The California Consumer Data Privacy Act – 3 Steps Marketers Need to Take NOW
If you’ve worked hard to meet the last round of requirements for the GDPR privacy requirements, and thought you could breathe a sigh of relief, we’ve got some bad news from California.
New California regulations mandate even stricter data protection practices, which must be in place by 2020. The California Consumer Data Privacy Act (CCPA), passed in June 2018, limits how much data can be stored by businesses interacting with California-based consumers, and also restricts what can be done with that data. What does this mean for your marketing teams and the rest of your enterprise?
What’s in the CCPA?
The Act includes greater protections for California residents, and has many marketers asking themselves the following questions:
- Which data can be shared or sold by companies?
- What damages and penalties can result from a lapse in protection of California consumer data?
- What do marketers have to do to support consumers’ right under the CCPA to understand all the data that a company is collecting on them?
What CMOs and marketing directors need to do
For marketers, this regulation means that language must be added to any forms or landing pages (with cookies) that collect personal information clearly defining what data will be collected and stored, and if it will be shared or sold. Information must also be added to privacy policies describing what steps consumers can take to request the company delete the information and general information regarding what data it collects and how it uses customer data.
Also, twice a year, consumers can request a complimentary report of all data any given company is collecting on them, what it is being used for and where it came from. The request must be fulfilled to them within 45 days at no cost to them.
Who is affected by the regulation?
CMOs and marketing directors at companies that collect personal information from consumers who live in California—directly or indirectly—need to ask themselves whether any of the following describes their companies. Answering “yes” to any of the following questions requires your business to conform to the CCPA:
- Does your company have annual gross revenue above $25 million?
- Does your enterprise buy or sell the personal information of 50,000 or more consumers per year?
- Does your business generate half of its revenue from selling consumers’ personal information?
Interestingly, the act does not require the state of California or local governments to follow these rules, which has provoked considerable controversy
What should you do about the CCPA?
So where should you start? Experts recommend the following best practices to achieve compliance with the CCPA.
Scrutinize your data
Take a close look at the data you’re collecting and look for ways to efficiently identify, locate and remove data. Also, take a look at the third-party service providers who have access to your data and ask questions until you understand about what they do with it. In this new paradigm, marketers must take ownership of data and ensure all team members and partners act as stewards of customer information.
Stop hoarding data
Many enterprises have a hidden data hoarding problem, often amassing mountains of customer information and device data that’s often not used and not responsibly handled. Up until recently, marketing efforts were so focused on gathering as much data as possible that companies are struggling to figure out how to leverage it for real value. Now these same enterprises face a far bigger issue—the potential to violate a customer’s trust and take a brand hit—by using data the consumer didn’t know was collected or sharing it with a third party that misuses it. Once a prized possession for marketers, databases of customer data might contain a modern-day Trojan horse that could destroy your brand credibility with one click.
Manage the Growing Complexity with a Customer Data Platform (CDP)
Clearly, the new level of complexity generated by the CCPA requires a flexible, centralized platform for managing data from multiple channels and devices. Marketers now need automated help to maneuver through the maze of consumer consent preferences and data requests that will be in a continuous state of flux for the foreseeable future.
Stay Updated by Checking the Arm Treasure Data Blog
To help keep businesses informed on the evolving interpretation and implementation of the CCPA, Arm Treasure Data has issued updates on privacy, including the CCPA. Here are several related blogs in our ongoing coverage of this topic:
- GDPR vs. CCPA – What You Still Need to Do to Comply
- Customer Personalization and Data Privacy: 6 Facebook Takeaways for CMOs
What the right CDP can do for your organization
Fortunately, the right enterprise Customer Data Platform, or CDP, can help businesses find and consolidate data from specific individuals across many disparate systems. CDPs are designed to break down silos and integrate data from multiple sources—including IoT devices—to give unprecedented visibility into the behavior of prospects and customers. It’s also easy to use these CDPs to track the requirements on your data, making it less likely that human error or inconsistency causes a CCPA violation.
CDPs were first developed as the next evolutionary step up from customer relationship management (CRM) systems and data management platforms (DMP). They help marketing teams improve their targeting, relevance, and personalization efforts. But many marketing directors and CMOs don’t realize that the inherent functionality of a CDP as a data unifier and processor also makes it a helpful addition to your arsenal of tools for managing consumer consent preferences and complying with new data protection laws.
Beyond the CCPA: CDPs help with the ‘new normal’ confronting CMOs and Marketing Directors
The California Consumer Data Privacy Act is the latest reminder that data protection compliance is the new normal, and the way organizations respond to new rules and regulations can make or break the customer relationship. Customers are getting to the point where they hold all the cards when it comes to their personal information, and companies must treat all consent relationships with the respect they deserve if they expect to maintain long-term trust.