Authored by Jodi Daniels, Founder of Red Clover Advisors
It’s official – GDPR has celebrated its first anniversary. Now it’s time to take a step back and examine what we’ve learned and how it might be applied to companies preparing for the California Consumer Privacy Act (CCPA) which becomes effective in January 2020.
In the last year, GDPR enforcement has ranged from warnings to fines at companies big and small. Google received the largest fine to date at $57 million, while the small ad tech company Vectaury received a strong warning from the CNIL, the French data protection regulator, that a controller must be able to demonstrate valid consent and that relying only on a contractual relationship is not sufficient. The November 2018 Vectaury warning has driven an important conversation about what consent should look like for the whole ad tech ecosystem.
There has been mass confusion over what cookie consent should look like. Does clicking the “x” to close the cookie consent box mean consent was captured? Does the user have to hit the accept button? Or does simply ignoring the box and scrolling count? In May 2019 the CNIL announced a cookie consent reprieve while it updates its guidelines, set to be announced January 2019, after which companies will have six months to bring their sites up to date.
What does CCPA mean for marketers? CCPA affects companies who fall into one of these three buckets:
- earn $25 million in revenue, or
- collect 50,000 data points on individuals, households, or devices (think 50K website visitors!), or
- earn more than 50% of their revenue from the sale of personal data.
The definition of personal data is very similar to that of GDPR and includes online identifiers (e.g. IP address, cookies, browsing behavior, data segments, etc.). It also includes household-level data and data that can reasonably be tied to an individual, whereas GDPR defines personal data as data relating to an identified or identifiable natural person.
What do companies need to think about to comply with CCPA?
Digital marketers need to know what data is collected, how it is used, what type of notice was provided to the user and what choices are offered to the individual.
The first step is to take a data inventory. If you did this for GDPR, it’s a great first step. Data inventories should be reviewed often and updated for any changes.
It’s important to also include a pixel/tag audit. How many pixels are on the site? Are they still active and required? Each pixel on the site can add latency, increase the risk of malware, and expose the company to data leakage.
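A pixel/tag audit starts with knowing which third-party hosts a page actually loads. The script below is an added example, not code from the original post or from Red Clover Advisors: it parses a page’s HTML with Python’s standard-library parser, groups every script, image and iframe by host, marks hosts outside the company’s own domain as third-party, and flags resources that look like tracking pixels (1x1, 0x0 or hidden). The HTML sample and all hostnames in it are constructed for the example; the pixel heuristic is an assumption and will not catch every tag.

```python
"""Tag/pixel audit over a page's HTML: list every script, image and iframe
by host so stale or unexpected third-party tags can be reviewed against the
data inventory.  Added illustration; the sample HTML below is constructed."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hostnames are placeholders, not real vendors).
SAMPLE_HTML = """
<html><head>
<script src="https://www.example.com/js/app.js"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="//ads.adtech-vendor.example/pixel.js" async></script>
</head><body>
<img src="https://www.example.com/logo.png" width="200" height="60">
<img src="https://t.adtech-vendor.example/px?id=123" width="1" height="1" style="display:none">
<iframe src="https://sync.data-broker.example/cookie-sync" width="0" height="0"></iframe>
<img src="/img/hero.jpg">
</body></html>
"""


class TagCollector(HTMLParser):
    """Collect the src attribute of every <script>, <img> and <iframe>."""
    TRACKED = {"script", "img", "iframe"}

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, src, attrs-dict)

    def handle_starttag(self, tag, attrs):
        if tag in self.TRACKED:
            a = dict(attrs)
            if a.get("src"):
                self.found.append((tag, a["src"], a))


def _host(src, site_host):
    """Host of a resource URL; relative URLs are treated as first-party."""
    host = urlparse(src).netloc.lower()
    return host or site_host


def _looks_like_pixel(tag, attrs):
    """Heuristic (assumption): a 1x1/0x0 or hidden img/iframe is likely a tracking pixel."""
    if tag not in ("img", "iframe"):
        return False
    w, h = attrs.get("width", ""), attrs.get("height", "")
    hidden = "display:none" in (attrs.get("style") or "").replace(" ", "")
    return w in ("0", "1") or h in ("0", "1") or hidden


def audit_tags(html, site_host):
    """Group resources by host and mark hosts outside site_host as third-party.

    Returns {host: {"third_party": bool, "resources": [(tag, src, is_pixel), ...]}}
    """
    parser = TagCollector()
    parser.feed(html)
    site_host = site_host.lower()
    report = defaultdict(lambda: {"third_party": False, "resources": []})
    for tag, src, attrs in parser.found:
        host = _host(src, site_host)
        first_party = host == site_host or host.endswith("." + site_host)
        entry = report[host]
        entry["third_party"] = not first_party
        entry["resources"].append((tag, src, _looks_like_pixel(tag, attrs)))
    return dict(report)


def third_party_hosts(report):
    """Sorted list of hosts that should appear in the data inventory / vendor list."""
    return sorted(h for h, e in report.items() if e["third_party"])


def pixel_count(report):
    """Number of resources flagged as probable tracking pixels."""
    return sum(1 for e in report.values() for _, _, px in e["resources"] if px)


if __name__ == "__main__":
    rep = audit_tags(SAMPLE_HTML, "example.com")
    for host, e in sorted(rep.items()):
        kind = "THIRD-PARTY" if e["third_party"] else "first-party"
        print(f"{host} [{kind}]")
        for tag, src, px in e["resources"]:
            print(f"   {tag:6} {'pixel ' if px else ''}{src}")
```

Every third-party host the script reports should map to a known vendor, a documented purpose and an entry in the data inventory; a host nobody can account for is a tag to remove. Run it against the live HTML of each page template rather than a single page, since tag managers often inject different pixels per section.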
Companies also need to ensure that the privacy and cookie notice reflects what is actually happening with the data identified in the data inventories. Like the data inventories, privacy notices should be dynamic and always reviewed with each new marketing strategy to ensure it accurately captures how personal data is being processed. Further, CCPA has new privacy notice requirements beyond that of GDPR such as disclosing the categories of personal data and the types of companies data is shared with.
The CCPA offers consumers various individual rights, such as the ability to access, delete, port, and opt out of the sale of personal data from the prior 12 months. Companies who sell data are required to have a link on the homepage for an individual to easily opt out of the sale of data and to also include a phone number (there is an amendment to change the requirement to a phone number or an email address). It is critical that companies have a complete picture of the data collected, used, and shared to determine whether data is sold.
The company needs to have a process and policy in place to honor incoming individual rights requests under CCPA and GDPR. This policy should also be tested to confirm that the company can accurately find all the places data is stored, including third parties and service providers, within the allowed 45-day timeframe (note that under GDPR companies have 30 days, and the request covers all data held on the individual, not just the last 12 months).
Are there future laws I have to worry about?
Other states are looking at passing additional privacy laws. In June 2019, Nevada passed a new privacy law effective October 2019 with an emphasis on allowing individuals to opt-out of the sale of data. Other states have laws on the docket and there are numerous lobbyists, industry groups, and companies pushing for a federal privacy law.
Customers are increasingly expecting businesses to protect their privacy. Taking privacy seriously will make the difference between a customer potentially choosing you as a business or picking your competitor. Privacy is just good business.