GDPR & CCPA: Finding The Competitive Edge

GDPR & CCPA data compliance are emerging as a giant opportunity for dynamic brands to differentiate and build stronger customer relationships.

Data compliance is emerging as a giant opportunity for dynamic brands to differentiate and build stronger customer relationships.  Brands that compete against category leaders with de facto monopolies can use data leadership and privacy to seize an industry-leading role in an area that is increasingly important to customers.

By Marc Shull

With the California Consumer Protection Act (CCPA) going into effect on January 1st, 2020[1], and key lessons coming from the initial General Data Protection Regulation (GDPR) penalties that have been assessed, organizations need to understand the differences between these two pieces of legislation and how they can turn them into a strategic opportunity.

[1] In October, the enforcement of CCPA was extended to July 1st, 2020, but organizations are still expected to be compliant on January 1st.

As with all business decisions, organizations try to balance the best outcome of risk and reward, but in the case of the new CCPA legislation, those that put themselves at the forefront will see four key advantages:

  1. Strengthens brand-customer relationship
  2. Reduces risk of costly fines and litigation
  3. Addresses many similar GDPR requirements
  4. Prepares the organization for national data privacy legislation

While there is considerable overlap, there are many important differences between GDPR and CCPA.  Neither law provides businesses with a single set of rules to follow that is as clear and concise as it could be.  GDPR legislation was worded in plain language to improve understanding but directly calls out that some things, like the definition of Personal Data and extra-territoriality, will remain fuzzy to account for market changes.  In practice, this leaves the door open for different interpretations of the law, which makes it more difficult for businesses to be compliant.  Unfortunately, CCPA was not written in plain language, making interpretation more challenging, which may be why it includes some specific examples to help interpret when CCPA applies and to whom.  The sister legislation to GDPR, the ePrivacy Directive, which was recently updated, provides one of the better cases in point for how this type of legislation is imperfect, as well as a warning that this type of legislation in the U.S. will continue to evolve.

Both CCPA and GDPR represent bold steps to address growing data privacy issues from a consumer perspective and legal harmonization challenges that plague the business world, but they are fighting very different battles.  GDPR has created greater harmonization across the E.U., although there is still a way to go as interpretation and the extensiveness of the reach are just starting to be understood.  CCPA should be looked at as more of an effort to force the issue at the U.S. federal level in the hopes of one day harmonizing data privacy laws across the United States.  One unfortunate aspect of both is that they are each incomplete – but this will not stop the governments from enforcing them.

From a business perspective, if GDPR is about data collection and management, ePrivacy is about using this data for communications and other marketing activities, two things that are highly intertwined for marketers.  As state-level legislation, CCPA is not only subject to U.S. federal laws (some of which it conflicts with) but key aspects such as breach notification are not part of CCPA at all but are part of other California laws.  CCPA itself calls out one of the major conflicts as it is not in alignment with the Children’s Online Privacy Protection Act (COPPA).  Organizations will have to be cautious when dealing with California as CCPA places a higher parental consent burden than the one outlined in COPPA.

As one might expect when legislators do not consult the business world, for 10 years ePrivacy failed to distinguish between cookie types, so that if a customer browsing a website declined cookies, they could not add products to their shopping cart.  Obviously, this was contrary to the E.U.’s efforts to make technology more user friendly and was changed.  The authors of CCPA accounted for this, along with other key lessons from GDPR, but decided not to address key aspects including Erasure by Design, Data transfers outside of California, Data Privacy Impact Assessments, and the Data Protection Officer role.

To help provide greater understanding of the differences between CCPA and GDPR, we have compared the key aspects of both and provided a relative rating for how strongly they address each aspect.  As you will see, there is considerable overlap, but some key concepts, such as consumers’ right to financial gain from the sale of their consumer data, are unique to CCPA.

[Figure: GDPR vs. CCPA comparative grid]

So where are the opportunities?

Category leaders who do not act in the best interest of their customers leave the door open for their competition, and in some cases, new entrants into their competitive space.  When Marriott Hotels allowed a known data breach to persist for four years without addressing it, a clear message was sent to guests.  A message that was very reminiscent of Lily Tomlin’s SNL line… “Here at the Phone Company we handle 84 billion calls a year with a system consisting of a multibillion-dollar matrix that is so sophisticated even we can’t handle it. But that’s your problem, isn’t it? We don’t care. We don’t have to. We’re the Phone Company.”  While a terrible customer experience, it created a major opportunity for competitors to position themselves as a company that cares about customers and their privacy.

CCPA creates another interesting opportunity for data compliance related competitive differentiation.  By opening the doors to financially rewarding consumers for the use of their data, the question isn’t “will” a brand pay customers to use and resell their data, but who will be the first.  For a second-tier brand looking to make a strategic move, this creates a very interesting opportunity to change the competitive landscape.  Major 3rd party data providers like Acxiom, Infogroup, and Epsilon, who have seen their data assets become commoditized over the last decade, could use this as a carrot to improve data collection straight from consumers or see a fracturing of their industry from new entrants.  If a major 1st party data collector like Amazon were to offer incentives for data usage, the impact could be monumental.  In addition, brands themselves could set standards for their own data collection and utilization practices that let consumers determine what they are individually most comfortable with.

Both the CCPA and GDPR are the natural progression and solidification of the overall shift in the brand-customer dynamic that has been in process over the last decade and they represent a strategic opportunity for agile, forward-thinking organizations.  A version of CCPA at a national level will benefit consumers by making their rights easier to understand and defend, while making compliance far more business-friendly.  Instead of businesses trying to figure out what the ever-changing set of laws are in 50 states (not to mention foreign nations), a singular set of domestic laws will greatly simplify life for technology, product, marketing, and legal teams at every organization.  While CCPA is not a national law it is a first step.  How businesses adopt this law into their company cultures, processes, competitive positionings, and brand experiences will set the foundation for their success in an era where data privacy legislation will continue to grow.


Over the last 20+ years, Marc Shull has worked with businesses ranging from regional non-profits to large multi-national corporations across a diverse set of industries including Visa, Party City, Aetna, Del Frisco’s Restaurant Group, General Mills, Miller Coors, Procter & Gamble, Prudential Capital Group, Polska Grupa Farmaceutyczna, Wrigley, Safeway, and Wal-Mart.

Most recently he and his teams brought ground-breaking real-time technologies to market that turned big data into practical, actionable insights and aligned his organization – and their 100+ clients – with new international data privacy legislative requirements.

Marc has a B.S.B.A. in Marketing from Ohio State University and a M.B.A. from the University of Notre Dame.

Photo by Matteo Vistocco on Unsplash.
