Be compliant or be complacent. These are the two options facing brands and marketers today, as data privacy laws continue to take hold.
For those paying attention, it’s been clear for some time that Europe’s GDPR regulations were only the beginning of a global effort to formalize and enforce protections for internet users and their personal data. But with California’s landmark privacy legislation, CCPA, set to become enforced in 2020, data privacy is no longer a distant foreign concern for American businesses, if it ever was.
What is the CCPA?
At a high level, the purpose of the California Consumer Privacy Act (CCPA) is quite similar to that of GDPR: It’s about giving people transparency into, and control over, how their personal data is used by companies.
As the epicenter of technological advancement in the United States, California is a logical launch point for this type of legislation. The bill was signed into law by Gov. Jerry Brown in summer of 2018, and after a period of back-and-forth amending, it’s slated to officially go into effect on Jan. 1, 2020.
To cut through the complexities and narrow it down, the CCPA includes three primary mandates. Starting next year, residents of California must be able to:
- Access their personal information (what’s been collected, by which companies, and why)
- Request deletion of personal information (via, at minimum, a toll-free phone number)
- Opt-out from having their personal information sold (via link on home page of company website)
Now, it bears noting that there’s a fair amount of specificity in the CCPA. For example, the companies that fall under its scope must satisfy certain thresholds in terms of annual revenues, amount of data possessed, and percentage of revenue derived from the sale of consumers’ personal information.
The new law is also ostensibly localized in one state, although that’s a bit misleading: Any company doing business in California is subject to CCPA’s guidelines. The International Association of Privacy Professionals estimates more than half a billion U.S. companies will be affected.
Plus, as Len Shneyder writes at Marketing Land, the Golden State is hardly alone in pushing for data privacy laws: “Bills in New York and other states are making their way through legislatures, all with similar yet nuanced provisions, protections and, in many cases, breach notification requirements.”
Be Compliant, Not Complacent
Whether through the proliferation of state-level laws like CCPA, or the eventual enactment of similar federal legislation, it’s only a matter of time before data privacy regulations are in place across the United States. For marketers and brands doing business in California, compliance is no longer optional. And I’d suggest the same is true for all others, because the alternative – complacency – is only going to set you back while putting customer relationships at risk.
We’ll have to wait and see what kind of specific penalties are levied for those who violate CCPA, but companies running afoul of GDPR regulations have already felt the sting — Google was fined $50 million earlier this year for failing to disclose how data is collected across its various services and platforms. British Airways and Marriott are also among the companies to receive fines under the new law.
Incurring financial penalties shouldn’t be the only motivation here, though, and maybe not even the primary one. As I wrote here earlier this year, when addressing the growing trend toward data privacy legislation, “brands everywhere should take a hard look at their own customer data practices, not just because of these looming legal implications but even more so because it’s plain-old good business.”
We’re all wise to aim for the kind of transparency and control mandated by the CCPA. Responsible data handling is essential to building trust in this evolving digital world. Microsoft is among those leading the charge on this front, pledging to “honor California’s new privacy rights throughout the United States.”
How to Get Compliant with Data Privacy Practices
By no means would I advise that marketers stop collecting and leveraging user data. This information is often necessary to form accurate customer insights as a basis for resonant marketing programs. But we do need to ensure we’re being very up-front about the what, why, and how. Complacency just ain’t a good look.
As a starting point, here are some generally advisable practices when it comes to transparent data privacy:
- Ensure you’re making very clear — on your website and any other applicable digital properties — what information you’re capturing from visitors and how you’re going to use it. This is crucial.
- Collect only the data you need, and nothing more.
- Make it extremely easy for your audience to opt out of everything. Consent is king (that’s how the saying goes, right?).
- Implement multi-layered security measures wherever customer data is stored — especially in cloud-based services.
- Make data privacy a central and persistent talking point in your organization. Everyone involved should be part of the conversation.
Meanwhile, getting specifically compliant with CCPA and its core principles will put virtually any business in a good position going forward. To that end, here are some helpful resources:
- CCPA Compliance Framework, via the Interactive Advertising Bureau
- The California Consumer Privacy Act (CCPA) is coming — get compliant, via The Next Web
- A Quick Reference Guide for CCPA Compliance, via Deloitte
You’re also welcome to reach out to our team at TopRank Marketing if your organization is looking for a partner that understands the data privacy landscape. We’ve been working with several clients under GDPR guidelines since its inception, so we’re no strangers to its scope and implications.