We use cookies to store information on your computer. By continuing to use our site, you consent to our cookies. If you are not happy with the use of these cookies, please review our cookie policy to learn how they can be disabled. By disabling cookies, some features of the site will not work.
CCPA Privacy Policy Requirements: Processes and Systems for CMOs to Implement Now
In my last post, I discussed the differences between the General Data Protection Regulation and the California Consumer Privacy Act — both in how they protect consumers and what they require of businesses. In this post, I’d like to focus on the specific steps marketers should take to meet the requirements of the CCPA and provide tips for ensuring the road to compliance is as smooth as possible.
Marketers are at a watershed moment. On one hand, we strive to deliver hyper-personalized experiences. On the other, we need to do so with the utmost trust and concern for consumer privacy. The CCPA and future data protection laws like it threaten to make matters more complicated for marketers. Penalties will become the new norm, and companies will see their business grind to a halt — or even shut down entirely.
In compiling the tips below, I reviewed advice from Attorney Lothar Determann, who wrote on the subject for the International Association of Privacy Professionals. He offers a list of action items toward compliance, some highlights of which are summarized below.

Invest in New Processes and Technology
Businesses can no longer avoid investing in proper data management practices and tools. Complying with the CCPA will require significant time and budget resources across several functions of your business. First and foremost, marketers will need to map the location of any existing data, records or customer databases related to California residents, households located in the state, or devices owned by residents. A customer data platform (CDP) can help businesses find and consolidate data from specific individuals across many disparate systems.
Make It Easy for Consumers to Request Data Access and Info
Next, organizations will need to create a straightforward way for customers to request access to their data and how it is being used. This includes setting up a separate toll-free phone line and email with staff designated to handle the requests. New security processes and systems will also need to be put into place for verifying the identity of those customers requesting their data report or that their data be deleted.
Update Your Privacy Policy
As we discussed in my last privacy post, the CCPA requires some updates to a company’s privacy policy. Organizations must add a section which details California residents’ data privacy rights specifically. They must also make exercising those rights simple and easy. For example, California residents have the right to insist that their data not be sold or shared under the CCPA. Homepages should feature a clear call to action for the consumer to make this request via a specific web page or portal, mail, phone or email.
Another consideration many marketers overlook with regard to privacy and consent is how minors factor into the CCPA equation. In California, children under the age of 13 cannot consent to privacy policies, so there must be procedures in place to obtain consent from their parents or guardian. Organizations that don’t have these methods in place will be charged with “willfully disregarding the California resident’s age.”
The California-only Strategy
Because it’s a California law, the CCPA brings with it many security, administrative and operational requirements affecting a small but significant piece of any organization’s customer portfolio. Some business will look to California-only sites, products or communication channels to address these requirements, allowing them to leave their original sites and products as is. This approach has its merits, but organizations must be sure not to rely on IP address or location alone when determining which website or service a customer uses when browsing online. A California resident visiting your website while traveling in Massachusetts must be sent to the appropriate California-only CCPA-compliant site.
For many, the CCPA compliance deadline — January 1, 2020 — seems a long way off, but marketers must advocate that their businesses start taking steps now to ensure requirements are met. Consumer data protection compliance is the new normal, and the way organizations respond to new rules and regulations can make or break the customer relationship. Customers are getting to the point where they hold all the cards when it comes to their personal information, and companies must treat all consent relationships with the respect they deserve if they expect to maintain long-term trust.
Also, to help keep businesses informed on the evolving interpretation and implementation of the CCPA, Arm Treasure Data has issued blog updates on privacy, including the CCPA. Here are several related blogs in our series on CCPA, GDPR and customer data protection:
- The California Consumer Data Privacy Act – 3 Steps Marketers Need to Take NOW
- Customer Personalization and Data Privacy: 6 Facebook Takeaways for CMOs
- GDPR vs. CCPA – What You Still Need to Do to Comply