Preparing for privacy: Here comes the CCPA (and more!)


By Kerry Gorgone, {grow} Contributing Columnist

There’s retargeting and then there’s creeping.

Savvy businesses know the difference, but not all businesses are savvy. I’m on board for a certain amount of data collection that companies can use to personalize my experience. In fact, a generic customer experience annoys me, given how easy it is for companies to learn who I am and what I want.

But counterbalancing this desire for personalization, relevance, and convenience is the need for privacy. Gen Z’ers in particular value privacy, and marketers need to take note. Near-constant data breaches have eroded their trust and increased their awareness of how much data companies collect on their behaviors, preferences, activities, and purchases.

The laws are coming

Last year, the General Data Protection Regulation (“GDPR”) took effect in the European Union, causing concern among businesses worldwide as noncompliance could subject them to incredibly hefty fines. Some businesses elected to block EU residents (which doesn’t actually solve the problem, by the way), while others made some attempt to comply with requirements that remain somewhat unclear.

Since the GDPR came into effect, the EU has addressed some isolated instances in which companies failed to comply with the requirements of the GDPR, but the situation is still developing. (If you’re not already up to speed on GDPR, my interview with GDPR expert Lisa Loftis on the subject might help you.)

One thing that’s happened in the meantime is that 24 states and Puerto Rico have introduced legislation to address consumer data privacy. The rise in awareness and shift in sentiment have clearly made their way to the elected representatives, and we can expect more legislation, possibly federal, to clarify requirements for U.S. companies. It’s time for every organization to think about preparing for privacy legislation.

Looking toward CCPA

Amid all the excitement about GDPR, it’s easy to overlook another piece of legislation that passed during roughly the same period: the California Consumer Protection Act (CCPA). Compared with the GDPR, the CCPA had a very short inception period, famously passing after just a week of debate. Nevertheless, its impact on the data privacy landscape in the United States has already been significant – and could become even more so as time goes on.

CCPA, which goes into effect on January 1, 2020, has already impacted the content of other state legislation, but no two are exactly the same.

The landscape for all businesses becomes somewhat tricky because there’s a good chance the CCPA applies to you, even if you’re not based in California.

CCPA affects you

Although the CCPA is often referred to informally as “the American GDPR,” it has a slightly different focus and scope from its European counterpart, being more focused on commercial uses of data as opposed to data processing of all kinds. It also works on an opt-out basis, while under the GDPR, consent (one of the lawful bases for data processing, though by no means the only one) requires “a positive opt-in”.

By its terms, the CCPA protects the private information of California residents even when they’re outside the state. This means that, if you sell anything to or market anything to or gather any data on California residents, you’re subject to the CCPA’s provisions and need to be ready.

Whether or not you think the GDPR or CCPA should affect your marketing, the reality is both will. But the really important thing is that consumers want their privacy protected. That being the case, smart marketers should take a proactive approach, rather than waiting to see what they have to do and then doing the minimum.

Are you ready to get ready?

Preparing for privacy

1. Review your existing data collection and privacy policies.

When preparing for privacy, it’s first things first: Review how you currently handle data and privacy, and determine whether what you’re doing is enough to comply with privacy regulations like the GDPR and the CCPA.

2. Conduct an audit.

Figure out what data you’re collecting, where you’re keeping it, and what you’re doing with it. Conduct an audit of data collection throughout your organization, in every department. You could be collecting data through third-party tools and apps that you’re not even aware you’re using.

Once you know what you’re collecting, decide what data you actually need, then stop collecting the rest.

3. Add in a step for consent.

Review your data collection plan and add a step where users consent (even if the collection is happening through a vendor or third-party app).

Unlike GDPR, the CCPA doesn’t require consent before you start collecting data: it just requires that you let people opt out. Once a consumer does this, businesses have 45 days to process the request, which can involve disclosing what data is collected, deleting that user’s data, or committing to a “Do Not Sell” request for an individual’s data, among other things.

Still, chances are good you’re subject to GDPR, as well, and a more “conscious marketing” approach would suggest that getting affirmative consent is better than trying to slip anything past your audience.

4. Run a “CCPA drill” to see if you’re ready to comply.

Submit some test opt-out requests and see how long it takes you to process them. Remove one test user’s data from your system. Prepare a reply explaining how another test user’s data is being used. Comply with a “Do Not Sell” request.

Bear in mind that you probably don’t have staff whose only job is CCPA compliance, so you’ll need to factor in your staff members’ other duties when calculating the time to complete each request.

When preparing for privacy, be sure to review the requirements for CCPA (and GDPR while you’re at it). There’s a lot of great content comparing the two. Given that similar legislation is pending in nearly half of the states, you might want to adopt whichever approach is more protective of consumer privacy, so you can minimize the amount of revamping your processes and procedures will need later.

Kerry O’Shea Gorgone is a writer, lawyer, speaker and educator. She’s also a Learning Designer at MarketingProfs. Kerry hosts the weekly Marketing Smarts podcast and gets people to open up about their cool collections, weird hobbies, and inspiring side hustles on The Punching Out Podcast with co-host Katie Robbert. Find Kerry on Twitter.
