The U.S. data privacy revolution began with the recently approved California Consumer Privacy Act of 2018 (CCPA), which impacts the data privacy rights of California residents starting in 2020. The CCPA offers a concrete beginning to data privacy rights that U.S. consumers have longed for since the first rumblings of the European Union’s General Data Protection Regulation. And while GDPR stood as the most notable change to global data privacy practice in recent years, the CCPA has opened the door for the U.S. to make consumer data privacy rights a priority.
With the CCPA set to go into effect in January of 2020, marketers need to begin preparing for the impact of the legislation now if they want to ensure compliance. However, to effectively implement compliance plans for this new data privacy law, marketers first need to understand the ins and outs of the bill, and what rights are afforded to California residents under it.
Similar to GDPR applying to any company marketing products in the E.U., this U.S. data privacy measure will impact any brand that markets products online to California consumers, regardless of the company’s location. Given the number of consumers in California, this state law will impact many non-California-based companies, both international and domestic.
The CCPA was rushed through the legislative process, so we can expect a number of changes to be made before it goes into effect. Nicole Ozer, technology and civil liberties director for the ACLU of California, said that the law “was hastily drafted and needs to be fixed.” We can expect the legislature to at least address the misuse of personal information and not just the sale of this information.
While there are likely to be modifications to its current form, the U.S. data privacy regulation’s primary mission will remain true: to protect the personal information of California residents. With that in mind, marketers need to act now if they want to be prepared for when the bill goes into effect in January 2020.
Brands that have GDPR compliance measures in place will have an easy time transitioning their operations to address the requirements of the CCPA. However, brands that do not have existing data privacy plans in place should implement these processes now, especially knowing there will likely be more U.S. data privacy laws cropping up across the country. Regardless of whether or not there are effective compliance procedures in place, marketers should consider the following four steps to ensure their companies are ready for January 2020.
Educate the Entire Organization About Data Privacy
Marketers should share the details surrounding the new U.S. data privacy regulation and how it differs from (or adds to) GDPR with the entire organization, so that all employees can be prepared to comply once the time comes. Some U.S.-based employees of GDPR-compliant companies have been shielded by their organizations so as not to complicate job duties; these barriers have to come down immediately. GDPR stresses that the entire organization is responsible for data privacy, and CCPA is only reinforcing this. As changes come in before CCPA goes into effect, marketers should continue to update the entire organization to keep everyone up to speed on preparation efforts.
This can be as simple as sending out company-wide update emails or holding brief face-to-face meetings as necessary to ensure each employee has a full understanding of the U.S. data privacy measure and how it impacts the work the organization does.
Conduct a Data Audit
Once the company is educated on CCPA, it’s time to dive deep into the organization’s processes to figure out how data is collected, where it is stored, who has access to it and how it is used. Marketers often have many platforms in a martech stack — especially in large retail or enterprise organizations.
To begin a data audit, marketers should identify where all data resides across platforms and third-party solutions. It’s not enough to consider internal operations; partners and vendors must be evaluated, as well. After marketers have documented how data is collected, stored and used, they’ll want to identify potential compliance gaps.
Review Internal Privacy Policies
Once all of the data streams are mapped, marketers need to review the organization’s privacy policy to ensure that all data practices are transparent to customers. Brands also need to create (or expand existing) procedures so that customers can exercise their rights under CCPA, including the right to obtain a copy of their personal information and to erase any such information.
Develop a Data Privacy Message for Customers
As marketers, it’s crucial to then articulate the company’s acknowledgement of this U.S. data privacy measure to customers. Brands should share what action plans are in place to ensure customers feel comfortable continuing to engage with the brand. Teams should provide a clear view of the organization’s privacy policy and create a landing page for easy access and visibility. Moreover, messaging surrounding a brand’s privacy policy should be done in conjunction with the organization’s legal and privacy teams.
CCPA is just the first of many pieces of U.S. GDPR-like legislation we can expect to see during the coming year. And while CCPA may be subject to change before it officially goes into effect in 2020, the savviest marketers will start preparing for its impact now to get ahead of the inevitable change in how U.S. consumer data can be collected, stored and used.
Delaying could not only mean non-compliance and potential fines, but it could also cause detrimental, long-term harm to a brand’s image and customer loyalty.
Dave Swarthout is general counsel and data protection officer at Monetate.