Starting Jan. 1, 2020, many businesses that serve California residents will need to abide by stricter privacy standards. Here’s what B2B companies need to know about the California Consumer Privacy Act.

(A word of warning, first. We’re a marketing agency, not a law firm. If you’re concerned about your CCPA exposure, call your attorney.)

CCPA for B2B: California State Capitol building

Which Companies Does the CCPA Cover?

Unlike Europe’s General Data Protection Regulation, the CCPA applies only to some companies. Businesses must comply if they:

  • Have gross annual revenues of $25 million or more;
  • Have data on 50,000 or more individuals, households or devices;
  • OR earn more than half their annual revenue from selling consumers’ personal information

In other words, most readers of this post are in the clear. That doesn’t mean you can ignore data hygiene. It just means you’re not covered by the CCPA.

Are B2B Companies Exempt from the CCPA?

No, B2B companies are not exempt from the CCPA.

Well … not exactly.

As with all recent privacy regulations, there is some gray area around the CCPA for B2B companies.

Communications and transactions that “occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from” are exempt from the CCPA until Jan. 1, 2021.

In other words, B2B emails and other communications seem to be fine … for now.

That said, there is no B2B exemption for the CCPA’s requirements around:

  • Allowing individuals to request their information not be sold
  • Ensuring individuals who opt out are not discriminated against
  • Promptly informing individuals of a data breach

So if someone tells you that the CCPA doesn’t impact B2B companies, they’re mistaken. There are some short-term exemptions, but B2B companies with big revenue or big lists are covered.

What Does the CCPA Require?

First and foremost, California’s answer to the GDPR is about giving consumers more control over their personal data.

That means B2C and B2B companies should proactively:

  • Ensure they know exactly what they’re collecting and where it’s stored
  • Inform consumers of what’s being collected and why
  • Be prepared to provide and delete individual records upon request
  • Explore their data security practices
  • Develop SOPs in the event of a data breach or consumer request

Businesses that market to minors have more requirements under the CCPA than B2B firms. However, business-to-business companies that qualify should be ready to:

  • Update their privacy policies to address California residents’ rights under the 2018 legislation
  • Offer individuals an easy way to opt out from data sales
  • (Or just not sell data at all; it’s a bad look)
  • Maintain basic data cleanliness, including email list cleanup and ensuring proper opt-in procedures
  • Make it easy for individuals to opt out of emails
  • Find out exactly where all PII is stored
  • Rapidly inform users of a data breach, and potentially provide compensation to individuals in the event of a breach
  • Make their privacy policy a “clear and conspicuous” link on their homepage
  • Keep track of all individuals who have opted out, and not contact them for at least 12 months

In short, just like GDPR, the key is to be explicit about what you’re capturing and why.

CCPA Penalties & Fines

The CCPA carries governmental fines of $7,500 for intentional violations and $2,500 for unintentional violations. Additionally, California residents may file suit as individuals or classes for violations.

Before penalties accrue, however, offending companies will be given 30 days to “cure” the violation.

The Bottom Line: CCPA for B2B Companies

Look. Just like GDPR, the CCPA isn’t the end of the world for web marketers.

It’s only applicable to large companies, or those with huge lists. So there’s that.

Additionally, much of what it dictates is common-sense best practices. You shouldn’t be spamming people or selling data anyway!

The bottom line: If your gross annual revenues are $25 million or more, it’s worth calling your attorney to make sure you’re OK. They’ll likely request some slight changes to your website and a data audit, and you can go on with your day.

Ultimately, the CCPA isn’t going to turn the B2B world upside-down. Instead, treat this as a wakeup call (if GDPR wasn’t already). Keep your user, prospect and client data safe, and always be up front about what you’re asking for and why.