California Leads Expected U.S. Data Regulation Cascade
The California Consumer Privacy Act (CCPA) has made implementing new data practices the number one New Year’s resolution for many organizations. We’ve already weighed in here and here about a closely related piece of legislation, the EU’s GDPR (General Data Protection Regulation). The CCPA is the next large-scale U.S. consumer privacy act to deal with the collection, security and sale of personal data, and it almost certainly won’t be the last.
So what do marketers and senior leaders need to know?
CCPA compliance is largely a matter of instituting responsible data policies, specifically on two fronts: security and transparency. And that might actually be a big opportunity.
The GDPR created a lot of fears, but in the end, compliance actually built trust and boosted performance for many companies.
The CCPA has similar goals, so there is reason to believe that being transparent and securing data will yield similar benefits.
Here are the basics of the CCPA.
Who is responsible? Anyone collecting, storing or selling personal data.
The CCPA applies to any company that serves any California resident and has at least $25 million in annual revenue OR collects data from 50,000 or more people OR makes more than half of its revenue from the sale of personal data. There are no exceptions for companies based outside California or the U.S.
What should they do? Secure data, have users opt in to permit the sale of data and provide copies of data collected upon request.
Companies need to make sure they completely understand what data they are collecting, why they are collecting it, and how it is being stored, used or passed on.
Why?
- To respond to requests from users for a copy of the data (and provide explanations of the business purpose for why it was collected).
- To remove the data if the user requests “to be forgotten.”
- To secure the data well enough to avoid breaches.
These are all both technical and governance requirements, and they apply to any data collected in the course of conducting business, such as names or email addresses.
It can get more complicated when a company sells or shares data with a third party. Users must opt in to allow their personal data to be sold or shared.
There are a lot of gray areas that should be hashed out with legal counsel. Cookies are a big one. Industry legal experts are divided in their guidance, but wherever your counsel lands, you should update your privacy policy to explain it in plain language.
When? For CCPA, yesterday. For everyone else, start now.
With the law set to go into effect January 1, 2020, we’d hope that any companies seriously impacted by the regulation are already set and ready. Consumers can request 12 months of data, so companies should be prepared to provide data going back to January 1, 2019.
That’s not me, so what do I need to know?
At the moment, organizations serving more than one state are looking at a state-by-state patchwork of slightly different regulations. National advertising groups have called for the U.S. government to step in and pass federal legislation to avoid this. If that happens, we’ll all need to deal with the issues CCPA lays out.
A good first step is to carefully work through the following:
- What information has been collected?
- Where was the data collected from?
- Why did we collect it? (i.e., the business purpose)
- How was that information used? (especially if it was sold)
- Who were any third-party recipients of the data and what do they do with the data?
At minimum, privacy policies should be updated to answer these questions. If the answers aren’t clear or you find departments aren’t aligned, you may need to set up a governance board with representatives from sales, marketing, technology, and account management to make sure you can secure every access point and account for data use at each step.
New legislation enacted so far doesn’t mean the end of cookies, targeting, collecting data or even reselling data, but companies will need to be more transparent and give users control over how their data is used.
Updating privacy policies, securing data and allowing users to request copies of data are all helpful. But compliance that seeks only to follow the letter of the law misses the opportunity to take a holistic look at your CX from ad to invoice. You should look for a partner that understands how modern data practices affect advertising, apps, forms, CRMs and all customer touchpoints.
Appearing savvy instead of creepy often comes down to effectively executing more traditional goals like paying off your brand promise in every interaction. Brands that treat CCPA compliance as an opportunity to accomplish that might be able to check off two or three New Year’s resolutions in 2020.