CCPA Is on Its Way, 56% of Marketers Unprepared for the Data Privacy Law: How to Comply
CCPA is a little more than four months away from being enforced, and “56% of businesses report they will not be fully prepared” for the law that will regulate how they can use customer data. Surprisingly, that is a better figure than the half to two-thirds of brands that were unprepared for GDPR a couple of months before it was enforced.
Still, market watchers find the figure disturbing. Unlike the General Data Protection Regulation, which governs how marketers use E.U. citizens’ data, the California Consumer Privacy Act will be front-and-center for many U.S. marketers.
CCPA non-compliance is worrisome because brands will accumulate hefty monetary penalties. Yesterday, PossibleNOW — an enterprise consent, privacy, and preference management solutions provider that says its solutions solve CCPA woes — “announced the results of its latest survey, showing 56% of U.S. businesses polled reported they do not expect to be fully prepared to meet California Consumer Privacy Act (CCPA) requirements by the January 1, 2020, date of enforcement.”
And the costs of non-compliance are huge:
“Penalties for non-compliance are $2,500 per record for each unintentional violation and $7,500 per record for each intentional violation. So a company that doesn’t honor or mismanages 1,000 consumer privacy requests could face a fine ranging from $2,500,000 to $7,500,000.”
Similar to GDPR, the California law applies to personal data on any state resident, regardless of where the marketer is located. Businesses that are already GDPR-compliant may not need to do much more work to become CCPA-compliant. And as with GDPR, the main way to keep customer data is not to lose it in the first place. As we advised regarding lost email lists, marketers can check for and audit data from Californians, use reliable first-party data, keep all of the data in one place, and personalize communications.
But the 56% of U.S. brands in PossibleNOW’s research that aren’t complying with CCPA have a lot of justifications for not doing so. The vendor finds the main reason for non-compliance is cost, which it says is equivalent to the price of a full-time employee. The remaining reasons for non-compliance are: marketers are waiting to see how the law will be enforced; they don’t think their business is big enough to be subject to the law (gross annual revenue of less than $25 million, not a large data broker, and not earning most of its revenue from selling consumers’ personal data); they didn’t understand it; or they otherwise didn’t think the law applied to them.
Tips for Marketers Regarding CCPA Compliance
To comply with CCPA, marketers must be able to respond to Californians’ requests about their personal data. PossibleNOW says the law allows California residents to:
- Know what personal data is being collected
- Request details on how their data is being processed
- Access their personal data
- Request to have their personal data deleted
- Know whether their personal data is sold or disclosed to third parties
- Decline or opt out of the sale of their personal data
How CCPA Is Not Like GDPR
“The California law was written in five days, and really shows,” says Christopher Mohr, VP of intellectual property and general counsel at SIIA. “It is an extraordinarily complicated and poorly written statute.” Adding insult to injury, it is grammatically inconsistent and difficult to understand. I can’t imagine what compelled them to rush such important legislation through. It sounds irresponsible when you consider the EU worked on GDPR for more than three years.
“This is not the same as GDPR — it’s much broader.” Not a statement the already GDPR-fearing publishing industry wants to hear. Mohr continues, “In GDPR the information is tied to a data subject, for example, an individual. The CCPA covers ‘households’ as well as individuals. In addition, the CCPA’s potential ban on the use of information extends not only to the information but to the ‘inferences’ you might draw from it.” Inferences? Yikes! The law goes on to explain what is meant, but the idea of inferring conclusions sounds ripe for misinterpretation to me.
The main goal of the law is to regulate the collection and sale of personally identifiable (PI) consumer data to third parties and service providers. You do not need to get paid for the data: if you disclose it to another party, it is considered a transaction. Using outside vendors to help manage your data is not a problem, because you remain the controlling party.
Everyone will now have the “right to delete.” I asked Mohr to confirm that means deleting people from your database, not from your articles. “That’s the intent, I think. Whether the words match the intent is a completely different issue, and it’s not as clear as it could be. Personal information covers any information that could be associated with an individual.”
Anyone can tell you to cease disclosing their data to others, and you must comply. You cannot deny goods or services to anyone because of their data opt-out. That becomes the new Catch-22: in order to know you are not supposed to have data on an individual, you must have that individual in your database. And since you likely must have data on an individual in order to do business with him or her, how do you conduct business with data exceptions? For those rare European GDPR complainants, admittedly, some American publishers will simply delete the record; good-bye. In the Hotel California, “you can check out any time you like, but you can never leave.”