Many people credit the EU’s recent General Data Protection Regulation (GDPR) for the rise and spread of data privacy laws, including the California Consumer Privacy Act (CCPA), which goes into effect in January 2020. The possible New York privacy bill, also known as Senate Bill S5642, which is currently making its way through the New York legislature, could bring even stricter regulation. Brands are becoming more and more aware that the GDPR ushered in a “data-first” culture that has forced companies, including ad tech vendors, to assess their data practices. With less than seven months until the CCPA law is implemented and the possibility of more states following suit, brands must be prepared to answer to regulators on what data they’re collecting and using, where that data is stored and who has access to it.
We are still in the early days of this new regulation. In many cases, it is unclear how these new rules will be interpreted and enforced, but there is at least a major opportunity for the regulators to make a real difference on the issue of citizens’ privacy rights. Brands may have more to fear from the CCPA and the upcoming New York bill.
Unlike the GDPR, which for Europeans represented an evolution in data privacy laws rather than a complete step change, the CCPA represents a fundamental shift in how data is protected in the U.S., by conceptualizing data subjects’ rights in more European terms. Moreover, the CCPA introduces fines based on how many individuals are affected by a violation, which can easily accrue to a very large sum in the event of a breach. With fines up to $750 per consumer or up to $7,500 per intentional violation, some brands could be financially devastated. If New York has its way, the thresholds will be even wider.
If brands have already instituted measures to comply with the GDPR, they may be more or less ready for the CCPA. However, for some U.S. brands (especially those not working directly with European customers), the GDPR preparation may not have been necessary at the time, but now, with the California legislation and the prospect of the New York bill, brands may need to revisit their policies and processes to keep themselves out of the crosshairs of regulators. Here are a few ways U.S. brands can set themselves on a path to compliance:
- Get your house in order: Do a deep dive into what is collected, by whom and where it is stored. Start by reaching out to customers, partners, and vendors to begin a dialogue about data privacy and rights. Data is now on the agenda of every conversation and is central every time a brand wants to initiate a new partnership.
- Streamline your data: Develop a “record of processing” to identify exactly where your data is coming from and where it’s going. If you don’t know why you’re collecting it, dump it — it’s not worth the liability and cost of storage. You may even see better conversion and engagement results from a cleaner and leaner data set. While the CCPA may not require a “record of processing,” like the GDPR does, this is still a very good idea and worth including in your CCPA preparation.
- Go over your plan with a fine-tooth comb: Don’t be content with simply mapping it out — make sure you walk through each step of the process so you have a thorough understanding of it. Being meticulous about what happens at each step of the way may enlighten your team to sensitivities and opportunities.
- Put someone in charge: Assign a person or team to confront the challenges of data regulation, and give them access to senior management and the ability to hold the organization accountable for an internal audit. These are usually very senior data protection specialists. The person or team in this role will be accountable for the brand’s data processing policies, which makes compliance less difficult to deal with and helps drive an effort to define what data is collected and how it is used. This is another requirement of the GDPR that isn’t a CCPA requirement but is certainly a great approach!
- Step up your communication game: Invest in clear, concise and consumer-friendly communications that explicitly tell consumers what data is collected and how it is used. Your customers are more likely to provide their consent if they understand and can relate to what they are reading or watching. Getting ahead of the curve now could mean setting yourself up as the clear choice for consumers looking to do business with a brand that takes their privacy seriously.
While the various regulations may have slight differences, the universal theme is clear. Companies need to take privacy seriously and begin instituting processes now that not only bring them into compliance but also build a stronger relationship with the end-user by answering their demand for privacy and accountability. One such example is the recent Apple “Privacy. That’s iPhone” ad campaign, which points to how the company’s devices keep customer searches and transactions private and allow users to download all the information stored by the company. Whether your company has started this process yet or not, it is worth taking the time to make sure that your organization is taking consumer data privacy laws seriously, as more state regulations are sure to follow.