The most comprehensive consumer data privacy law in the United States – the California Consumer Privacy Act (CCPA) – went into effect on Jan. 1, 2020, and will start being enforced on July 1, 2020.
But marketers in every state, and in other countries as well, must get up to speed now so they understand how the law affects them and whether and how they need to change how they store, protect and share data.
At Trendline Interactive, we’ve been tracking CCPA since 2017, when deliberations began in the California Assembly and Senate. The two houses approved the bill, and outgoing Governor Jerry Brown signed it on June 28, 2018.
CCPA background: For U.S. marketers, CCPA is the first of what’s likely to be a series of strict state laws governing consumer data privacy and transparency, and provisions on storage, security and access.
California has recognized an individual right to privacy since 1972. The law’s introduction notes that the Cambridge Analytica scandal of 2017, which revealed the misuse of Facebook users’ data in 2016, spurred the move to codify consumer data and privacy rights into state law.
CCPA focuses on individual consumer rights and how data is to be shared, stored and accessed. Under the law, California residents will have the following rights:
You do, if your company is for-profit and it meets at least one of the following conditions:
So, if your company is based in New York but you have customers or employees who are California residents, they are covered by the law. You don’t need to have a physical footprint in the state.
Also, the law applies whether you paid for the data (by buying or renting email lists, paying a data broker or any other form of data purchase) or acquired it for free.
Don’t panic at the prospect of being held accountable for the consumer data you collect, manage, store or share. But, don’t ignore the law, either. It’s the leading edge of the data privacy and transparency movement that is spreading across the United States and might someday lead to federal legislation. (More on that later in this post.)
Here are 10 steps you should take so you’re ready for the law when it gets enforced in July.
We hear from many marketers that they don’t have location data on their customers, so they don’t know who’s covered by the law. Our response: Treat all of the people you hold data on as if they’re from California, especially because many other states are passing similar laws.
You probably have more information than you realize, too. Look for information such as when, where and how they opted in, IP addresses, web form locations, and other data that their behavior generates, as well as any preference data showing location.
For example, your form could request each subscriber to indicate country of residence. The form could present a request for an explicit opt-in from residents who say they live in EU countries, Canada or other places where data laws require a positive action.
Or, revise your opt-in form to require an explicit opt-in from every subscriber (like an unchecked checkbox that says “Yes, please send me email messages from your company”).
When we work with clients, we look at how they map their data. A marketer might use a WordPress site to collect data, or an ESP web form. That data will synchronize from the CRM system over to their ESP or marketing automation program.
We will then analyze and map the data from the CRM to a billing system. Knowing how information is mapped and where it goes will help you comply with the law’s “right to be forgotten.”
A Privacy Impact Assessment (PIA) helps you understand where your data is flowing and how it is mapped. We work with companies, clients and prospects on data mapping and PIAs. They reveal vulnerabilities and compliance gaps with CCPA.
As part of this process, we look at multiple databases, products, and applications, and how they collect, share, sell and grant access to consumer or customer data.
This is an often-overlooked area in data and privacy compliance. Lots of marketers have third-party contracts with vendors to store data in their data centers or share their data for surveys or analytics.
We look at those contracts to see what your vendors are doing with your data. Review all contracts now to see if your third-party vendor is up to date with CCPA’s provisions. That will help you see whether you could be in trouble if you turn your data over to that vendor.
The marketing department isn’t the only one that has to comply with CCPA, GDPR, CASL and other data laws. Take the lead in your company and bring reps from Marketing, Sales, Legal, Privacy and IT to the table so everyone can learn about the law, share information and understand how other departments collect, store and share data.
Make each member of the roundtable responsible for one part of the process, such as locking down the database, updating data-collection forms or changing data acquisition processes. Every participant should know their assigned responsibilities and what they need to recommend for compliance.
For many companies today, data breaches aren’t a matter of “if they happen” but “when they happen.” No matter how carefully your company safeguards data, prepare for the worst.
Marketing and IT often have a contentious relationship. But, if a breach happens, your two departments will be the company’s first line of defense in complying with legal notification requirements.
Know how your data is being watched. Monitor log files and watch third-party systems for breaches, and be sure everyone on your privacy roundtable knows the procedure and whom to contact if the unthinkable occurs.
This can be a function you assign to members of your privacy/compliance roundtable. Functions can include tracking down and listing locations and people responsible for policy and procedural manuals and for databases of consumer information, whether they’re on-site or stored in cloud-based systems.
This section of the law allows California residents to request that you delete certain categories of their personal data and requires you to notify residents that they have that right. A similar provision is also a key element of GDPR.
But, as noted earlier, you can retain some personal data that falls into protected categories. Know what data you are entitled to retain, and how deleting data that is eligible for removal could interfere with your business processes or databases.
Then, create a process to handle these requests.
Adopt a multiple-channel approach. Allow consumers to contact you by phone, in person, via email or through a web form. You’ll need to create a guide in both print and digital formats to explain the law, the consumer’s rights and how to request removal.
Don’t forget your customer-facing teams, either, including your customer-support and in-store personnel. Write and test scripts to handle questions, concerns and complaints.
If you want to be transparent – and, yes, you do want to be transparent – you can use your guides and scripts to explain your procedures and how long it will take to remove the data. Run everything past your legal, compliance, sales and IT reps on your privacy roundtable to make sure everything is accurate.
We’re keeping our eyes on CCPA and other laws, including amendments that could change the law’s definitions, requirements and scope. See the next section on potential changes, and sign up for blog updates to get the latest news.
Also, contact us to see how we can help you audit your data gathering and management practices to reduce your exposure to violations. Our experts can create a Privacy Impact Assessment report and assist in an overall gap analysis.
Although the CCPA is a done deal, several bills could narrow the focus and define more terms in this broad law.
Here are some potential amendments:
We’ll stay on top of the changes and update you periodically on what you need to know to stay on the right side of the law.
If you buy or rent lists and use extensive third-party data, the law will hit you harder than a marketer who relies only on first-party data (the data you collect yourself).
We already know that list-buying can hurt your email marketing program through lower deliverability, higher spam complaints and lower open rates. Using out-of-date data can create a major deliverability challenge. You could get blocked or kicked off your ESP because you’re sending to bad lists. Learn more about Deliverability Challenges.
Transparency is the name of the game. Being transparent with your customers, explaining how you collect, share, store, use and protect data and how you protect their privacy and confidentiality will give you a major trust advantage. If you have good database integrity and transparency, you’ll be golden.
They share some common characteristics:
But they differ on some key issues:
Many of the data privacy and security laws on the books now or being considered have conflicting provisions, such as the age of consent for using or selling data on minors.
Washington and Massachusetts are just two of the other states that are actively pursuing legislation. Industry leaders like Apple CEO Tim Cook have been pushing for a federal data privacy law that would supersede the patchwork of data laws now developing across the U.S.
You might see this new wave of data privacy and protection as an incursion on your business processes, but your efforts to comply could end up benefiting your business more than hurting it.
Consumers are tired of data breaches and having their data shared far and wide beyond their control. Being a brand or company that can secure their data will make you more trustworthy.
Becoming known for keeping data safe and secure and being transparent about how you use it can become a selling point in your favor. It can make you the consumers’ choice over companies tainted by breaches or shoddy regard for privacy.
That will benefit your marketing program and your company in the long run and make it a viable participant in the new world of data transparency, safety and security.