In recent years, consumers have been hit with a fusillade of headlines regarding data breaches and other privacy concerns.
The result of all of this online turmoil? An atmosphere in which consumers seem to be adopting a simple strategy when it comes to safeguarding their information: trust no one.
What’s the California Consumer Privacy Act (CCPA)?
Regulators have responded to this cultural shift with new laws intended to put control over personal information back into the hands of the people. On January 1, 2020, the California Consumer Privacy Act (CCPA)—the most comprehensive data privacy act passed in the U.S. to date—went into effect.
Under CCPA, a company that collects personal information on a consumer must disclose what information is being gathered, as well as how it’s being used. It also requires firms to allow consumers to opt-out of data collection practices, and grants consumers the power to view and erase any information collected about them.
The law applies to for-profit businesses with operations in California that meet any of the following criteria:
- Generates an annual revenue of at least $25 million
- Collects the information of at least 50,000 individuals, households or devices on a yearly basis
- Generates at least half of its annual revenue from the sale of personal information
Big Data Can Mean Big Fines
These new regulations present some serious challenges for marketers at larger companies running digital campaigns. Those more used to measuring return on investment and tracking click-through rates are now saddled with the responsibility of managing and parsing massive troves of data to ensure compliance.
Research shows that most companies are not prepared to handle the challenges of CCPA. In October 2019, Osterman Research surveyed companies on behalf of data security software company Egress to determine how prepared they were for CCPA. The results were a bit sobering; more than half of them didn’t expect to be compliant with the law before it took effect.
These firms might be playing with fire, given that those who run afoul of CCPA risk getting hit with some serious fines. Those found in violation of the law can face penalties of up to $2,500 per violation—that figure jumps to $7,500 per violation if the transgression is deemed intentional.
Those fines can add up quickly. Think of it this way: A violation on 1,000 customer records could result in a fine of $2.5 million. And those sanctions can be applied retroactively to January 1, 2020, as well.
A Precedent from Across the Pond
All of the clamor around CCPA might sound awfully familiar to digital marketers who’ve already been forced to figure out their compliance strategy for the General Data Protection Regulation (GDPR), the rule that governs data privacy and protection in the European Union.
Following its implementation in May 2018, GDPR has been closely enforced by authorities in the EU’s member states. In fact, as of January 2020, GDPR violations had ginned up nearly €430 million ($473.5 million) in fines.
Those figures might give digital marketers some idea of the financial pains they could face if they fail to stay on the right side of CCPA.
Staying Ahead of the Curve
Data privacy compliance is a tricky beast largely due to its complexity. In a recent blog post, research firm Forrester noted that third-party compliance with privacy regulations presented a potentially large problem.
“Third parties that don’t follow the same privacy policies you do can destroy not only your privacy program but also your brand, your customers’ trust, and your partner ecosystem,” Forrester Senior Analyst Enza Iannopollo said in the post. “From vendors to subcontractors to data suppliers to the partners you share data with, it’s evident that third-party risk has far-reaching implications for privacy.”
In other words, in today’s regulatory climate, it’s no longer enough for marketers to make sure they’re in compliance with privacy regulations. They also have to consider whether the vendors and partners with whom they share information are doing the same.
Digital marketers don’t just need to be compliant with the law. They also need to consider including legal notices on their customer-facing channels, like websites and mobile apps. Policies regarding cookies, privacy, children’s use and terms of use should all be made visible and easily available to consumers to head off privacy concerns before they even start.
Privacy regulation isn’t going anywhere. In fact, Washington, Illinois and at least 10 other states are currently developing their own regulations to protect the privacy of their residents, similar to the CCPA. And legislation at the federal level might not be far behind.
But that’s not bad news for companies. Better privacy policies will actually lead to better customer experiences. Digital marketers can get ahead of the curve by embedding legal and operational best practices across their organizations today.