Measuring CCPA Preparedness of Big Data Companies: Facts and Insights

By now, you must have heard about the countless experiences of global Big Data companies and their battle with the General Data Protection Regulation also known as “GDPR” that passed in the European Union. GDPR was passed in 2016 and went into effect in 2018, yet businesses are still coming to terms with GDPR challenges and compliance standards. And now, a similar data privacy law is going to take effect in the United States, fortifying the already-stringent state laws. We are talking about the California Consumer Privacy Act (CCPA).

This article provides a quick snapshot of how the largest Big Data companies see the California Consumer Privacy Act (CCPA) and what are their preparedness levels to protect online consumers using their services and products. As Reuters puts it, “The law is likely to impact a broad swath of companies from Facebook Inc and Alphabet Inc’s Google, to retailers like Walmart and Amazon.com Inc, beginning next year.”

But first, the basics.

What is CCPA?

The CCPA of 2018 will come into effect from 1 January 2020. The new data privacy act grants special rights to the consumers who are basically California residents. These special rights enshrined in the CCPA prevent any kind of misuse of personal information for marketing and sales purposes or being sold to third-party data management companies.

Accenture’s Shawn Sprecker and Manoj Krishna recommend building an entirely new CCPA-compliant data governance framework to manage consumer data and operationalize their privacy requests in real-time.

Going a step forward with what GDPR requires, CCPA preparedness entails every data mining company to make adequate disclosures about their privacy policies and individual’s requests for more information. This information relates to the sale of personal data, data privacy policies, deletion of individual information on request, and so on. Big Data companies have to exercise a different path to ensure CCPA compliance, even if they are GDPR-compliant today.

What Companies Fall Under the Purview of CCPA?

In addition to CCPA 2018 requirements related to California residents, the law also presses for these conditions:

• The businesses are for-profit only
• Earn more than $25 million annual gross revenue
• Mine more than 50k personal data from California residents/region
• Profit from sales of these personal data account for more than 50% of total annual revenue

Google’s CCPA Policy

Google’s CCPA policy states –

“We already have processes to build privacy into our products from the very earliest stages, and we are continually evolving our practices, including Data Protection Impact Assessments, to meet worldwide changing requirements including those in the GDPR around Privacy by Design and Privacy by Default.”

Google is protecting its consumers and users with stringent adherence to CCPA. Google’s CCPA policy will now comply strongly with state laws to prevent any misuse of data processing for the first-party or third-party demand. Open Bidding for publishers is 100% disabled, meaning that there would be ‘no callouts’ made to the Open Bidders.

Third-party authorized Buyers are disabled, meaning no RTB services or callouts are available to these Authorized Buyers. However, Mediation is not disabled and would continue to be available on request.

Google is also offering User Transparency.

It states –

“We provide transparency about how data is used in our ads products. We ask users for permission to use data to personalize ads and provides transparency into how the data is used in real time via “Why This Ad?” We provide detailed explanations on how we use data on safety.google.com and in our Privacy Policy. We also provide transparency to users on what data Google saves about them in their Google Account, where users can view and manage their data, privacy, and security settings. Users can go to their ad settings to control the use of data for ads personalization and for all ads shown by Google, including on our Google Marketing Platform products. As part of our continued commitment to giving users controls to manage their privacy, we have updated our account creation experience to give users more options on what data they choose to save in their account.“

You can read Google’s data privacy stance here.

Amazon Web Services and Amazon.com

AWS provides the best benchmarks and resources to meet the CCPA guidelines. They have published two CCPA-centric whitepapers – Using AWS in the Context of Common Privacy & Data Protection Considerations and Preparing for the California Consumer Privacy Act. In addition, AWS also provides a customer enablement platform to adhere to CCPA compliance, including deletion, encryption, and monitoring of consumer data processing on AWS Service Capabilities.

This is what AWS recommends to consumers before choosing a Cloud solution.

When evaluating the security of a Cloud solution, it is important for customers to understand and distinguish between:

1. Security measures that AWS implements and operates – “Security of the Cloud”
2. Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services – “Security in the Cloud”

In their current blog section, AWS clearly mentioned that the company doesn’t intend to provide customers with legal advice on their requirements under CCPA or further counseling on how best to prepare for CCPA’s implementation and enforcement.

Facebook’s Privacy Policies

Back in July 2019, it was reported that Facebook is a non-GDPR compliant company in the EU. Ireland’s Data Protection Commission (IDPC) confirmed that Facebook was found to be violating GDPR regulations by collecting and storing sensitive user information such as contact numbers and passwords in plain text. If it was found to be misleading regulators and consumers once in GDPR policies, it may not be adhering to CCPA 2018 either.

However, for beginners, Facebook clearly mentions that consumers need to make data-related choices themselves. These privacy choices are designed to bring best experiences and services to every customer. Facebook users can control and adjust privacy settings to only an extent, and that leaves a gaping hole in how Facebook uses consumer data for its profit.

In its data policy page, Facebook owns how it collects information. These pertain to user’s contact information, device information, and information from Facebook partners and products.

SAP

SAP has formally announced its CCPA Preparedness. It has mentioned that the SAP Customer Data Cloud will fully-comply with CCPA requirements as well as other important data protection and consumer privacy regulations, including anti-spam, accessibility, healthcare, and data localization compliance. The CDP will also enable its customers manage CCPA.

It stated –

“SAP has been consistent in its approach to data protection as part of our general product standards and this is now being extended to reflect new requirements in the CCPA. As our customers prepare for compliance, SAP has set out a summary of the changes introduced by the CCPA, the implications of these changes, and how SAP product features can help customers implement CCPA requirements.”

“Complexity grows when organizations need to keep track of every purpose for which personal information is being processed and when they need to ensure that all individuals have received appropriate disclosure for each data-processing use case. These measures must be built into existing IT infrastructures.”

Dun & Bradstreet

Dun & Bradstreet is one of the most prized commercial database companies in the world with very high CCPA preparedness. It manages information for over 332 million business records, spanning across 120M+ Hierarchy members and 375M data elements updated daily. It collects and stores data for multiple products serving various industries, including D&B Credit, D&B Hoovers, D&B Lattice and D&B Compass.

With millions of sensitive data related to customers, suppliers, partners, and prospects, it is fundamentally critical for a Big Data management company like Dun & Bradstreet to adhere to CCPA. It not only adheres to CCPA but also prepares customers to adhere to the highest standards of data governance met with dependable quality and consistency you require for your master data content. These are connected and integrated through multiple systems or workflows within your ecosystem of Cloud, Software and Analytics platforms.

Lauren Bakewell, Chief Product Officer, Sales and Marketing Solutions, at Dun & Bradstreet writes, “Here at Dun & Bradstreet, we believe ethical business practices and scalable growth go hand in hand. In fact, ethical practices are a big reason our clients put their trust in us. We are proud that the Ethisphere Institute has voted us one of the world’s most ethical companies for eleven years in a row.”

OneTrust

OneTrust provides a unique CCPA adherence platform to users and consumers. It is already helping numerous businesses to simplify CCPA by delivering them with customized and purpose-built data privacy solutions and professional services. The OneTrust DataGuidance offers direct access to a centralized repository of CCPA resources that includes the full CCPA text, summaries, comprehensive guides, and regulatory guidance, as well as a CCPA amendment tracker.

In addition to its own preparedness, the company is heavily guarding its customers to stick to CCPA guidelines in 2020 through OneTrust Maturity & Planning and Program Benchmarking tools.

Industry Insights

James McDermott, CEO at Lytics predicts the following in the CCPA era in 2020 —

• Vanity Metrics vs. Tangible Conversions: How to take the customer beyond ‘clicks’ – In the past, marketers have been focused on vanity metrics like clicks, but what they want now is to drive conversions. The power of AI/ML assisted customer intelligence will play a much larger role for marketers and deliver on actual conversions.
• The future of 3rd party data: how to reach your audience in a privacy-centric world – Third-party cookie changes combined with CCPA and GDPR will diminish the viability of any ad provider that doesn’t have a first-party relationship (authenticated), making them the only viable ad platforms.
• Marketing siloes will cease to exist – We should expect a new model for marketing that integrates a marketers’ current silo into the rest of the organization to solve alignment problems between marketing and other departments.

Analytic Partners’ Jenn Leire, states –

CCPA will help simplify and even enhance personalization for many brands. While companies will need to realign and revalue their data, consumers, who will have to opt-in under the new law, will be encouraged to participate and actively engage on their end, creating a positive feedback loop. Post-CCPA personalization approaches will also help get rid of waste and allow for better customer segmentation, as brands will be able to better identify groups ranging from most loyal customers to those who have the least brand awareness (and therefore, the likelihood of making a purchase). Jenn thinks CCPA might also increase consumer trust, and therefore, increase consumer willingness to allow offer-based targeting on their phones, for example.

For smaller players, who might not have the valuable first-party data available to larger entities, like a Walmart, Jenn recommends that their personalization strategy will need to differ as they will need to develop personas to optimize campaign performance.

Iván Markman, Chief Business Officer at Verizon Media said,

“CCPA marks the “Evolution of Regulation…” A major component of 2020 will be privacy and data regulation as CCPA comes into effect in the New Year. The U.S. is not alone in evaluating its approaches to regulations, and we’ll continue to see inputs from governments around the world. In tandem, the industry itself is evolving to support privacy initiatives and provide consumers with greater transparency and choice when it comes to their data. Implementation, of course, will not come without challenges, but the greater focus will create new opportunities and allow for innovation. It’s important for everyone in the ecosystem to act in a principled way and seek to build trust with consumers. In short, what’s good for consumers is good for us all.”

Kerel Cooper, SVP Global Marketing at LiveIntent (people-based marketing platform), said, “2020 Will Be The Year the Tides Begin to Change for Publishers. The last few years have been a bloodbath for Publishers as revenue decreased for them while going up for the likes of Facebook and Google. However, Publishers are finally embracing the common cause and working together. The biggest example is Publishers embracing the open-source pre-bid auction clearinghouse. Previously, Publishers had favored Google’s and Amazon’s solutions, both of which brought Publishers diminished returns and handed power over to the industry giants of Amazon and Google. Prebid won’t solve every problem for Publishers, but it is a symbol that Publishers are fighting back. Expect more consortiums and strategic data-sharing in order to mount a defense against the walled gardens.

Pavel Dmitriev, former Principal Data Scientist for Analysis and Experimentation at Microsoft, and current Vice President, Data Science at Seattle-based Outreach, said,

“Government regulations such as GDPR and CCPA make letting customers know what AI systems do with their data and how they make decisions a legal requirement. In 2020 we will see an increased emphasis on technologies and processes designed to increase the transparency and trustworthiness of AI solutions. As the saying goes: garbage in, garbage out. Collecting, cleaning, organizing and labeling data for AI is a huge challenge. While developments in data storage and processing will continue to gradually make this easier, I don’t expect a breakthrough in this area in 2020. High-quality data will continue to be the main bottleneck in deriving value from AI initiatives.”

Richard Vestuto, a Managing Director at Deloitte Transactions and Business Analytics LLP, said, “In terms of compliance, working with third parties is important because the organization is responsible for what those third parties do with its data—not to mention fourth and fifth parties.”