What You Need to Know About the California Consumer Privacy Act

January 07, 2019

Just as companies are getting comfortable with GDPR, a new data privacy law has appeared on the horizon: the California Consumer Privacy Act (CCPA). While CCPA is similar to GDPR, there are key differences that marketers should understand.

Starting in 2020, if you are a resident of California, CCPA gives you the right to:

  • Know all data collected on you by a business
  • Say no to the sale of your information
  • Request that a company delete your data, and take private action against any company if your information is not removed after this request. If information about you was held in a non-encrypted format at any time, such as an Excel sheet, and that information is not deleted upon your request, you can sue.
  • Require opt-in before the sale of children’s information (under the age of 16)
  • Know the business or commercial purpose of collecting your information
  • Be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection
  • Know the categories of third parties with whom your data is shared
  • Know the categories of sources of information from whom your data was acquired

These last few bullet points are where things start to get tricky, and where marketers need to start preparing now in order to be compliant by 2020.

The first step to compliance is auditing all of your current systems to ensure you know where data is being stored and that all data being stored is properly encrypted. For enterprise-size companies, data can be ingested from several different sources and stored in a variety of places, so it is up to the company to perform an audit and ensure the proper steps are being taken to track and encrypt all first-party data. A customer data platform (CDP) can be a useful tool for performing such an audit, as it will display all source system IDs and source customer numbers, revealing where customer data is living outside the CDP. If you don’t have a solid grasp of where your data is being used, and what data is being collected, you run the risk of a piece of data falling through the cracks and not getting deleted, therefore opening your company up to a potential lawsuit.

During this audit, we highly recommend deleting the email addresses of customers who are non-responsive. This is an easy, proactive way to ensure you won’t receive a request later down the line, which will lead to a much more complicated process than a simple email delete. Once you have completed an audit of your data sources and storage, you also need to ensure there is a simple way for your company to quickly delete the entirety of someone’s data if they request it under the CA Data Privacy Act.

“Know the categories of sources of information from whom your data was acquired” -- this CCPA mandate is where the law is the most vague; there isn’t much clarity around what is considered a “category.” Therefore, some argue that digital advertising and retargeting could be included, even though cookies are being tracked, not PII data. If you are utilizing cookie tracking when someone visits your site, and sending the cookies to a third-party vendor for digital advertising purposes, this could legally become an unauthorized breach according to the new law. While tracking and deleting PII data can be simple, cookie tracking could become a significant new hurdle marketers will need to overcome for compliance.

The first step to staying on top of this is to begin offering a digital advertising “opt out” button. Similar to an email opt out, this is an additional checkbox that allows consumers to let you know that they would like to not receive digital advertising from your company. The second (and most important) step is utilizing a customer data platform to ensure the digital advertising opt outs are properly suppressed. A customer data platform like AgilOne is integrated with most digital advertising vendors. A CDP can take the digital advertising opt outs and create segmented lists of those individuals to suppress from our digital advertising partners. Additionally, a customer data platform allows you to stitch together all the data you are collecting on an individual in one place, allowing you to see where the data is coming from, what data you have collected, and easily delete someone from your system if requested in accordance with GDPR or the CA Data Privacy Act.

If you would like to learn more about how AgilOne can help you better track your first-party data, and ultimately help you stay in compliance with privacy laws, please contact us to set up a quick discussion.