New CCPA Privacy Policy Requirements CMOs Should Start Addressing Now

CCPA Privacy Policy Requirements: Processes and Systems for CMOs to Implement Now

In my last post, I discussed the differences between the General Data Protection Regulation and the California Consumer Privacy Act — both in how they protect consumers and what they require of businesses. In this post, I’d like to focus on the specific steps marketers should take to meet the requirements of the CCPA and provide tips for ensuring the road to compliance is as smooth as possible.

Marketers are at a watershed moment. On one hand, we strive to deliver hyper-personalized experiences. On the other, we need to do so with the utmost trust and concern for consumer privacy. The CCPA and future data protection laws like it threaten to make matters more complicated for marketers. Penalties will become the new norm, and companies will see their business grind to a halt — or even shut down entirely.

In compiling the tips below, I reviewed advice from Attorney Lothar Determann, who wrote on the subject for the International Association of Privacy Professionals. He offers a list of action items toward compliance, some highlights of which are summarized below.

The CCPA: CMOS, Start Here Now

Invest in New Processes and Technology

Businesses can no longer avoid investing in proper data management practices and tools. Complying with the CCPA will require significant time and budget resources across several functions of your business. First and foremost, marketers will need to map the location of any existing data, records or customer databases related to California residents, households located in the state, or devices owned by residents. A customer data platform (CDP) can help businesses find and consolidate data from specific individuals across many disparate systems.

Make It Easy for Consumers to Request Data Access and Info

Next, organizations will need to create a straightforward way for customers to request access to their data and how it is being used. This includes setting up a separate toll-free phone line and email with staff designated to handle the requests. New security processes and systems will also need to be put into place for verifying the identity of those customers requesting their data report or that their data be deleted.

Update Your Privacy Policy

As we discussed in my last privacy post, the CCPA requires some updates to a company’s privacy policy. Organizations must add a section which details California residents’ data privacy rights specifically. They must also make exercising those rights simple and easy. For example, California residents have the right to insist that their data not be sold or shared under the CCPA. Homepages should feature a clear call to action for the consumer to make this request via a specific web page or portal, mail, phone or email.

Get Treasure Data blogs, news, use cases, and platform capabilities.

Thank you for subscribing to our blog!

Another consideration many marketers overlook with regard to privacy and consent is how minors factor into the CCPA equation. In California, children under the age of 13 cannot consent to privacy policies, so there must be procedures in place to obtain consent from their parents or guardian. Organizations that don’t have these methods in place will be charged with “willfully disregarding the California resident’s age.”

The California-only Strategy

Because it’s a California law, the CCPA brings with it many security, administrative and operational requirements affecting a small but significant piece of any organization’s customer portfolio. Some business will look to California-only sites, products or communication channels to address these requirements, allowing them to leave their original sites and products as is. This approach has its merits, but organizations must be sure not to rely on IP address or location alone when determining which website or service a customer uses when browsing online. A California resident visiting your website while traveling in Massachusetts must be sent to the appropriate California-only CCPA-compliant site.

For many, the CCPA compliance deadline — January 1, 2020 — seems a long way off, but marketers must advocate that their businesses start taking steps now to ensure requirements are met. Consumer data protection compliance is the new normal, and the way organizations respond to new rules and regulations can make or break the customer relationship. Customers are getting to the point where they hold all the cards when it comes to their personal information, and companies must treat all consent relationships with the respect they deserve if they expect to maintain long-term trust.

Also, to help keep businesses informed on the evolving interpretation and implementation of the CCPA, Arm Treasure Data has issued blog updates on privacy, including the CCPA. Here are several related blogs in our series on CCPA, GDPR and customer data protection:

Learn more on customer trust and data protection!

Smart CMOs know simple compliance is not enough for protecting consumer data

Read More

Erik Archer Smith
Erik Archer Smith
Erik Archer Smith is a data-driven marketing and sales professional at Treasure Data with 10+ years experience helping companies scale during phases of hyper-growth. Erik got involved with tech early and built the first social media site in Japan using open source technology in the early 2000s. When not working, he enjoys spending time at the beach with his wife and dog, and obsessing over character-build stats in whatever RPG currently has him hooked.
Related Posts