Thanks to the new GDPR requirements in the EU, consumer data privacy has been a prominent discussion topic among CMOs. But most US marketers are only marginally familiar with it as they tend to let their European counterparts deal with the details and execution of compliance. That is about to change. The State of California passed its own consumer privacy law at the end of June. Clearly inspired by GDPR, the California Consumer Privacy Act (CCPA) of 2018 will require you to manage the personal data of a significant portion of Americans in a whole new way.
In short, data collection is becoming more complex and data privacy is a huge issue. Beginning in January 2020, if you gather personal data on California residents, you’ll have to comply with a new set of data management obligations, including disclosing to consumers what data you are collecting on them as well as with whom it is shared or to whom it is sold. Californians can demand that you stop selling it (aka “the right to opt out”) and even delete it altogether. What’s more, under CCPA, you cannot charge consumers a higher price or provide a lower level of service (within reason) if they choose to exercise their new rights. Finally, be aware that minors under the age of 16 must now explicitly opt in before you can sell their data, while children under age 13 must have parental consent.
And think carefully about how to make sure your customers can get in touch with you. CCPA mandates that you make it easy for them to invoke their new rights: you must provide an 800-number for consumers as well as a prominent area on your website explicitly labeled “Do Not Sell My Personal Information.”
Who is affected?
You may be wondering if your organization is required to comply with this law. If you have customers in California, the short answer is, “most likely.” Specifically, you must comply with CCPA if any one of these three conditions applies to you: 1) you have annual revenue of at least $25 million, 2) you buy data on 50,000 households, individuals, or devices, or 3) at least half of your revenue is generated from consumer data. That means that startups, as well as mom and pop-type businesses, are given a lifeline while most marketing, technology, services and media companies, and many others, will need to comply. Note that there are certain additional exemptions built in, such as for healthcare providers and select others already covered by industry-specific data privacy requirements.
What if you do nothing?
Non-compliance is costly. If you fail to respond to consumer data management requests, expect the California attorney general to fine you $7,500 per incident. In a state with a population of almost 40 million people, those penalties can quickly add up to many millions of dollars.
Data breaches can potentially be even more expensive. CCPA empowers consumers to sue for a minimum of $100 per incident. To put that into perspective, the Target data hack of 2013 affected an estimated 5 million Californians. The company ended up settling for $18.5M across the entire country. Under CCPA, Target would have been liable for at least $500M in civil suits in California alone. Meanwhile, last year’s infamous Equifax data breach affected approximately 18 million California residents. CCPA-backed civil litigation would have easily reached into the billions of dollars. Fortunately for both companies, the law did not exist at the time.
In short, doing nothing is your worst option.
How CMOs can take advantage
Rather than fearing new restrictions and requirements, you can seize on them as an opportunity for competitive differentiation. If GDPR is any indication, most of your competitors will still be scrambling to implement new compliance processes just weeks prior to the new law coming into effect. As a customer-centric marketing organization, you can help your business stand out by being transparent and proactive, boosting your customers’ trust in you and building greater loyalty.
Consider if any of the following steps make sense for your organization:
- CCPA was passed in record time and with only minimal publicity, so most consumers are not aware of it yet. Proactively educating your customers about the law and their new rights will probably reflect positively on you.
- Review your data collection practices and infosec processes. Sensitive or personally identifiable information should be redacted or encrypted. And let customers know that their information is safe with you.
- Consider going all in: if you sell consumer data, ask your customers to explicitly consent (opt in) to having their data shared, perhaps by offering them a discount or incentive.
Communicate early, be transparent
By being more transparent and proactive about data privacy, you have the unique opportunity to set yourself apart from the competition. Some executives may be skeptical of embracing CCPA in such an open manner. However, as customer advocates, it is marketing’s role to educate others within the organization about how this will ultimately lead to competitive advantage.
Regardless of how open your company ultimately chooses to be, the fact remains that CCPA is going to change consumer expectations about the way their personal data is managed. Now that the precedent in the US has been set by California, it is reasonable to expect that other states will follow suit. Rather than fighting the tide, you might as well proactively ride the current.
Abdul Rastagar is a B2B marketing professional and digital and future enthusiast.