Can I use customer data for marketing purposes without violating privacy laws in California? What are the requirements?

Using Customer Data for Marketing Purposes in California

Under the California Consumer Privacy Act of 2018 (CCPA), businesses are required to provide consumers with notice of the categories of personal information they collect and the purposes for which the information will be used ^[1.2](^[1.2]). Therefore, businesses must inform consumers if their personal information will be used for marketing purposes.

Notice Requirements

Businesses must provide consumers with a privacy policy that includes a description of their rights under the CCPA, including the right to opt-out of the sale of their personal information ^[1.2](^[1.2]). If a business sells personal information, it must provide a clear and conspicuous link on its homepage titled “Do Not Sell My Personal Information” that allows consumers to opt-out of the sale of their personal information ^[1.2](^[1.2]).

Opt-Out Requirements

If a business sells personal information, it must provide consumers with a clear and conspicuous link on its homepage titled “Do Not Sell My Personal Information” that allows consumers to opt-out of the sale of their personal information ^[1.2](^[1.2]). Businesses must also provide consumers with two or more designated methods for submitting requests to opt-out, including a toll-free telephone number and a website address ^[1.2](^[1.2]).

Recordkeeping Requirements

Businesses must maintain records of consumer requests to opt-out of the sale of their personal information for at least 24 months ^[1.1](^[1.1]).

Additional Requirements

In addition to the CCPA, businesses must comply with other privacy laws in California, such as the Privacy of Customer Electrical or Natural Gas Usage Data law ^[2.1](^[2.1]). This law requires businesses to obtain express consent from customers before sharing, disclosing, or otherwise making accessible to any third party a customer’s electrical or natural gas usage data. Businesses must also implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the data from unauthorized access, destruction, use, modification, or disclosure ^[2.1](^[2.1]).

Penalties for Non-Compliance

Businesses that violate the CCPA may be subject to civil penalties of up to $7,500 per violation ^[1.1](^[1.1]).

Therefore, businesses must provide notice to consumers if their personal information will be used for marketing purposes, provide consumers with a clear and conspicuous link to opt-out of the sale of their personal information, maintain records of consumer requests to opt-out, obtain express consent from customers before sharing their electrical or natural gas usage data, and implement reasonable security procedures and practices to protect the data. Failure to comply with these requirements may result in significant penalties.

Source(s):

• [1.1] Section 1798.199.40 - California Consumer Privacy Act of 2018
• [2.1] Section 1798.98 - PRIVACY OF CUSTOMER ELECTRICAL OR NATURAL GAS USAGE DATA
• [1.2] Section 1798.130 - California Consumer Privacy Act of 2018
• [1.1] Section 1798.145 - California Consumer Privacy Act of 2018

Jurisdiction

California

• General