CCPA Compliance: How to Mitigate Your Risks


The California Consumer Privacy Act (CCPA) is officially here. That means CCPA compliance has become the primary focal point for marketing professionals and brands worldwide.

What was once a small ballot initiative backed by a select few is now a fully fledged customer data regulation — one that will have wide-ranging impacts across industries.

As with the exhaustive winter preparations by the citizens of Westeros, marketers have been bracing for Jan. 1, 2020 — the long-circled CCPA effective date — for quite some time.

And “winter” has finally come.


A breakdown of what CCPA compliance entails for brands and marketers today

Organizations across the United States, European Union, and rest of the world that conduct business in the Golden State (or intend to) are now obligated to comply with the rules of the controversial personal data measure pertaining to California residents.

In short, companies that have gross annual revenues of $25 million or greater, have personal data on at least 50,000 people, or collect more than half of their revenue (totaling any amount) from the sale of personal data are subject to the CCPA regulation.

(Disclaimer: These are the measure’s core stipulations, but it’s critical to consult your legal team to understand the impact of the law on your business in particular, given we’re no legal experts by any means and the CCPA is much more nuanced than what’s described above.)

As with General Data Protection Regulation (GDPR), strict enforcement of the CCPA regulation won’t occur until mid-2020, per California Attorney General Xavier Becerra.

However, that doesn’t mean marketers such as yourself shouldn’t modify and enhance their data collection protocols accordingly and build data privacy-oriented consent management strategies to ensure 100% compliance today with the consumer protection mandate.


Sure, your company’s executive and legal teams certainly have sizable roles to play regarding CCPA compliance and preventing data breaches in the years ahead.

But the bulk of regulatory preparations and day-to-day compliance with the California law and properly securing and storing consumer data falls on you, a marketer.

What’s more, you and your colleagues will not only need to distinguish those who wish to opt out of data usage from those who provide consent, but also maintain accurate, ongoing records of that consent over time to make sure your database reflects the most recent changes with those contacts.

In other words? You need a comprehensive risk mitigation strategy that prioritizes “bad data” cleaning (see: third-party data) and utilizes the latest in consent management tech.

Like consent management functionality offered in certain customer data platforms (CDPs), which can help your company follow the letter of the California data protection law.


Ensuring CCPA compliance a primary marketing goal — but not the only one

Tracking the myriad CCPA amendments made and subsequent requirements added to the California data privacy law before it went into effect certainly kept the global marketing community fairly busy in 2019 — and hopefully imparted the seriousness of the regulation.

(Note: You can view the full and final CCPA text here, if you really want to take a deep dive into the consumer data privacy law and understand the intricacies of the measure.)

This hard work to establish total CCPA compliance won’t have been in vain, though, for those who recognize the data regulation is actually an opportunity for them to right some wrongs regarding past (and even current) data collection procedures and usage.

By ensuring absolute CCPA compliance, you drastically reduce the risk of your company being penalized by California lawmakers (well, once they enforce the law) for mishandling user data (e.g., failing to remove email addresses or other personal information for those who “opt out of the sale,” improperly providing customer data access to third parties).

Having said that, CCPA compliance isn’t your end game. Rather, you need to regularly revisit (scrutinize, really) how you accumulate, manage, and activate customer data.

Some of the most vital questions to ask about your data protocols and processes include:

  • “Do we really need to collect all data we currently ask for from leads and customers?”
  • “Are we offering enough value to our audience in exchange for their personal info?”
  • “How can we improve the ways in which we go about asking customers for data?”
  • “Do our data collection and usage procedures comply with other data measures?”
  • “Are we doing enough to protect the integrity of contacts’ personal data and info?”
  • “Do we have the requisite martech to maintain accurate records of users’ consent?”
  • “Do we have a single source of truth where all user data can live and be activated?”
  • “If we don’t have proper martech to do these things, what tech should we invest in?”

These are all critical questions to consider internally. But it’s the latter few Qs that should be asked first. Why? Because the right customer database (see: the CDP) can help answer the previous ones and, in turn, resolve your most pressing data management problems.


Investing in premier martech to improve data management a must for brands

There are endless takes on the California Consumer Privacy Act and related consumer privacy measures from marketers, execs, and others likely to be impacted by the regulations.

The high-level takes simply shrug off the gravity of the laws (“Consumers don’t care about data use” — which, as evidenced by one CCPA survey after another, isn’t the case).

Then, there are takes steeped in self-denial and arrogance (“It may not even apply to us,” “Let’s see what happens to other brands before altering our data management approach”).

To say these data compliance takes are cold is an understatement. (“Frigid” is more like it.)

As Digiday reported, the CCPA “grace period” for brands may seem like a nice respite. The reality? Even though enforcement won’t go into effect until well after implementation, California lawmakers can still penalize companies that didn’t comply earlier in 2020.

Not only do businesses and marketing professionals with this mindset need to get their collective heads out of the sand and take CCPA compliance (and compliance for similar legislation, including GDPR and PIPEDA) seriously, they need to invest in the ideal martech that can help them abide by the personal data measures at all times.

A consent management platform on its own is certainly a start to ensuring total compliance. But if that platform doesn’t cover the mandates of the CCPA and other data privacy laws, you’ll only be wasting time, energy, and money on the solution.

A CDP with consent management functionality built in, on the other hand (see: BlueConic) can ensure user consent at the individual level is wholly and persistently accurate and that any data activated cross-channel abides by those consent preferences.

Case in point: BlueConic customer Holland.com wanted to guarantee GDPR compliance once the major EU regulation initiated way back in early 2018.

Using our leading CDP, the tourism brand implemented the requisite changes on its owned channels, including and especially its website, to provide opt-in and out options for visitors.

The results? The company grew its consent acceptance rate from 28% to 75% — a vital improvement that has aided every aspect of its marketing: from acquisition to retention.

Moving from a cookie-based consent strategy — now unacceptable, given the collapse of third-party cookies as a legitimate marketing asset — to collecting first-party data (dynamically updated and stored in our CDP’s persistent profiles), Holland.com can rest easy knowing consent is always up-to-date and correctly designated for every contact.


Removing bad data and federating consent across your stack essential

The “right” marketing technology, in and of itself, isn’t enough to crack the consent code, so to speak, and keep your organization on the right path regarding data compliance.

There are two other essential action items to handle among your marketing team:

  • 1) Eliminating all “bad” data in all of your database technology: Even with the near-end of third-party cookies, there are still other sources of third-party data brands can get their hands on to build and expand their marketing programs (e.g., data marketplaces, many of which have been, are, and will remain untrustworthy and dubious). Despite the continual presence of these additional sources, your best bet is to turn to the increasingly popular, far more reliable and effective first-party data — data you secure straight from your customer base.
  • 2) Federating consent for all contacts throughout your stack: Some technologies in your existing stack undoubtedly “speak” to one another in some capacity. But a modern martech stack needs to have a dependable, single source of truth at the center that connects not just with some other solutions, but all of them. What’s more, this centralized database needs to continually alert those systems regarding the latest consent modifications among contacts.

BlueConic VP Marketing Michele Szabocsik put it best:

“It’s not just about collecting consent. It’s about federating it across your marketing eco-system so you can have the confidence that, when you activate it, you won’t face any ramifications.”

The key to avoiding negative consequences (a hefty fine and diminished brand reputation)?

A CDP that can tell all your systems whether one’s consent is still up-to-date.


Getting your C-suite to understand non-CCPA compliance risks a critical task

Understanding the significant value in onboarding a CDP with consent management capabilities that can enable CCPA compliance and conformity with like laws is great.

But that knowledge alone won’t do you any good if your leadership doesn’t recognize the risks associated with inaction regarding refinements to your data management methods.

Just 2% of organizations were fully compliant with CCPA requirements, as of the end of 2019, according to an IAPP and PossibleNOW survey. (You read correctly.)

That means 98% of businesses that operate in California have substantial work to do to fine-tune their data collection and activation programs and, ultimately, obey the CCPA rules.

Risk mitigation for regulations including, but certainly not limited to, the California data privacy law shouldn’t fall solely on your shoulders. It needs to be a company-wide effort.

But as an experienced, savvy digital marketing professional, you have the power to enact a consent management solution, and enforce an ensuing strategy, that both streamlines your day-to-day promotional efforts and ensures your company is ready for the CCPA and all other consumer privacy directives — including those yet to come to fruition.

Given there will certainly be more on the way for years to come, it’s wise to approach consent management as not just solving a spot-problem for prospects and customers covered by a single law, but as a cardinal component of your overall marketing program.

Planning a more comprehensive data compliance strategy — one that takes into account customer experience and data management best practices — can be a strategic advantage while providing a consistent experience for all of your prospects and customers, irrespective of where they reside: California, the EU, or elsewhere internationally.

Watch our webinar to learn how the California Consumer Privacy Act of 2018 will impact your marketing strategy for the foreseeable future.
