Editor’s Note: If you’re not at least thinking about data privacy issues right now then its high time to start. CCPA became law in California just over a week ago and some version of it is likely to become the law of the land across the United States soon. And lest you think this is just another business hurdle to check the box and move past, CCPA has some significant conditions that GDPR merely foreshadowed. Companies need to be vigilant for CCPA blindspots.
“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media. Today’s column is written by Shane Nolan, senior vice president of consumer and business services at IDA Ireland.
The golden age of gathering data through technology for marketing purposes was lucrative for many companies, but this era appears to be over now that powerful new consumer privacy regulations have been adopted.
By Shane Nolan
First came the European Union’s General Data Protection Regulation (GDPR), followed by the California Consumer Privacy Act (CCPA), clearly demonstrating that a new approach to consumer data has become the trend worldwide.
Rather than a temporary trend, this seems to be a sea change that reorders the way companies do business, but based on various surveys, a notable percentage of companies – from 56% to as many as 88% – say they aren’t ready for CCPA, which became official on Jan. 1, though enforcement does not begin until July 1, 2020.
Whether due to confusion about the law, denial, lack of funding to comply or some other reason, many companies aren’t where they should be, and several blind spots have emerged that are preventing companies from taking the necessary steps needed to be on the right side of CCPA.
CCPA Blindspot No. 1: Companies think they have enough time because enforcement won’t begin until July 1, 2020.
While it’s true that enforcement won’t go into immediate effect, it’s wise for companies to grasp just how significant CCPA is in the scheme of things: California consumers will now have the power to see personal data gathered about them, know all third parties who’ve been given this data and have the right to be removed from databases, whether online or offline.
This is a massive change, and compliance will take time so there’s no benefit in waiting. We’ve worked with companies that have prepared for GDPR, and we’ve seen that while most companies think they have lots of time, having a few extra months to get organized can be beneficial.
CCPA Blindspot No. 2: Marketers think it makes more sense to see how CCPA will be enforced before taking action.
As with GDPR, CCPA enforcement may start small but it will inevitably grow so the smart approach is to avoid penalties by taking the time to reorder how consumer data is handled. Waiting too long makes it difficult to put systems in place and test them before regulations go into effect, so the best mantra is to build compliance into the development cycle rather than bolt it on at the end.
Fines can be steep for violating consumer privacy regulations. The CCPA may penalize companies $2,500 for each record of unintentional violation and $7,500 for each record of intentional violation. This is for each record but a company could have hundreds, thousands or even millions of data records.
CCPA Blindspot No. 3: Marketers who complied with GDPR don’t need to worry about CCPA because they’re similar.
While there’s the obvious difference of GDPR covering European customers and CCPA addressing those in California, there are some similarities between the two regulations and some departures. Being GDPR-ready means that a company has privacy-protecting processes in place, which is helpful for implementing CCPA. However, CCPA in some ways goes beyond the scope of GDPR, so it’s best for companies to seek advice on how to best prepare. CCPA focuses on for-profit businesses, which makes it a bigger deal for many marketers.
CCPA Blindspot No. 4: CCPA won’t apply to my company so I don’t need to worry about it.
The wisest strategy is to internalize company requirements for CCPA and appoint someone in house to manage compliance. It applies to companies with annual gross revenues of $25 million or more; those that buy or sell more than 50,000 individuals’ data; and companies that make more than half of their annual revenues from selling customer data. It’s surprising how many companies fit into this box. CCPA also applies to companies located outside the state that hold the data of California residents.
The concept of protecting customer privacy is on a roll that isn’t likely to diminish in 2020 – some think that other US states and countries may jump on this bandwagon. The best approach is similar to what companies have done to prepare for GDPR: Have a well-practiced system of identifying customer data, let customers know and follow their wishes.
Shane Nolan is SVP, Consumer & Business Service at IDP Ireland.