Resolution No.1 for 2020: Avoid Falling into the CCPA Leghold Trap
Aptly so, the first editorial piece of the Year 2020 is about the California Consumer Privacy Act (CCPA). We will be tracking its mandates and how businesses cope with the new regulation over the next 6-8 months.*
The California Consumer Privacy Act (CCPA) officially came into effect on 1 January 2020. With barely hours since its kick-off, a majority of US businesses are still trying to standardize their CCPA data privacy guidelines. Those with a strong grip on the EU’s General Data Protection Regulation (GDPR) may have a better chance of tackling the latest challenge and handling consumer data privacy practices. Others, who have been idle or have done the least on CCPA, could fall into this new-age “digital leghold trap”.
We reached out to leading Marketing and Sales executives to understand their CCPA preparedness and what steps they have taken to comply.
In this article, we explain why your first action plan of the New Year should focus on fortifying your existing data governance and IT security technologies, investing in new AI and ML-based data management technologies, and improving overall Data Wrangling practices. Adhering to all of these would ensure safe passage through a minefield of traps in which a single misstep could blow all your business chances.
A Quick Overview of the CCPA Price Tag
CCPA Compliance Comes With a Hefty Price Tag: California DOJ Assessment
According to a report prepared for the Attorney General’s Office California Department of Justice, the initial CCPA compliance cost is speculated to be $55 Billion. This is equivalent to two percent of California Gross State Product in 2018.
The report titled, “Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations” states that nearly 99% of California businesses have fewer than 500 employees.
How would the CCPA Compliance Cost Vary?
The Standardized Regulatory Impact Assessment provided a breakdown of the components and factors that decide the CCPA Compliance Cost. These are based on:
- the type of company,
- the maturity of the business’s current privacy compliance system,
- the number of California consumers they provide goods and services to, and
- how personal information is currently used in the business.
Chris Babel, TrustArc CEO, stated –
“While all aspects of privacy compliance are important, a business’ external-facing websites, apps, and ads are often subject to the most scrutiny by customers, partners, and regulators. Companies are looking for technology solutions to streamline and automate the process of responding to data subject access requests (DSAR) and managing cookie consent requests, as well as generating compliance reports.”
Start with CCPA FAQs
I found a very interesting article on CCPA and the various other components that could help your business get away from the sticky wicket.
One such article is written by the CEO of TeachPrivacy, Daniel Solove. George is a legal tech expert and Professor at GW Law School. The clear distinction between CCPA and GDPR is very useful here. You can understand how GDPR and CCPA actually work, and how they impact their respective subjects.
You can also read helpful CCPA survival guides and whitepapers, and attend webinars. For example, data risk intelligence company Clearip advises businesses to steer clear of mishaps, such as the one that happened with Facebook and Cambridge Analytica.
In 2018, Chief Data Officers and legal advisors sparred on the topics of GDPR and Cambridge Analytica. While the EU has fined global companies for noncompliance in GDPR-related cases, the US FTC entered into a consent order with Facebook to resolve its investigation into the Cambridge Analytica scandal for $5 billion and another twenty years of compliance monitoring.
In addition to the usual CCPA and GDPR features, readers should also seek information about Data Subject Access Requests (DSARs), Brand Indicators for Message Identification (BIMI), CAN-SPAM, Canadian Anti-Spam Law (CASL) and AB-375.
Help Digital-Native Customers Understand the ‘Creepy’ Factor
In 2015, most marketers believed that data was the new ‘currency’ of doing business. Every marketer was focused on collecting Big Data, especially from Mobile, Email, Forms, Social Media, and other unique channels. These channels would often lure gullible consumers into seeing and trying out products before buying; in exchange, consumers filled out a form or shared their details. By 2018, the tables had turned on these data practices, courtesy of GDPR.
However, the creepy factor continues to haunt consumers.
“41 percent agreed that they have reduced use of social media due to privacy concerns while a majority (59 percent) have not.” – Selligent Global Connected Consumer Index
The Selligent Global Connected Consumer Index found that consumers prefer online shopping because of sizeable offers/discounts on big-ticket purchases. For the sake of enjoying seamless experiences online, customers still share their personal information and details related to their usual buying/shopping behavior to get better results and recommendations from the stores.
But, that’s going to change soon with the biggest California News of the year!!!
As Gartner predicts that 80% of marketers will abandon personalization efforts by 2025, we thought every CMO should know this unique relation between consumer data and personalization efforts. Gartner states that “71% of consumers believe personalization is very important; but, only 51% of consumers are willing to share personal data for more personalized customer experience.”
Niki says, “Building consumer trust and long-term loyalty is the holy grail for any marketer. Consumers today are more connected than ever; they expect a level of personalization in their brand interactions and want everything in an instant. But because they are also wary of their data being used in ways they may not agree with, brands need to develop a strategy that strikes a relevancy balance – articulating personalized consumer value without being intrusive. To successfully do this, businesses need an intelligent platform that provides a complete view of the customer. Having full visibility across all consumer touchpoints will enable brands to deliver an elevated customer experience and drive lasting value.”
Comply with the Industry Framework to Support CCPA Compliance Amongst Publishers
With CCPA, consumers have more control over their data and the power to authorize the use of that data by businesses. As IAB puts it, “CCPA is an omnibus statute that seeks to create broad privacy and data protection rules that apply to all industries doing business in one jurisdiction, California, rather than focusing on a single sector or specific data collection and use practices. The CCPA was created in response to changing public perceptions.”
Last month, IAB released the industry-first CCPA Compliance Framework for Publishers and Technology Companies.
The IAB CCPA Compliance Framework guides the publisher community to responsibly collect, analyze and utilize PII across the data management chain.
Adhering to the framework entails two benefits –
- For participants, it creates a simple and efficient vehicle from which to create service provider relationships in the data supply chain without the need of having to enter into hundreds of separate contracts.
- It provides participants with the opportunity to demonstrate accountability by requiring them to submit to audits and/or self-certifications to ensure that when the consumer opts out, limited personal information is being used only for purposes permitted by the CCPA.
In an official blog, Michael Hahn of IAB stated –
“Creating a new industry framework to support CCPA compliance amongst publishers and technology companies engaged in programmatic transactions requires careful consideration, implementations in a technologically complex and important ecosystem and balancing of different perspectives and business models. We believe that the Framework and Agreement accomplish this by providing ad tech companies with assurances that participating publishers provide California consumers with explicit notice and the opportunity to opt-out of the sale of their personal information. Participating publishers will also have assurances that ad tech companies and vendors use personal information pursuant to limited CCPA permitted “business purposes” when California consumers exercise the right to opt-out of the sale of their personal information.”
Michael Hahn is SVP & General Counsel at the Interactive Advertising Bureau (IAB).
You can refer to these resources:
- OpenRTB Extension for U.S. Privacy: For support of the IAB CCPA Compliance Framework, this document specifies how to pass information pertaining to CCPA within OpenRTB
- U.S. Privacy User Signal Mechanism “USP API”, (CCPA Compliance Mechanism): This document outlines technical mechanisms to support communication of the U.S. Privacy signal. These signals contain information about disclosures made and choices selected by a user regarding consumer data privacy under US Privacy regulation and are documented in a separate US Privacy String specification.
- U.S. Privacy String (CCPA Opt-Out Storage Format): To facilitate CCPA compliance, the U.S. Privacy String signals whether or not the U.S. Privacy regulations apply to the consumer, if an “explicit notice” legal disclosure has been established with a consumer, and if the consumer has chosen to opt-out of the sale of their personal data.
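As an added example (not code from the IAB documents or from this article), here is a reader for the U.S. Privacy String described in the last item. The four-character layout follows version 1 of the IAB specification; the function names, the sample values and the fail-closed policy are assumptions of this example.

```javascript
// Added example. Layout per the IAB U.S. Privacy String spec, version 1:
//   position 0: spec version ('1')
//   position 1: explicit notice given          ('Y', 'N' or '-')
//   position 2: consumer opted out of the sale ('Y', 'N' or '-')
//   position 3: LSPA covered transaction       ('Y', 'N' or '-')
const USP_V1 = /^1([YN-])([YN-])([YN-])$/;

// Hypothetical helper: returns the decoded fields, or { valid: false }.
function parseUsPrivacy(raw) {
  const m = typeof raw === 'string' ? USP_V1.exec(raw.trim()) : null;
  if (!m) return { valid: false };
  const [notice, optOutSale, lspa] = m.slice(1);
  return {
    valid: true,
    version: 1,
    // "1---" is how the spec signals that CCPA does not apply to this consumer.
    applies: !(notice === '-' && optOutSale === '-' && lspa === '-'),
    notice,
    optOutSale,
    lspa,
  };
}

// Policy assumed for this example (not mandated by the spec): fail closed.
// A missing, malformed or unknown-version string is treated like an opt-out,
// and a sale is only allowed when notice was given and no opt-out is recorded.
function maySellPersonalInfo(raw) {
  const s = parseUsPrivacy(raw);
  if (!s.valid) return false;
  if (!s.applies) return true;
  return s.notice === 'Y' && s.optOutSale === 'N';
}

// Constructed sample values, not captured from any real site.
const samples = ['1YNN', '1YYN', '1---', '1NNN', '2YNN', '1YN', '', undefined];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', maySellPersonalInfo(s));
}
```
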
New Gig Economy in Retail and Services, Minus the Likes of Google, Facebook, and Amazon
2019 was a big year for the AdTech industry. We saw the implementation of browser cookie tracking policies and brands/publishers starting to challenge the triopoly. With CCPA, retail tech players (vendors and customers) have an interesting challenge to tackle.
“Nike recently announced they were pulling their products from Amazon. Nike was able to do this because of their purchase of Celect, which allowed Nike to bring personalization to their own properties. Amazon used to have the advantage here since you would have to log in to Amazon to peruse products, and then products would be shown to the user on a person-by-person level. However, brands are getting smarter about leveraging the vast first-party data they have and creating identity graphs that deliver the ability to personalize ads. Now, there’s less need for a brand to hand over the inventory to Amazon, and brands like Target, Wal-Mart, and Kroger are even thinking about monetizing their own online digital inventory like a news publisher does.”
Kerel added, “The last few years have been a bloodbath for Publishers as revenue decreased for them while going up for the likes of Facebook and Google. Publishers had favored Google’s and Amazon’s solutions, both of which brought Publishers diminished returns and handed power over to the industry giants of Amazon and Google. Prebid won’t solve every problem for Publishers, but it is a symbol that Publishers are fighting back. Expect more consortiums and strategic data-sharing in order to mount a defense against the walled gardens.”
CCPA is Unique: It’s a Journey, Not Just a Step You Can Walk Away With
According to eMarketer’s Principal Analyst, Lauren Fisher, “As we saw with GDPR, CCPA compliance is a journey that most companies won’t be able to complete before the January 1, 2020, deadline. Even those who feel ready and say they’re compliant will likely have to make modifications and changes as the year progresses and the true nature of the regulation becomes clearer. Companies need to look at compliance as an ongoing process and not a static checklist.”
In December 2018, leading security and identity management company OneTrust announced the expansion of the OneTrust ID Verification Partner Program.
Together with its partners, including Acxiom, IDology, Evident, ID DataWeb, Socure, Yoti, ID.me, and LexisNexis® Risk Solutions, OneTrust will provide the market with a choice of leading industry and vertical-specific ID Verification techniques. This community will help businesses streamline the identity verification process to complete consumer rights requests within the 45-day time obligation under the California Consumer Privacy Act (CCPA).
We expect to see many more unique CCPA partnership programs to help data teams manage CCPA practices effectively.
(*To share your insights on CCPA Preparedness, Standard Practices, and Challenges, please write to us at email@example.com)