Snippets

How Businesses Must Change Tactics to Comply With the California Consumer Privacy Act

background

New Privacy Protocols Under the CCPA Are Changing How Businesses Operate and How They Can Approach Long-Used Approaches to Marketing 

In 2018, the General Data Protection Regulation (GDPR) went into effect as a core part of Europe’s digital privacy legislation, and it was the talk of the town in the U.S. as companies that do business overseas readied themselves for compliance. At the onset of this new decade, however, there’s a new kid on the data privacy block: the California Consumer Privacy Act (CCPA). 

A Short Introduction to the California Consumer Privacy Act

Don’t be fooled by the law’s geographic specificity – the CCPA applies to any company that employs or serves California residents.

Broadly, the CCPA establishes new consumer rights relating to the access, deletion, and sharing of personal information collected digitally by businesses. It also establishes procedures to facilitate consumers’ new rights under the law and guidance for business compliance. 

To trace the origins of the CCPA, we can point to the widely-known Cambridge Analytica scandal during the 2018 presidential election that shone a spotlight on the myriad ways consumer information was being used without consumer permission. 

Taking action to try and rectify these wrongs, California’s privacy act gives consumers more control over their data, including insight into what information companies have collected on them, whether companies have sold or are selling their personal information, and the option of removing their information from company databases. 

The CCPA is essentially the U.S. version of GDPR; incidentally, it was signed into law in 2018, but it officially went into effect in January 2020, which has companies scrambling to ensure compliance. 

Which Industries Will be Most Impacted by the CCPA?

The most important designation of the CCPA is that it only applies to businesses that earn more than $25 million in gross revenue, collect data on more than 50,000 people, and acquire more than 50% of their revenue from selling consumer data. 

Technology, telecom, and financial services companies may have a “leg up” since they’re already subject to a slew of regulations and are inherently more aware of and prepared for stricter privacy regulations in a post-Cambridge Analytica world (and with the threat of security breaches always looming). 

The CCPA will have a different impact on the Facebooks and Twitters of the world, but all tech and telecom companies with customers or employees in California have had to take a series of actions to comply, including: 

  • updating their privacy policies
  • preparing communications to answer consumer questions about their data (such as a web page or special phone number)
  • putting the “Do not sell my information” button on their websites, which is a feature we can all expect to see on sites that enables consumers to enact their rights under the CCPA

Other companies, like retailers, have more work to do to comply with the CCPA because they weren’t subject to GDPR. Although data privacy is a key component of most organizations, compliance with the CCPA requires additional protections. 

Likely because of the large amount of work involved to meet the requirements of the CCPA, a lot of companies are choosing to apply the privacy protections to their entire operation – not just to their California contingent. This can also be viewed as a smart move given the likelihood that other privacy laws will be legislated in other U.S. states in the near future.

Will the CCPA Change Marketing and the Internet for Businesses and Consumers?

According to the law itself, the data it covers includes IP addresses, contact information, internet browsing history, biometrics such as facial recognition and fingerprint data, race, gender, purchasing behavior, and location. 

The law grants consumers several rights when it comes to their personal data:

  1. Knowing what data collection practices a business is exercising
  2. Knowing specifically what data on them is being collected
  3. Knowing how their data is being used; i.e., with whom is it being shared and for what purpose
  4. Seeing copies of their data to validate the company’s reports
  5. Requesting their information be deleted or that it not be sold to outside entities

The privacy protections that businesses now must offer under the CCPA can really only be achieved by essentially overhauling current data management practices. For most organizations, consumer data is collected in many different ways and in several different departments. For most businesses of the size specified by the CCPA, consumer data comes in through internet usage, social media, store purchases, payment card information; essentially any way in which consumers interact with a business.

We all know that “big brother”-esque feeling we get when an ad pops up for an item or topic we were just searching for. This occurrence, while mildly irritating at best for consumers, reflects a much larger online operation called “real-time bidding”, in which ad buyers bid on ad space based on user data so their ad can appear in front of that user.

Here’s the part that, under the CCPA, users have the ability to opt-out of. That user data is then stored so webpages have more specific user information to validate higher ad prices, and that data can also be purchased by companies looking for target audience information.

Because the CCPA grants consumers the right to essentially remove their information entirely from formerly robust databases, it could be seen as a pivotal change for marketing tactics as we know them.

Once the law has been in place for a time, it will be interesting to see how many users actually choose to opt-out of data-sharing practices; however, if enough do, the costs for ads – and thusly the revenue they pull in – could be drastically lower.  Companies may find themselves working from a smaller pool of data and may have to rely less on purchasing or selling information to beef up audience targeting or raise ad revenue.

However, while the CCPA does impact some keystone marketing tactics, the law is not a red herring for the end of the internet as we know it or anything sinister like that – but it does mean companies will have to adjust and reevaluate how they collect the data that drives many common marketing practices. 

Adapting to a Data Privacy-Conscious World

GDPR and the CCPA should be viewed as just the beginning of a more data privacy-conscious online and business environment. Other states will join California in leveling-up privacy protections for consumers; Maine and Nevada have recently passed privacy laws, and numerous other states are considering or have already tried to pass similar legislation.

The CCPA achieves something pretty big for the U.S. – putting consumers in the driver’s seat when it comes to their personal information. That being said, there is still an almost mindless ease with which we share private information, and it’s hard to know whether this law will make a marked difference in behavior, at least right away. After all, when’s the last time any of us read through a privacy policy on a website we visited?

Either way, privacy laws are here and more are coming. If nothing else, these legislative actions draw much-needed attention to the risks of data collection and sharing, and should at the very least prompt businesses not required to comply with the CCPA to voluntarily evaluate their privacy protections and security protocols. 

As businesses implement these protections, they’re sure to grapple with the aspects of their marketing strategies that rely on user data for advertising, marketing automation, and other targeting tactics. 

If your business is governed by the CCPA and you’re contemplating next steps for your marketing strategy this year or in 2021, we can help. Being well-versed in privacy rules and marketing means success for your business, even amid big changes. Contact us today!