Prompted by the growing number of consumer data security breaches and increased data privacy concerns, the State of California recently passed the California Consumer Privacy Act (CCPA), which imposes more stringent restrictions on data sharing for for-profit businesses. This law reflects a growing global concern about consumer privacy protection, including the recently-enacted Global Data Protection Rights (GDPR) and the Canadian Anti-Spam Law (CASL). Although the CCPA law will not be enacted until 2020 and will only affect consumer data in California, the likelihood of other regulations affecting organizations’ consumer data treatment nationwide and even globally is great.
California Consumers’ New Data Privacy Rights
For the first time in the U.S., Californian consumers will own the personal data that is collected about them by businesses. In addition to name, address, phone numbers, birth dates and email, personal data, or Personal Information (PI) as defined in CCPA, includes household information, IP addresses, device IDs, cookie IDs, and browsing and purchase history. Inferences drawn from personal information to create profiles, and any other information that could reasonably be linked, directly or indirectly, with a particular consumer or household, will also be considered “personal” data.
Defining personal data more broadly than GDPR, CCPA gives Californians the right to see which categories of PI are collected about them, to obtain a copy of their PI, and to learn whether their PI is sold or disclosed, and to whom. Consumers can also opt out of the sale of their PI as well as access and effectively delete their PI. Financial penalties for CCPA non-compliance could add up into the millions if marketers don’t proactively shore up their consumer data privacy policies.
Proactive Automated Compliance Strategy – Putting the Consumer First
So, what does this mean for marketers and what actions should they be taking? Regardless of whether the CCPA remains the same or is amended, or another state, national or global regulation is passed, consumers’ privacy rights and the treatment of their identity data should be job number one for marketers. It’s not a question of if but when it will impact a brand, agency, publisher and martech provider. The best approach is to proactively develop a lean-in compliance strategy that incorporates technology to minimize manual intervention and establishes rigorous yet nimble policies for allowing consumers to manage their personal data.
Enable opt-out options – First, it’s important to proactively provide the ability for consumers to opt out, which will prevent the sharing or selling of their personal information. The required opt-out options are intended to make it as easy as possible for the consumer, including establishing and promoting a toll-free number and a clearly defined Do Not Sell My Personal Information link on the brand’s website and on its data partner’s website.
Verify the consumer identity – Consumer verification and consent considerations should also be taken into account to ensure the consumer’s right to privacy and permission is paramount. As an example, individuals’ identities must be verified to ensure that individuals requesting a copy of their PI report, opting out or exercising other rights are indeed who they say they are and that their identities are protected. In addition, a business must be able to tap into its different systems to show where and how it has used the consumer’s PI. Verification may be automated by a data provider that typically already has these privacy safeguards and best practices in place. Data providers that have not previously dealt directly with consumers need to identify the best, safest, and most efficient manner to use managed data resources to fulfill the verification requirements. This becomes a critical part of the process. A verification process that is overly rigid could lead to excessive exception handling, expense, and consumer frustration. A verification process that is too lax could lead to security issues. Every data provider will need to find the unique approach that works best for them, and a “one size fits all” solution may be hard to come by. Additionally, further refinement of CCPA language could dictate further changes in this area, so flexibility will also be key. Finally, the verification process needs to fit within the overall required time period to honor a consumer’s request to exercise rights – CCPA’s current language stipulates a 45-day period.
Be ready to report – Anticipating “To Be Determined” situations and monitoring further regulations should not be overlooked. This process should include a focus on establishing ongoing and routine reporting as well as security audit capabilities, and future process improvement requirements which are not yet clearly defined. Businesses also need to ensure that they are capturing and retaining all reasonable aspects of every consumer transaction, including time-stamp(s), entry data, and disclosed information. Try to anticipate the reporting needs that will certainly be better defined as time passes. Try to anticipate your own internal reporting needs as you identify the true costs and impact to the business. Finally, proper training is also an essential aspect as consumer-facing employees should be able to assist individuals with privacy-related questions and requests.
Document consumer data policies – Businesses need to maintain a Consumer Disclosure document in a consumer-friendly, readable format which reinforces the nature of its business and that of its data partner, if applicable, as well as language describing the categories of its data sources, e.g., first-party, third-party data, etc.
More than ever, a company’s goodwill is dependent on its data management practices, particularly identity data, as it is the living data that incorporates a person’s interests, behaviors, locations, and transactions. Careful consideration of the privacy, security, adherence to regulations, transparency and communication of consumers’ data can make or break a brand’s reputation and ensure that it is on the right side of anticipated future regulations.