GDPR Is Just the Beginning. Get Ready for CCPA
Next up—The California Consumer Privacy Act of 2018
The European Union’s General Data Protection Regulation (GDPR) took effect at the end of May. And now many businesses must scramble to comply with the California Consumer Privacy Act of 2018 (CCPA).
Organizations anywhere in the world that receive personal data from California residents will be bound by new regulations if they (or their parent company or a subsidiary) meet just one of the following thresholds:
- Generate gross revenue above $25 million
- Gather personal information from more than 50,000 California residents, households, or devices annually
- Receive at least 50 percent of annual revenue from selling the personal information of California residents
GDPR Compliance Won’t Fly in California
If you’ve worked hard to comply with the GDPR and think your efforts will sync up to CCPA and other new laws as they pop up, think again. With the California law, GDPR-compliant companies will have additional work to do to prepare for CCPA implementation in 2020.
Here are just a few of the ways in which CCPA differs from GDPR:
- CCPA requires companies to set up specific communication channels—toll-free numbers and websites—so California residents can request information about their data
- CCPA expands the definition of personal data to include household information and data from devices connected to the Internet of Things (IoT)
- CCPA establishes a different set of data deletion requirements
- CCPA establishes new requirements around selling data for commercial purposes
How Can You Start to Ensure CCPA Compliance?
The first thing to do is to learn about the new law. Read the full text, and be sure to ask your legal counsel to help you interpret the new rules and monitor any changes that might be made. The law, as passed, is somewhat controversial, and interested parties are calling for its simplification, clarification, and even outright repeal.
Attorney Lothar Determann, writing for the International Association of Privacy Professionals, offers a thorough analysis of the new law.
He offers a list of action items toward compliance, some highlights of which are summarized below:
- Prepare data maps, inventories, and other records pertaining to the personal information of California residents, households, and devices
- Consider alternative business models, including California-only sites and offerings
- Establish designated methods for submitting data access requests
- Provide a clear and conspicuous “Do Not Sell My Personal Information” link on your website’s homepage
- Fund and implement new systems and processes to verify the identity and authorization of people who request data access, deletion, or portability
- Update privacy policies with newly required information, including a description of California residents’ rights
- Establish policies to avoid charges that your business “willfully disregards the California resident’s age” by implementing methods of obtaining parental or guardian consent for minors under 13 and direct consent of minors between 13 and 16
Manage the Growing Complexity with a Customer Data Platform (CDP)
Clearly, the new level of complexity generated by the GDPR, CCPA, and laws we don’t even know about yet requires a flexible, centralized platform for managing data from multiple channels and devices. Marketers must be able to maneuver through the maze of consumer consent preferences and data requests that will be in a continuous state of flux for the foreseeable future.
Fortunately, the right enterprise customer data platform, or CDP, can help businesses find and consolidate data from specific individuals across many disparate systems. CDPs are designed to break down silos and integrate data from multiple sources—including IoT devices—to give unprecedented visibility into the behavior of prospects and customers.
CDPs were first developed as the next evolutionary step up from customer relationship management (CRM) systems and data management platforms (DMP), to help marketing improve targeting, relevance, and personalization. However, the inherent functionality of a CDP as a data unifier and processor makes it ideal for managing consumer consent preferences and complying with new data protection laws.
Beyond the Legal Implications, It’s a Matter of Trust
Data protection compliance is the new normal, and the way organizations respond to new rules and regulations can make or break the customer relationship. Customers are getting to the point where they hold all the cards when it comes to their personal information, and companies must treat all consent relationships with the respect they deserve if they expect to maintain long-term trust.
At Treasure Data, we know that a CDP can be an organization’s single source of that trust, and we’re dedicated to helping enterprise organizations reap the rewards of unified data as quickly and as affordably as possible.
To learn more, download our recent white paper on Building Trust Beyond Compliance. This valuable paper discusses compliance issues in greater detail and can help you keep the trust you work so hard to earn every day. You might also be interested in our comprehensive Marketer’s Guide to GDPR, which offers practical advice on how to update your communication channels to align with new rules and regulations.