CCPA Compliance: How to Mitigate Your Risks


The California Consumer Privacy Act (CCPA) is here. That means CCPA compliance has become the primary focal point for growth-focused teams and companies worldwide.

What was once a small ballot initiative backed by a select few is now a fully fledged customer data regulation — one that will have wide-ranging impacts across industries.

A breakdown of what CCPA compliance entails for organizations today

Organizations across the United States, European Union, and rest of the world that conduct business in the Golden State (or intend to) are now obligated to comply with the rules of the controversial personal data measure pertaining to California residents.

In short, companies that have gross annual revenues of $25 million or greater, have personal data on at least 50,000 people, or collect more than half of their revenue (totaling any amount) from the sale of personal data are subject to the CCPA regulation.

(Disclaimer: These are the measure’s core stipulations, but it’s critical to consult your legal team to understand the impact of the law on your business in particular, given we’re no legal experts by any means and the CCPA is much more nuanced than what’s described above.)

As with the General Data Protection Regulation (GDPR), strict enforcement of the CCPA regulation won’t occur until mid-2020, per California Attorney General Xavier Becerra.

However, that doesn’t mean companies like yours shouldn’t modify their data collection protocols accordingly and build data privacy-oriented consent management strategies to ensure 100% compliance with the consumer protection mandate.

Sure, your company’s executive and legal teams certainly have sizable roles to play regarding CCPA compliance and preventing data breaches in the years ahead.

But the bulk of regulatory preparation, day-to-day compliance with the California law, and the work of properly securing and storing consumer data falls on growth-focused teams.

What’s more, you and your colleagues will not only need to distinguish those who wish to opt out of data usage from those who provide consent, but also maintain accurate, ongoing records of that consent over time to make sure your database reflects the most recent changes with those contacts.

In other words? You need a comprehensive risk mitigation strategy that prioritizes “bad data” cleaning (see: third-party data) and utilizes the latest in consent management tech.

Like consent management functionality offered in certain customer data platforms (CDPs), which can help your company follow the letter of the California data protection law.

Ensuring CCPA compliance a primary business goal — but not the only one

Tracking the myriad CCPA amendments made and subsequent requirements added to the California data privacy law before it went into effect certainly kept the global business community fairly busy in 2019 — and hopefully imparted the seriousness of the regulation.

(Note: You can view the full and final CCPA text here, if you really want to take a deep dive into the consumer data privacy law and understand the intricacies of the measure.)

This hard work to establish total CCPA compliance won’t have been in vain, though, for those who recognize the data regulation is actually an opportunity for them to right some wrongs regarding past (and even current) data collection procedures and usage.

By ensuring total CCPA compliance, you reduce the risk of being penalized by California lawmakers for mishandling user data (e.g., failing to remove emails and/or other personal info for those who “opt out of the sale,” improperly providing data to third parties).

Having said that, simply ensuring CCPA compliance isn’t your end game.

Rather, you and your team need to regularly revisit (scrutinize, really) how you accumulate, manage, and activate consumer data in your customer engagement efforts.

Some of the most vital questions to ask about your data protocols and processes include:

  • “Do we really need to collect all data we currently ask for from leads and customers?”
  • “Are we offering enough value to our audience in exchange for their personal info?”
  • “How can we improve the ways in which we go about asking customers for data?”
  • “Do our data collection and usage procedures comply with other data measures?”
  • “Are we doing enough to protect the integrity of contacts’ personal data and info?”
  • “Do we have the requisite tech to maintain accurate records of users’ consent?”
  • “Do we have a single source of truth where all user data can live and be activated?”
  • “If we don’t have proper tools to do these things, what tech should we invest in?”

These are all critical questions to consider internally. But it’s the latter few Qs that should be asked first. Why? Because the right customer database (see: the CDP) can help answer the previous ones and, in turn, resolve your most pressing data management problems.

Investing in the right tech to improve data management a must for companies

There are endless takes on the California Consumer Privacy Act and related consumer privacy measures from marketers, execs, and others likely to be impacted by the regulations.

The high-level takes simply shrug off the gravity of the laws (“Consumers don’t care about data use” — which, as evidenced by one CCPA survey after another, isn’t the case).

Then, there are takes steeped in self-denial and arrogance (“It may not even apply to us,” “Let’s see what happens to other brands before altering our data management approach”).

To say these data compliance takes are cold is an understatement. (“Frigid” is more like it.)

As Digiday reported, the CCPA “grace period” for brands may seem like a nice respite. The reality? Even though enforcement won’t go into effect until well after implementation, California lawmakers can still penalize companies that didn’t comply earlier in 2020.

Not only do businesses with this mindset need to start taking CCPA compliance (and compliance for similar legislation, including GDPR and PIPEDA) seriously, they need to invest in modern tech that can help them abide by the personal data measures at all times.

A consent management platform on its own is certainly a start to ensuring total compliance. But if a CMP doesn’t cover the mandates of the CCPA and other data privacy laws, you’ll only be wasting time, energy, and money on the solution.

A CDP with consent management functionality built in (see: BlueConic), on the other hand, can ensure user consent at the individual level is wholly and persistently accurate and that any data activated cross-channel abides by those consent preferences.

Case in point: A BlueConic customer wanted to guarantee GDPR compliance once the major EU regulation went into effect way back in early 2018.

Using our CDP, the brand implemented the requisite changes on its owned channels, including and especially its website, to provide opt-in and out options for visitors.

The results? The company grew its consent acceptance rate from 28% to 75% — an improvement that has aided every aspect of its marketing: from acquisition to retention.

By moving from a third-party-cookie-based consent strategy to collecting first-party data (dynamically updated and stored in our CDP’s persistent profiles), the company can rest easy knowing consent is always up-to-date and correctly designated for every contact.

Removing bad data and federating consent across your tech stack essential

The “right” business technology, in and of itself, isn’t enough to crack the consent code, so to speak, and keep your organization on the right path regarding data compliance.

There are two other essential action items to handle to ensure CCPA compliance:

  • 1) Eliminating “bad” data across your entire database ecosystem: Even with the near-end of third-party cookies, there are still other sources of third-party data companies can get their hands on to build and expand their marketing programs (e.g., data marketplaces, many of which are unreliable). Despite the continual presence of these additional sources, your best bet is to turn to the increasingly popular, far more reliable and effective first-party data: data you secure straight from your customer base.
  • 2) Federating consent across your stack: Some of the tools in your existing stack undoubtedly ‘speak’ to one another in some capacity. But a modern tech stack needs to have a dependable, single source of truth at the center that connects with all other tools. What’s more, this centralized database needs to continually alert those systems regarding the latest consent modifications among contacts.

BlueConic VP Marketing Michele Szabocsik put it best:

  • “It’s not just about collecting consent. It’s about federating it across your marketing ecosystem so you can have the confidence that, when you activate it, you won’t face any ramifications.”

The key to avoiding negative consequences (a hefty fine and diminished brand reputation)? A CDP that can tell all your systems whether one’s consent is still up-to-date.

Getting your C-suite to understand non-CCPA compliance risks a critical task

Understanding the significant value in onboarding a CDP with consent management capabilities that can enable CCPA compliance and conformity with like laws is great.

But that knowledge alone won’t do you any good if your leadership doesn’t recognize the risks associated with inaction regarding refinements to your data management methods.

Just 2% of organizations were fully compliant with CCPA requirements, as of the end of 2019, according to an IAPP and PossibleNOW survey. (You read correctly.)

That means 98% of businesses that operate in California have substantial work to do to fine-tune their data collection and activation programs and, ultimately, obey the CCPA rules.

Risk mitigation for regulations including, but certainly not limited to, the California data privacy law shouldn’t fall solely on your shoulders. It’s really a company-wide effort.

Given there will certainly be more measures on the way in the coming years, it’s wise to approach consent management as not just a means to ensure CCPA compliance, but as a cardinal component of your overall marketing and customer experience programs.

Planning a more comprehensive data compliance strategy — one that takes into account CX and data management best practices — can be a strategic advantage while providing a consistent experience for all customers, irrespective of where they reside.
