The stroke of midnight on Jan. 1, 2020, ushered in a new decade and activated the most sweeping privacy law passed in the U.S. during the digital age: the California Consumer Privacy Act (CCPA). In broad brush, the law grants Californians four new rights: the right to know what personal data about them is collected and where it’s shared; the right to opt out of data sharing; the right to delete their data; and the right to suffer no consequences for exercising any of these rights. Consumers are also given an implicit, limited right to data security through language that assumes businesses have a duty to perform reasonable security practices. Businesses that fall under CCPA regulation must abide by these provisions as they relate to California residents, under penalty of fines and litigation.
That this state-level law focuses only on California residents is cold comfort. California boasts the largest state economy in the U.S. and generates almost 15% of the country’s GDP. The law’s reach stretches across California’s boundaries, too, as organizations located elsewhere are subject to CCPA provisions if they conduct business in the state. If you’re headquartered in Houston and harvest data from San Franciscans or Los Angelenos, the CCPA applies to you.
While the CCPA might be the furthest reaching of all state privacy laws, it’s not the only one on the books. Three months before CCPA went into effect, Nevada enacted a law with similar intent, requiring companies to obtain consumer permission before selling certain information to data brokers. Other states are emboldened to act in California’s wake, with privacy bills being debated in New York, Maryland, Massachusetts, Hawaii and North Dakota. Outside the U.S., the European Union’s General Data Protection Regulation (GDPR) already affects many American marketers and directly influenced the CCPA’s creation, as did the revelation that political consulting firm Cambridge Analytica accessed the Facebook information of nearly 90 million users.
For marketers, it must seem like the walls are closing in as governments position themselves as vexing interlopers. Some might even be tempted to entertain notions of withdrawing from jurisdictions with privacy laws—if such a fantasy didn’t fly in the face of the modern marketplace. Most brands today are national, if not global, and the idea of cutting Californians out of marketing efforts to avoid CCPA compliance is defeatist and likely impossible. And who’s to say there won’t be a national law soon to follow?
“The train has left the station,” says Alan L. Friel, a law partner specializing in digital media, intellectual property, and privacy and consumer protection law at BakerHostetler. “CCPA is just the first of what will be a multi-state and potentially federal effort to provide consumers with greater transparency, access and choice regarding their personal information.”
Yet CCPA’s mandate is not universal, even within California. Nonprofits are exempt. Ditto for-profit companies that gross less than $25 million per year; handle data for fewer than 50,000 California customers, households or devices annually; and earn more than half their revenue from something other than selling Californians’ personal information. A for-profit that exceeds any one of those three thresholds is subject to CCPA. Also required to comply are organizations that fall short of the triggers on their own but are owned by a larger company that meets a benchmark itself, or through the cumulative weight of its subsidiaries.
If anything, CCPA’s selective application creates more uncertainty about compliance requirements, especially for companies that aren’t small but are by no means the gigantic ad-sellers the public has in mind when it thinks about consumer data mining.
“CCPA is hard for some people to take seriously because they don’t fall into it today,” says Noah Jacobson, senior vice president of corporate development and strategy at martech company TapClicks. “That’s kind of a slippery slope because today you don’t—[but] tomorrow you might.”
The number of marketers who are not yet compliant with privacy laws, and don’t know how to get there, is not small. CCPA has been law since January, yet noncompliance is rampant and enforcement has not begun. “Organizations are typically behind on [CCPA],” says Eric Holtzclaw, founding partner and chief strategist of marketing and operations firm Liger Partners, which is currently assisting six large companies in meeting CCPA requirements.
The GDPR fares little better. “There are very few shining examples of companies that have addressed this and dealt with it in a positive way,” says Peter Gillett, CEO of U.K.-based mobile lead capture software company Zuant. “I’m sorry to say that as a marketer, but it’s the truth.”
Why is this so hard? CCPA and GDPR are not the first laws to come on the books that impact how marketers work. True, complying is neither fast nor inexpensive. The California attorney general’s office estimates total compliance costs will range between $467 million and $16.45 billion in the years spanning 2020 to 2030. A 2017 PricewaterhouseCoopers survey of American GDPR preparedness found that 77% of respondents estimated compliance costs to be in excess of $1 million. But the biggest hurdle may be that the process of adapting to privacy laws does not fit into a single organizational lane. CCPA compliance is not achievable without coordination among most branches on the org chart. The only route that assures failure faster than delegating CCPA compliance to marketers alone might be cutting them out entirely.
Though legal, financial and technology officers have crucial roles to play in any compliance roadmap, marketers are the supreme stewards of customer data. They must—at a minimum—be empowered to develop ways in which the consumer will experience CCPA-required changes.
Any attempt to satisfy new privacy requirements must begin with an understanding of new expectations. With the CCPA, that means unraveling the legal definitions of terms such as “personal information” and “data selling.”
Accept that it will be impossible to proceed with certainty on every point, at least initially. Data-selling is one of the larger facets of CCPA where expressed language hasn’t translated into concrete reality.
“This remains a matter of controversy and unfortunately the [state] attorney general has provided no guidance,” Friel says. “A conservative interpretation is any disclosure or making available of personal information in a commercial context could be a sale unless there is a statutory exception.”
Despite that large uncertainty, there are many areas where CCPA changes are clear. One example is knowing the law applies to your organization.
Marketers who have determined they are subject to CCPA must then work out the exact legal definition of personal information, which is critical to any compliance effort.
“Marketers’ first step is to understand the responsibilities of companies that fall under the law and the scope of the term ‘personal information,’” says Chris Olson, CEO of The Media Trust, a digital security service agency. “Knowledge of the law will enable them to collaborate effectively with colleagues in charge of compliance.”
CCPA text defines personal information as anything that could be linked to a specific consumer, household or device. This includes data traditionally viewed as sensitive—such as birth dates, addresses and social security numbers—but it also applies to less historically protected information like IP addresses. CCPA goes a step further than GDPR in this specific instance, as the latter limits itself only to information that applies to individuals. With both laws, companies must then create a way to facilitate consumer requests to view, delete or prohibit the sale of their data.
No understanding of privacy laws would be complete without an awareness of the penalties attached to noncompliance. Fines for CCPA violations range from $2,000 to $7,500 per intentional violation. The California attorney general, responsible for enforcing the law, has maintained that (as of press time) CCPA will be enforced starting July 1.
Here again, the GDPR might serve as a model for what noncompliance may entail. Last year, the European Data Protection Board released enforcement stats for the first nine months GDPR was active. The stats show a total of 206,000 violations reported by 31 EU countries. Of these, 94,000 are consumer complaints, 64,000 are breach notifications, and the remaining 47,000 are unspecified. Fines totaled 56 million euros (or $61 million). That figure was dwarfed within months after British Airways was socked with a whopping 183 million euro (or $198.5 million) fine following a data breach affecting some 500,000 customers. A watchdog website created to track GDPR enforcement reports a total of 458 million euros (or $497 million) in GDPR-related fines levied by February 2020.
Companies shouldn’t only consider how the state will act: The CCPA also grants citizens the right to sue companies in response to a data breach. Individuals can recover as much as $750 per violation, or actual damages if the amount is greater. Individuals are empowered to band together to file class-action lawsuits against companies that fail to safeguard data, greatly elevating the potential for high-value payout.
Friel advises marketers who are fortunate enough to have an in-house corporate counsel to meet regularly and discuss data collection and usage practices, and to develop language on data collection disclosure. Those without an in-house legal team should seek help from outside firms, or at least consult guidance issued by enforcement agencies.
Even the most limited response to CCPA will likely need a substantial technical overhaul, as most pre-existing data collection and management techniques are not up to snuff with new standards. In 2019, a single seller posted a collection of breached data made up of 773 million unique emails and 21 million unique passwords—the largest single public data breach to date. And that doesn’t even touch the new need to track consumers’ data through every piece of software used throughout an organization.
“Most companies I see are making mistakes on how they onboard new contacts and move them from system to system, not following the path of origin for those contacts or matching the compliance language agreed to,” Holtzclaw says. “You have to show that you’ve kept track of compliance throughout the chain, from collection to use.”
Here, almost nothing can be accomplished without straying beyond the marketing team, but marketers can still set themselves up as point people who lead and execute, starting with a complete data map. A data inventory and a map of data flows are important stepping stones to CCPA compliance, and they are outright required under GDPR. And while companies can easily map what is input into a client database, unstructured digital assets are trickier because they cannot be recovered with a simple structured query the way database records can.
“The challenge arises in the dynamic digital asset environment, where executing vendors and their activity continuously changes according to geography, device or user behavior profile, often without the enterprise’s knowledge,” Olson says. “Marketers aren’t even thinking about the amount of personal data that is collected every time someone accesses their website or mobile app. From cookies to device IDs to fingerprinting, the myriad ways of consumer data leakage expose enterprises to significant risk.”
It’s a highly technical process that underscores the need for hand-in-glove partnerships with information teams. But the marketer’s role during data mapping is no less vital.
“Since most corporate websites are managed by marketing teams, they must take the lead or collaborate with security and privacy colleagues on staying compliant with the law,” Olson says.
Only departments working in lockstep can fulfill the requirements of new privacy laws with minimal glitches. Gillett recommends appointing a single leader empowered to make decisions on customer data protection and management. The role would function somewhat like a customs officer, inspecting how data passes in and out of a company, only with a fresher title (Gillett suggests “data enhancement officer”).
A map and a navigator make the road ahead feel less formidable. When consumers request their data—and they will—it won’t be easy to track down every last bit of information within the 45-day window required by CCPA. Many companies cannot automatically pass opt-outs across back-end systems because of silos or business unit divisions that aren’t apparent to the general public. Consider assigning each consumer a unique internal ID number to cross-reference between all systems.
CCPA also regulates how personal information is shared with third-party organizations, a category that potentially includes advertiser networks, social networks, automation platforms and data analytics providers. Within the universe of third-party organizations, CCPA carves out a distinct category called service providers. Only they can receive personal information about consumers who have opted out of data sharing—the remaining third-party vendors cannot.
For that reason, it’s extremely important that companies draw up contracts with important vendors that explicitly outline the business purpose for the data sharing and prohibit vendors from selling personal information. Without this agreement, data for customers who have chosen to opt out of selling must never be shared.
Companies can still provide information to third parties that are not service providers for consumers who haven’t opted out of data selling. Third parties that aren’t service providers may themselves sell the consumer data, but only if they’ve notified customers about the sale and provided them with the ability to opt out. Though not required under CCPA, contracts with both service providers and other third-party vendors should specify data security practices. Periodic audits of vendors should be on the table as well.
“Today’s internet is designed to enable user tracking, and periodic audit strategies don’t work in this ever-changing environment,” Olson says. “The only way to control user data collection and meet regulatory obligations is by identifying all executing vendors, analyzing their tracking activity, communicating enterprise policies, demanding full tracking disclosure and continuously monitoring for compliance—tasks that require collaboration across marketing, risk, security and digital operations.”
GDPR eschews the CCPA concept of third parties and service providers in favor of a data controller and data processor schematic—this is based on who makes the business decisions regarding the collection and use of personal information, and who merely acts on instructions. GDPR mandates far more detailed contracts between controllers and processors than CCPA does. Note that GDPR also includes a legal definition of a third party, but it’s radically different than third parties as defined in CCPA. GDPR’s data processors are much closer to the CCPA definition of service providers.
Third parties shouldn’t be viewed only as liabilities, though: They can also be assets. Holtzclaw believes contracting with outside vendors to manage CCPA requirements is preferable to building a new internal database designed to collect and store all consumer information, comply with user data requests and intersect with the marketing workflow.
“The biggest mistake I see is companies trying to build something internally,” Holtzclaw says. “Just like the rest of the marketing technology stack, a company may need to tap multiple vendors in order to build a comprehensive solution. … Specialization is a strength in this category because each enterprise has different approaches, customers and needs.”
“Get help from digital security experts who have the tools to identify and eliminate digital threats,” Olson adds. “Relying on convenient though ineffective conventional website security tools will fail to meet CCPA’s requirements for reasonable security.”
Money allotted to building a new database could be spent directly engaging the consumer. Empowering consumers with control over their personal information forms the backbone of CCPA, even if the law requires little in terms of customer-facing changes. CCPA requirements are limited to the creation of a personal information management webpage where consumers can request to view, delete or prohibit the sale of their data. Affected companies must also provide notice to customers at or before data collection, and cannot ask consumers who have opted out to reconsider their decision for at least 12 months.
CCPA and GDPR diverge on customer control over data collection, with CCPA only requiring businesses to let consumers opt out of ongoing data collection, and GDPR requiring consumers to opt in before data collection can occur. An important exception to this dynamic is how the CCPA treats minors. Consumers ages 13 to 16 must opt in before their data is collected, rather than requesting to opt out of data collection in progress, as is the case with adults. Consumers younger than 13 must have a parent or guardian opt in for them.
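The sharing rules laid out above (service providers versus other third parties, the opt-out default for adults and opt-in for minors, the 12-month wait before re-asking an opted-out consumer) and the earlier suggestion of one internal ID to cross-reference every system can be captured in a small consent gate. This is an added illustration, not code from the article or any of the firms quoted; the class and field names and the sample records are constructed, and the cut-offs come only from the article’s text.

```python
"""Consent gate encoding the CCPA data-sharing rules described in the
article. Consumers are keyed by one internal ID so an opt-out recorded
in any one system (CRM, app, web) applies everywhere. Age cut-offs and
the 12-month cool-down are taken from the article; every name and sample
record here is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass
class Consumer:
    internal_id: str                      # single cross-system key
    age: int
    opted_out_on: Optional[date] = None   # date of "do not sell" request
    self_opt_in: bool = False             # needed for ages 13-16
    guardian_opt_in: bool = False         # needed under 13
    aliases: set = field(default_factory=set)  # identifiers in other systems


@dataclass
class Recipient:
    name: str
    is_service_provider: bool
    contract_states_purpose: bool = False  # written business purpose
    contract_bars_resale: bool = False     # vendor may not sell the data


class ConsentRegistry:
    """Maps every system's identifier for a person to one Consumer record."""

    def __init__(self):
        self._by_alias = {}

    def register(self, c: Consumer):
        for alias in {c.internal_id, *c.aliases}:
            self._by_alias[alias] = c

    def lookup(self, any_id: str) -> Consumer:
        return self._by_alias[any_id]

    def record_opt_out(self, any_id: str, when: date):
        # An opt-out taken in one system is visible under every alias,
        # so no silo keeps selling after the consumer said stop.
        self.lookup(any_id).opted_out_on = when


def selling_permitted(c: Consumer) -> bool:
    """May this consumer's data go to a non-service-provider third party?"""
    if c.opted_out_on is not None:
        return False
    if c.age < 13:
        return c.guardian_opt_in      # parent or guardian must opt in
    if c.age <= 16:
        return c.self_opt_in          # 13-16 must opt in themselves
    return True                       # adults: opt-out model


def may_share(c: Consumer, r: Recipient) -> Tuple[bool, str]:
    """Decide a disclosure and say why, for the audit trail."""
    if r.is_service_provider:
        if r.contract_states_purpose and r.contract_bars_resale:
            return True, "service provider under compliant contract"
        return False, "service provider lacks required contract terms"
    if selling_permitted(c):
        return True, "third party; consumer has not opted out"
    return False, "third party; consumer opted out or lacks opt-in"


def may_reask(c: Consumer, today: date) -> bool:
    """No asking an opted-out consumer to reconsider for 12 months."""
    if c.opted_out_on is None:
        return True
    return today >= c.opted_out_on + timedelta(days=365)
```

The reason string returned by `may_share` is what a practitioner would log alongside each disclosure, giving the "chain from collection to use" record that Holtzclaw describes.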
Yet marketers have so many more opportunities to get creative with communicating their steps toward privacy sensitivity beyond announcing that they’ve satisfied barebones legal requirements.
“Imagine the power coming in your house,” Holtzclaw says. “There’s a big on-off switch outside that the fire department can turn off. Then you have your fuse box on the inside, which should organize all your electricity by room, and then you have light switches.”
Holtzclaw says businesses tend to think in terms of fuse boxes, whereas customers are asking for light switches. Directing users to a fuse box, such as a marketing preference center in an app or on a webpage, represents a failure in some respects. Most customers want the ability to make small modifications.
Emails are a textbook example. Not everyone wants to hear from a brand every day. Given the choice between daily emails or no emails, a lot of users will select the latter. The solution is to make the tech upgrades necessary to give users a tiered system of permissions, allowing them to set their preferred email frequency.
“If I’m only responsible for marketing, I would look for the lowest-hanging fruit,” Holtzclaw says. “If you’re getting a lot of unsubscribes, put an opt-out page in place. We’ve seen those have greater than 60% retention of people staying on a list. It’s not that people don’t want to hear from you; they don’t want to hear from you as often.”
Another way of preventing absolute opt-outs is to offer what the CCPA terms “financial incentives” for consumers who allow their data to be collected and sold. Financial incentives walk a fine line, as CCPA also prohibits discrimination against users who opt out unless the incentive offered is reasonably related to the value of the customer’s data. In practice, this might look like a retailer offering discounts to customers who sign up for mailing lists (but who can later request to obtain, delete and opt out of selling their personal information).
“In the context of a loyalty program, if personal information is only used for program administration and you can opt out of marketing and still get loyalty benefits, there is no restriction on the program,” Friel says. “However, if you lose discounts or benefits if you delete data to avoid marketing, then the value of the benefits would need to be reasonably related to the value of the ongoing marketing consent.”
Subscriptions are another example, with the benefit of already being in wide use. Imagine a website or an audio or video streaming service that offers free content to users who receive ads between content, but provides an ad-free experience to users in exchange for direct payments. Under CCPA, some of the financial incentives that companies may offer users could resemble such a model: consumers who opt out of data sharing could be charged to consume content, so long as the price tag is reasonably related to the revenue lost from no longer collecting and selling their personal information. Jacobson says this course of action has proved to boost consumers’ willingness to share data.
Whatever changes companies make, updated terms and conditions need to be visible and companies must provide notice of any financial incentives in place. But marketers don’t need to trumpet each dotted “i” or crossed “t.” They merely need to respect the customer’s privacy. Sometimes, marketing will be more impactful if it focuses on showing over telling.
“It’s about being a decent corporate citizen,” Holtzclaw says. “If [customers] love that brand, [they] need and want to hear from them. It’s when [companies] start to do things outside their charter, or they’re selling your data to another company, that’s where you start to get into these gray areas. Did you ever have the friend that sent you to a multi-level marketing person and you start getting calls from them? It’s the same concept.”
It’s one thing to hold your nose and comply with a law. It’s another to warm to its spirit. In some cases, the most significant obstacle is changing a culture of resistance or inertia. Adopting an internal culture that prioritizes privacy means that if additional laws come about, your business will be prepared.
Experts repeatedly touch on the importance of creating a new mindset. Friel calls for all future marketing campaigns to include “privacy by design” through the consideration of privacy impact during planning stages. Olson advises companies to regard customer data like it’s intellectual property. “[Customer data is] something of value that can lead to serious damage should it be stolen, lost or misused,” he says. Holtzclaw echoes their sentiments. “It’s a practice, not a project,” he says.
Anecdotal stories paint pictures of future marketing departments well-versed in responsible data management. “If you’re going to go work in marketing, you’re going to have to know things about the CCPA, especially in California,” says Kristen Walker, marketing professor at California State University, Northridge. “I’ve heard from at least three students who ended up getting job offers based on that.”
Yet Holtzclaw warns that compliance rhetoric often fails to align with brutal business reality, particularly when the solutions are perceived to be tech-centric and not system-centric.
“Let’s say I’m the vice president of marketing for a business unit and I want to be the CMO,” Holtzclaw says. “You tell me that [privacy] is important, but you also tell me I need to sell 800,000 units this year. I’m going to go sell 800,000 units and [privacy] will be the next guy’s problem.”
Marketing is not alone in its need for soul-searching. There will always be a tug between honoring the customer and fulfilling the business goals of the company. And there will always be moments when it seems the privacy laws are a blunt instrument producing unhelpful results. But more than ever, consumers today want to know that companies share their values. Privacy will be among consumer values if it’s not already, even as it erodes in the face of omnipresent surveillance. Marketing teams that meet privacy laws with zeal will emerge not just unscathed, but lauded.
And when it comes to the introduction and design of new cultural attitudes, who better to execute than the marketing department? By using internal marketing strategies, staying on-message and leading by example, marketers help companies live their values or create new ones. You could say it’s a law of marketing.
Written by Zach Brooke.
Illustrations by Eugene Smith.