Since the Cambridge Analytica debacle of 2018, data and data privacy have been hot topics. Consumers are increasingly aware of the personal data they elect to provide and are demanding stricter regulations regarding the use and sale of their personal information. As a result, data regulation is top of mind. Legislation like GDPR and the California Consumer Privacy Act, or CCPA, has begun to come to fruition in governments across the globe.
The common thread through these new laws is the definition of an entirely new human right: the right to be forgotten. Although CCPA is California-based legislation, a national or global brand will find it difficult to segment consumer data collection and storage by location or residence, meaning changes will likely need to be made universally across your organization. This will not be the only state or federal-level legislation passed in the United States, so your organization should be prepared to comply with new state or federal requirements as they arise.
Why should I care?
In a marketplace where consumers are increasingly educated and express concern over data privacy, your brand should be concerned too. The success of your marketing programs and the life of your business depend on it. Besides the risk of severing trust with your consumers, non-compliance in these new legal landscapes could result in significant monetary fines and legal action against your company.
Key Challenges of CCPA
- The broad definition of personal information
- Difficulty in identifying California residents and households. Who are the consumer’s relatives and members of household?
- The requirement to provide notice of sale of data. How will you contact each individual or household in your database and how will you notify them of a sale?
- The required “DO NOT SELL MY PERSONAL INFORMATION” opt out could adversely affect certain conversion goals, such as newsletter subscriptions
- More legislation will follow. As additional states and countries adopt similar laws, it will be increasingly difficult to comply with the nuances of each piece of legislation
Implications and Predictions
GDPR and CCPA have established a new baseline for consumer rights, and we will see other states and federal legislation follow these models. Maryland and Massachusetts are already working to implement laws following the CCPA model, and Washington is following suit with the GDPR model. We will likely see significant changes to advertising platforms as they work to comply with these new definitions of personal information. I also predict we will see a rise in data privacy and tech services as companies work through implementation.
Key Takeaways for Your Team
- Consumers have the right to access and delete their data
- You are required by law to heed those requests
- You should be prepared to comply with additional state and federal legislation
- You should consult your legal, IT, webdev and operations teams to determine what next steps should be taken to ensure compliance for the brand
Actions & Steps to Compliance
- Create a data map. Understand the scope of personal information collected, used, and shared in your organization via data mapping. Where are you collecting information? Is it considered personal? How do you use it? Who do you share it with?
- Examine the impact of opt out or deletion requests. Will these opt outs have an impact on your ad targeting or email lists?
- Prepare your policies and procedures. Additional data regulation will likely come from the state and federal level, so you need to put yourself in a position where you aren’t scrambling to comply with those changes each time.
- Staff accordingly and provide training. You should be prepared to handle a large volume of access and deletion requests, and you are required to provide two avenues for submitting them, one of which must be a toll-free number.
- Take a look at your third-party contracts. Work with your legal team to update any necessary terms or language.
Read on to learn more about the enforcement, risks, and definitions outlined in CCPA:
What is CCPA – California Consumer Privacy Act?
CCPA is groundbreaking, first-of-its-kind data privacy legislation in the United States, passed in California in June of 2018. It is the most comprehensive piece of US legislation protecting consumer data and privacy to date. It resembles GDPR but differs from it in scope and territorial reach. It outlines consumer rights to data privacy, including the right to access and delete consumer information, and it sets out the requirements placed on businesses and the penalties for non-compliance.
CCPA affects for-profit companies that meet any one of the following criteria:
- Do business in California or with California residents or households
- Collect information and determine the purposes and means of processing data
- Buy, sell, or share personal information of 50K consumers, households, or devices
- Have gross revenue greater than $25M
- Derive 50% of their annual revenue from sharing personal information
CCPA Outlines Consumer Rights:
- Right to equal service/price
- Right to know and access what personal information is collected, sold, disclosed for business purposes
- Right to deletion and opt out of sale of personal information
- Right to opt in to the sale of children’s personal information
Under CCPA, businesses are required to:
- Have reasonable data security measures and practices
- Disclose the types of data collected and the purposes for which they are used
- Provide an opt out: “DO NOT SELL MY PERSONAL INFORMATION”
- Handle data access requests and provide a 12-month look-back of customer data
- Provide training for employees responsible for handling consumer inquiries
Under CCPA, businesses are NOT required to:
- Retain personal information collected for a single or one-time transaction, as long as information is not sold or retained
- Re-identify or decrypt any data that could not reasonably be linked back to an individual or household
Risk of non-compliance
- Private Right of Action includes damages limited to $750 per consumer per incident or actual damages, whichever is greater
- Collective or class action lawsuit
- Attorney General enforcement: not more than $2,500 per violation or $7,500 per intentional violation. As it stands, businesses are given a 30-day grace period to cure any violation, but once CCPA enforcement begins, the 30-day grace period will cease and violations may be penalized immediately
What is personal information?
Personal information is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Examples of such identifiers include:
- IP address, online identifier, browsing history, search history, demographic data, online behavior, purchase behavior, and inferences used to create a profile about a consumer, to name a few
What is not considered personal information?
The following categories are not considered personal information:
- Publicly available information, such as information from federal, state, and local government records
- Aggregate information that is not reasonably linked to an individual or household
- De-identified information, meaning you have taken steps to protect it and ensure it cannot be re-identified and linked back to an individual or household
What does it mean to sell personal information?
This includes selling, renting, transferring, communicating, releasing, or disclosing information for monetary gain or other valuable consideration. This could have implications for ad platforms, third-party vendors, and partners. Legal language in the legislation does protect parties acting on behalf of the business, but it is not clear how this distinction will be made or enforced.
If a customer opts out of your data collection or requests that their information be deleted, what happens? Do they lose access to special pricing or quality of service? Under CCPA, this is considered a form of discrimination. Marketers can defend themselves from this risk by understanding the value of data. Marketers can, by law, adjust pricing or the level or quality of service where the difference in price or quality is reasonably related to the value of the data lost. Marketers can also offer reasonable incentives to discourage opt-out, but incentives must not be unjust, coercive, or unreasonable.
Disclaimer: Room 214 is not authorized to provide legal advice, and the information in this article should not be construed as legal advice. Speak with your legal team to decide what steps need to be taken for your organization.