembly Bill 1355 (AB 1355) excludes B2B communications from a certain portion of CCPA until January 1, 2021. It was approved by Governor Newsome on the same day as AB 25.
AB 1355’s exemption applies to Section 1798.145 of the Civil Code and is found on line (l), stating that, “[CCPA] shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.”
Why Does AB 1355 Matter to Marketers?
The CCPA’s definition of personal information allows it to “paint” with a very broad brush. To reduce its impact, AB 1355 introduced three important changes:
- The addition of the word “reasonably” before the word “capable” in the CCPA’s definition of personal information
- The exclusion of de-identified or aggregate consumer information from the definition of “personal information”
- A moratorium on the CCPA’s application to certain B2B communications until January 1, 2021
If AB 1355 is passed, these distinctions would offer tremendous benefit to B2B marketers. However, it’s vital to keep in mind that AB 1355 does not restrict any consumer’s right to opt-out of the sale of their data.
How Does This Affect B2B Marketers?
Understanding these distinctions are important for the health (and compliance) of our businesses. As you might expect with a new law, there are still some kinks to work through. With this in mind, we reached out to Assemblyman Chau’s office to see if we could get additional clarity. (We’ll be sure to update this article if and when Chau or his office provides a response.)
Based on the language introduced in Assembly Bills 25 and 1355, it seems that B2B marketers who rely on capturing first-party data would be exempt from many* CCPA implications. (*Remember, #ImADataMarketer, not an attorney…but that is my and NetLine’s current opinion.) This would include marketers whose businesses collect data from professionals providing as they are actively researching gated content (think eBooks and white papers) as a means of vetting vendors and learning more about solutions specific to their technical and/or business challenges. The data captured during this process is, first-party provided and fully permissioned.
Therefore, it’s not enough to think CCPA means as business as usual for B2B marketers. For example, the question of whether work email addresses and contact information are subject to CCPA is still undetermined.
Clarifying CCPA’s Language
Naturally, NetLine is quite interested in knowing where the law stands on this. Lawyers are trying to gain a handle on this, as well. Here’s a direct quote from attorney David A. Zetooney on the subject.
“Yes, and no. The term “personal information” is defined broadly as including any information that ‘relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular’ California resident.2 The Act also provides a non-exhaustive list of examples of personal information which includes ‘employment,’3 as well as ‘professional or employment-related information.’
The net result is that work email addresses that contain an employee’s name or business contact information, such as the employee’s name, job title, company, business address, work phone number, etc. are arguably covered within the definition of ‘personal information’.
In contrast, generic business names, business addresses, generic email addresses or any other general business information, as long as the information has not been linked to an individual, are arguably not covered within the definition. So, for example, ‘John.Smith@acme.com’ would most likely be considered ‘personal information’ governed by the CCPA whereas ‘firstname.lastname@example.org’ would not, even if the latter is used by the same employee to communicate with the public.”
NetLine’s Chief Data Officer Jayaram Kalpathy had a very straightforward take on this Zetooney’s quote.
“My read on that is that, (from a B2B organization perspective) there are two things businesses need to be aware of:
- Users whose data we collect have CCPA rights, but
- The employees, job candidates, contractors, partners working with a B2B organization would not have CCPA rights. i.e. the info that HR collects is not subject to CCPA.”
7 Steps for Becoming CCPA Compliant
A good portion of these seven steps are things your IT department is likely already doing. However, it’s important that the rest of your team are aware of everything going on in the fight to keep our data safe.
To make sure your business is CCPA compliant, be sure to consider each of the following requirements:
- Ensure data inventory is up-to-date and contains all required information. This includes defining any and/or all business(es) record systems and designated records sets to designated as the authoritative data sets for all CCPA purposes.
- Update all relevant policies, particularly any California-specific descriptions regarding consumers’ privacy rights.
- Update policies to provide for data subject requests, including, but not limited to, a toll-free number or Website address.
- Determine a process for documenting consumer requests. This process must include a protocol for authenticating requests, timely responding to requests, effected a “stop-the-sale-of-information” order; and denying improper or untimely requests.
- Train your employees. Anyone who works directly with consumers must know how your business handles their personal data. They must also be aware of any changes to how the business handles and protects consumer data. Sharing this information with your employees will ensure timely processing, responding, safeguarding, and updating of its data inventory.
- Keep data inventory processes up to date. Considering that your business will continue to collect new- and delete former-consumer information, be sure all data is stored and/or deleted properly.
- Respect the 12 Month Opt-out. Don’t ask consumers who’ve chosen to prohibit the sale of their personal data to re-consent to the sale of their data within one full year of their request.
What’s your perspective on this? I’d love to hear more about your interpretation and how your business plans to work with CCPA. Chime in and offer your evidence arguing another stance or tweet me to start a dialogue there.