Is Your Business Ready for the California Consumer Privacy Act?
Brought to you by WBR Insights
We live in an age of unprecedented data gathering and storage, with brands the world over using digital information to gain an ever-deeper knowledge and understanding of the people and markets they serve. Digital information has become so valuable that, for many companies, the buying and selling of consumer data is their business.
Unfortunately, with the increased prevalence and use of data comes an increase in the desire of criminals to access and acquire this data for malicious reasons. This is leading cybersecurity to become a major issue and a daily concern for brands. Unfortunately, despite their best efforts, several high-profile breaches have occurred recently, putting data security firmly in the headlines.
Between January 1, 2005 and April 18, 2018, there were 8,854 recorded data breaches; 52 percent featured hacking, 28 percent involved malware and 32-33 percent included phishing or social engineering. In the first half of 2019 alone, data breaches exposed 4.1 billion records. Just one such breach, the 2018 Marriott-Starwood incident, compromised the personal information of 500 million consumers.
One must also consider the impact of recent elections on the data security landscape.
Data analysis firms such as Cambridge Analytica were able to harvest the information of some 50 million Facebook profiles and use it to create detailed, targeted ad campaigns. Those campaigns were allegedly powerful enough to influence the outcomes of the 2016 US presidential election and the UK referendum on membership of the European Union in the same year. Because of these revelations, concerns about privacy and how our information is used by various organizations went through the roof.
The first major backlash to these breaches and scandals was introduced by the European Union in 2018. The General Data Protection Regulation (GDPR) was a brand new regulatory framework that took existing privacy rights and updated them for the digital age.
The GDPR gave the subjects of data unprecedented control over how their information was handled by organizations. They gained the right to receive a copy of said information, request that it be deleted, be informed of how it was to be stored and used, and much more. The new regulations forced companies to reveal any data breaches within 72 hours and gave the EU the power to implement significant fines for any companies that fail to take reasonable steps to prevent breaches.
While it was implemented by the EU, the GDPR rules apply to any organization which holds information on EU citizens — whether that business is itself located in the region, or not. This meant that almost every website had to be updated with new permissions that users had to accept before being allowed to view any of its content.
Exact figures are hard to track down, but there have been dozens of successful fines enforced by the EU for GDPR failures. The largest to date was issued to British Airways in July 2019 after half a million customers' data had been stolen by hackers last August from its website and mobile app. The fine came to a staggering £183m (€204m, $229m). Before GDPR, the maximum fine would have been £500,000, a drop in the ocean to a company as large as British Airways. However, this has now been set at four percent of turnover, meaning the fines scale with the size of the organization.
The California Consumer Privacy Act
Inspired by the success of the GDPR, California has decided to implement its own version of the regulation. Due to come into effect on January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) has the potential to have even stronger repercussions on US companies than the GDPR.
While the CCPA is softer than the GDPR in some regards — it eschews the narrow 72-hour window in which a company must report a breach, for example — in some regards it goes much further. This means that it's not enough for companies to assume that the measures they've put in place for GDPR compliance will be enough to cover them for the CCPA — so they must make sure their business is ready.
However, it seems that, despite the imminent arrival of the regulation, many if not most businesses are not prepared. While some have taken the GDPR as a reason to proactively harden their data strategy, others are still hoping that the privacy pendulum will swing back again before it gets too serious. But the recent rise in lawsuits around the ADA (Americans with Disabilities Act) is casting a shadow that makes a rise in privacy class action lawsuits in 2020 likely. Retailers are under pressure to comply and the clock is ticking.
Preparing for the CCPA
Any business that serves the residents of California and has at least $25 million in annual revenue will have to comply with the law. Other companies, regardless of size, which hold data on 50,000 or more Californian residents, or ones which collect more than half their revenue from the sale of personal data, will also be subject to the regulations.
An important detail to note is that, like with the GDPR, companies do not have to be based in California to come under the jurisdiction of the CCPA. They don't even need to have a physical presence in the state, nor do they have to be based in the United States. If your business fills any of the criteria described above, no matter where in the world you are, you need to be prepared for the CCPA.
One regard in which the CCPA goes much further than GDPR is in what it constitutes as sensitive data. The definition has been significantly expanded from the European regulations:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
- Characteristics of protected classifications under California or federal law.
- Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer's interaction with a website, application or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
If your company deals in any of these types of data and fits the categories previously defined, you'll need to prepare for the CCPA.
One of the most important parts of effective data management is to have a policy in place under which your organization regularly audits and cleans its data stores.
Data cleaning refers to the practice of going through your databases and making sure that the information you have stored is accurate and relevant. The new regulations require that data only be kept when it is accurate and still necessary for business purposes, so any which is irrelevant or outdated should be either deleted or updated. Your organization should only ever store the bare minimum of data it requires to perform its role, as the more information you have in your possession, the greater the chance of it becoming compromised or falling into the remit of the CCPA in some way.
Create a Single Customer View
Also known as propensity modeling, creating a single customer view allows your organization to represent its stored data in a manner that is aggregated, consistent, and holistic.
The ability to view data in a single location not only allows your organization to serve customers better, through more thorough analysis of past behavior and more personalized and targeted interactions, but will also allow your company to fulfill its CCPA responsibilities.
The CCPA requires companies to provide people with copies of the data held on them. By having all that data in a single customer view, it will enable your business to facilitate this quickly and easily.
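As an added illustration of the two practices described above, the retention sweep from the data-cleaning section and the single customer view used to answer an access request, here is a small Python sketch over a constructed in-memory SQLite dataset. This code is not part of the original article and does not represent any CRM product; the table layout, the sample records, the 365-day retention window and the use of email as the customer key are all assumptions made for the example.

```python
"""Retention sweep and single-customer-view export over constructed sample data.

Added example, not from the original article. The schema, records and
retention window below are assumptions chosen to keep the example self-contained.
"""
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 365  # assumed business retention window, not a figure from the CCPA


def build_sample_db(today: date) -> sqlite3.Connection:
    """Create an in-memory database with constructed customers, orders and web events."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT, last_activity TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, item TEXT, ordered_on TEXT);
        CREATE TABLE web_events (id INTEGER PRIMARY KEY, customer_id INTEGER, url TEXT, seen_on TEXT);
    """)
    recent = (today - timedelta(days=30)).isoformat()   # inside the retention window
    stale = (today - timedelta(days=800)).isoformat()   # well outside it
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        (1, "ana@example.com", "Ana", recent),
        (2, "bo@example.com", "Bo", stale),
        (3, "cy@example.com", "Cy", stale),
    ])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (10, 1, "boots", recent),
        (11, 2, "hat", stale),
    ])
    conn.executemany("INSERT INTO web_events VALUES (?, ?, ?, ?)", [
        (100, 1, "/shoes", recent),
        (101, 1, "/sale", recent),
        (102, 3, "/home", stale),
    ])
    conn.commit()
    return conn


def retention_sweep(conn: sqlite3.Connection, today: date, retention_days: int = RETENTION_DAYS) -> list:
    """Delete customers whose last activity is older than the retention window,
    together with their dependent rows, so no orphaned personal data is left behind.
    Returns the ids of the customers that were removed (data minimization in action)."""
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    stale_ids = [row["id"] for row in conn.execute(
        "SELECT id FROM customers WHERE last_activity < ?", (cutoff,))]
    for cid in stale_ids:
        # Dependent tables first, then the customer row itself.
        conn.execute("DELETE FROM web_events WHERE customer_id = ?", (cid,))
        conn.execute("DELETE FROM orders WHERE customer_id = ?", (cid,))
        conn.execute("DELETE FROM customers WHERE id = ?", (cid,))
    conn.commit()
    return stale_ids


def single_customer_view(conn: sqlite3.Connection, email: str):
    """Assemble everything held on one consumer into a single structure, grouped by the
    CCPA categories the article lists, which is what an access-request export needs.
    Returns None when no record exists for that email."""
    cust = conn.execute("SELECT * FROM customers WHERE email = ?", (email,)).fetchone()
    if cust is None:
        return None
    cid = cust["id"]
    return {
        "identifiers": {"email": cust["email"], "name": cust["name"]},
        "commercial_information": [dict(r) for r in conn.execute(
            "SELECT item, ordered_on FROM orders WHERE customer_id = ?", (cid,))],
        "network_activity": [dict(r) for r in conn.execute(
            "SELECT url, seen_on FROM web_events WHERE customer_id = ?", (cid,))],
    }


if __name__ == "__main__":
    db = build_sample_db(date(2020, 1, 1))
    print("removed stale customers:", retention_sweep(db, date(2020, 1, 1)))
    print("access-request export for ana:", single_customer_view(db, "ana@example.com"))
```

The sweep keys on a single last-activity date per customer; a production policy would usually hold a retention period per data category and record the legal basis for keeping each one, but the shape of the check is the same.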
Customer relationship management (CRM) software has risen in popularity in recent years. The newest generations of the software are helping organizations manage their data more effectively and compliantly than ever before.
The most relevant aspect of next-gen CRM to the CCPA is that it no longer requires data to be entered manually. Automatic data capture can help eliminate human factors such as optimism, error, time lapse between contact and entry time, or pressure to look good, which are responsible for many data inaccuracies.
Brands must make sure the CRM platforms they are employing are reputable and robust. With the software having so much control over data, the use of an insecure or ineffective CRM could cause more data security problems than it solves.
While consumers are understandably more concerned and careful about their data than ever before, 57 percent are still willing to hand over personal information in exchange for personalized service. In fact, 79 percent of consumers say they are only likely to engage with an offer if it has been personalized to reflect previous interactions the consumer has had with the brand.
This means that personalization is still of great importance to customers, but that brands must now be more careful than ever to ensure that data is being used in a way which offers real value to them. Most importantly, brands must ensure consumer data is stored and treated with the respect and responsibility it deserves.
Marketing professionals and marketing teams are currently facing one of the most challenging climates ever seen. Increasingly, marketers must deliver savvier forms of communication, more impactful types of engagement, and hyper-personalized experiences to ever more cynical and fickle audiences, all while negotiating the most strictly regulated environment in modern history.
The new and stricter regulatory environment we find ourselves living in proves particularly challenging for marketing attribution.
Because attribution requires consumers to be identified and tracked as they interact with the internet and the physical world, it butts up against regulations such as the GDPR and CCPA which demand the exact opposite from brands, unless they acquire clear consent from those individuals.
The big tech firms are rising to meet this challenge, however. Google has recently announced a cross-site cookie and fingerprinting crackdown which strongly implies that the demand for continued attribution is going to be met through a decreased reliance on raw data and more black boxes. This will likely require marketers to implement more opaque solutions controlled by tech companies such as Google and Facebook.
Third-party verification partners will still likely be able to perform audits but will still have to place a great deal of trust in the tech companies themselves. Arguably, this is what got us into the position we find ourselves in now.
The GDPR sent waves throughout global industry and it's looking like the CCPA is getting ready to throw another tsunami at our shores once again. Whether your business serves customers in the Sunshine State or is based there itself, you need to prepare for this new onslaught of regulations.
It seems highly likely that other states will very soon follow California's lead and begin introducing their own data privacy regulations. In fact, due to the global nature of the contemporary marketplace, it would seem probable that we may see some kind of worldwide compact before long.
The digital world requires new solutions and the CCPA is one step along that path. Companies must adapt to meet this new environment if they want to succeed in the future and will find that being compliant brings its own advantages as well.
"Consumers want to do business with companies that protect their data privacy," reports Forbes. "As a compliant organization, you'll be able to market your adherence, which in turn can help boost sales and customer loyalty. Not to be discounted is the personal information you collect. You'll know exactly where the information came from and have better control over its accuracy, enabling you to really know your customers and improve your marketing strategies."
The CCPA is sure to be a hot talking point at eTail Connect 2020, taking place in April at the JW Marriott Miami, FL.
Download the agenda today for more information and insights.