Internet business models that make it digitally easier to connect with customers and prospects have run into a new reality called consumer privacy. However, marketers would do well to consider this an opportunity to build trust with their audience, demonstrating that personal data won’t be used for the wrong purposes. This is what consumers want, after all. A recent survey by Tealium found that 97% of respondents were somewhat or very concerned about protecting their personal data. The message is unavoidable: Privacy isn’t a trend; it’s rapidly become a geographic mandate.
The European Union’s General Data Protection Regulation (GDPR) and now the California Consumer Privacy Act (CCPA) are being joined by other data protection regulations that make privacy a fact of life for marketers. Nevertheless, the US is following what happened in the EU—many companies aren’t prepared. The CCPA ruling went into effect on January 1, 2020. Some stats peg the percentage of firms that aren’t ready for this significant new regulation at anywhere from 56% to as many as 88%. Whether companies are non-compliant because of a wait-and-see approach, lack of funding or confusion about the law, there are compelling reasons to take action. For marketers, who are most impacted by privacy regulations, it’s wise to internalize some simple truths about CCPA.
1. CCPA likely impacts your company if you have California databases.
Not being physically located in California by no means gets you off the hook for CCPA compliance. If you hold data on even one California resident, you must comply with the regulation. Keep in mind the qualifications for CCPA oversight: annual gross revenues of $25 million or more; buying or selling more than 50,000 individuals’ data; and making more than half of annual revenues from selling customer data. This throws a long shadow across many companies.
2. It’s unwise to wait until CCPA enforcement goes into effect on July 1, 2020, to begin compliance.
CCPA sets in stone a new way of handling data, and such a large change takes time to implement. Now you’ll need to disclose what information you’re collecting and reveal how personal data is being used for your social media campaigns, email surveys and any other marketing programs. Also, you’ll need to give consumers the right to opt out of having their data sold to third parties and you’ll need to let them see what information has been gathered and allow them to delete it if desired. Implementing such new processes is time intensive.
3. Do the math on what kind of penalties might be waiting for you.
The CCPA states that companies can be penalized $2,500 for each record of unintentional violation and $7,500 for each record of intentional violation. The penalty applies per record, and a company could have hundreds, thousands or even millions of data records. For this reason, waiting to see what enforcement looks like could be regrettable. It’s true that enforcing the CCPA, like the GDPR, will take a bit of time to hit its stride, but it will inevitably grow. So, playing it safe through compliance makes business sense.
4. GDPR compliance doesn’t ensure compliance with the CCPA.
Yes, there are some similarities between the two privacy regulations beyond the focus on EU versus California customers. But there are also some notable differences with greater impact on marketers in the CCPA. The CCPA goes beyond the scope of the GDPR in that it: includes household information as part of what’s covered; gives consumers absolute opt-out rights; requires stricter privacy notices; and is much more focused on direct marketing companies or digital advertising companies. While the GDPR covered government entities as well as non-profit organizations, the CCPA puts its focus on for-profit businesses, which makes it a bigger deal for many marketers.
5. Take a savvy approach toward implementing CCPA compliance.
Privacy regulations have now been around long enough that best implementation practices have emerged. Begin with a thorough data inventory and know where all data resides, building compliance into development cycles rather than bolting it on at the end. In fact, data protection should be part of every new product or service from the beginning of development, with sensitive personal data tracked across an entire product lifecycle. Work with the teams that have the best insight on data infrastructure. When it comes to data records, shift from renting to owning. This not only ensures less-expensive, less-outdated data but is also safer in the long run, and it prepares your company for the important step of rebuilding customer trust by collecting and applying data in the most transparent way.
Shane Nolan is senior vice president of consumer and business services for IDA Ireland.