For US companies in the data business, and for marketers generally, 2020 means the official enactment of the California Consumer Privacy Act (CCPA). California is the first state to impose comprehensive legislation around data handling, privacy and transparency. The act holds businesses accountable for data tied to California residents or employees living in the state, even if the business is based elsewhere.
US marketers have been through this initiation period before, with European GDPR regulations. Already, over a dozen other states have some bill in the works for regulations of their own, ensuring that a new era of regulations is in full swing. Such regulations raise the stakes for businesses by requiring compliance and imposing penalties, opening up businesses to financial risk. Now, businesses could also lose data if individuals assert their right to have it erased.
In the leadup to CCPA, and also now that it’s official, issues of compliance and interpretation are still open, as companies look to their legal teams for guidance on the capabilities and portals they need to provide to consumers to comply.
PwC lists five CCPA requirements that may have the biggest impact on businesses, although this again is up for interpretation:
1. Data inventory and mapping of in-scope personal data and instances of “selling” data
2. New individual rights to data access and erasure
3. New individual right to opt-out of data selling
4. Updating service-level agreements with third-party data processors
5. Remediation of information security gaps and system vulnerabilities
Jeff Nicholson, VP of CRM product marketing at customer engagement platform Pegasystems, sees a disparity in the way companies are responding to the new regulations, due to individual interpretations and varying levels of readiness.
“It’s been a slow burn when it comes to CCPA readiness,” Nicholson told me. “Even though details around the CCPA were announced and publicized for months leading up to the Jan. 1st go-into-effect date, many businesses seem to have been caught flatfooted. Many were not ready when GDPR took effect, and the same goes with CCPA.”
He added, “Businesses are essentially tasked with coming up with their own interpretation of what it means to comply. It’s not one size fits all. Various industries, and even businesses within each industry can have very different interpretations. And these interpretations will likely change over time.”
Those bracing for a big change on day one haven’t seen it. But that doesn’t mean shifts in consumer sentiment and behavior won’t occur at some point down the line, compelling marketers to adapt if they haven’t already.
Chris Harrison, President of identity resolution vendor FullContact, stressed the importance of getting out ahead of new regulations and anticipating what other states will enact.
“Our stance is that clarity and the more clear state laws that are written is a good thing, because it provides boundaries for companies to work within,” Harrison told me.
“We believe that the way the interpretations of CCPA mostly fell, in terms of the things that impact businesses, are already encapsulated by what we’re doing,” he stated.
While stricter regulations around data might pose a challenge to companies in the identity space specifically, it creates an opportunity for identity resolution.
“Identity resolution is a critical component to make sure brands and publishers are compliant,” Harrison said. “Companies need to identify the people themselves. If you don’t know who they are, you don’t know, most importantly, what state they live in [and which state regulations apply].”
If most consumers don’t immediately become more proactive about their data rights out of the gate — taking advantage of all rights afforded by CCPA to opt-out, erase data as so forth – the regulations point the conversation about privacy in the right direction, helped along by increased transparency.
“I believe in terms of attitude, you’d be hard-pressed to find a person that doesn’t want more transparency on the type of data companies are collecting on them,” said Harrison. “Consumers ought to have the ability to see that information transparently for each of the brands they’re working with. And companies need to apply it across channels. The sentiment has been there, and every time someone sees headlines about a data security breach, they don’t want to be surprised any longer.”
Nicholson also considers big data security news as a contributor to the consumer awareness about their data, and a potential cause for an influx of request. The next story comparable to the Cambridge Analytica scandal will force companies to be “prepared to promptly respond to the volume of consumers who exercise their rights,” he said.
According to Nicholson: “We see a number of companies thinking about the big picture, developing technology strategies to automate digital requests, not just route them. This allows them to best scale with greater volume and reduce errors out of the process. When they conclude what it means to comply, as well as establish automated service level agreements and escalation processes, that will create the bedrock of what they need. This is done via technologies including dynamic case management, and robotic process automation, for end-to-end orchestration.”
Nicholson also sees an opportunity for businesses to build trust with consumers.
“A great number of organizations look at this moment as an opportunity, to show that they really do care about proper use of their customers’ data,” he said. “It’s not just good for compliance, it’s good for business.”
Andrew Frank, distinguished VP analyst for research and advisory company Gartner, finds the overall effects on consumer privacy to be “indirect.”
He said, “The most visible effect on consumers is the appearance of abundant roadblocking banners that warn them about opting in and opting out, and that’s not perceived generally as a positive thing.”
He added, “Privacy is such an abstract concept, and details are really obscure, so nobody can define what it is. Even if they want it, they don’t want it to be a burden that they didn’t have before.”
Frank cited GDPR as an example of the increased steps and overall burden consumers aren’t likely to embrace, even though there were measures to empower consumers about their data, and even sell it for financial gain.
“In the EU, there is concern that consumers will be exploited by not truly understanding the value and implementation of the contract they’re signing [to sell their data]. On one level, it sounds like a good idea. But it puts a lot of burden on the consumer to understand the risk when they enter into these data agreements.”
For advertisers, Frank believes the biggest concern is “to what extent they will be able to target ads and measure effectiveness when third-party data cookies become more scarce and difficult to manage.”
Data is an important resource for brands, and any change to the way they can communicate with customers quickly becomes a challenge to their bottom line.
To remain nimble, Pega is making their CCPA compliance updates easy to be further updated, automatically, across channels, so that brands don’t have to waste additional resources constantly updating protocols.
Even without a jarring start to the new year, marketers are keeping a close eye on the gradual effects that new regulations will take.
“In the past,” Nicholson explained, “there was the opt-out effect, where consumers were given the power to opt out of a newsletter or marketing campaign. But the organization still had their data, and they still used that data to understand CLV and apply it in other ways, such as during inbound interactions to focus the conversation. This legislation takes consumers’ rights to their data a grand step further. Now, when customers exercise their right to erasure, the business will in effect, no longer have access to that data associated with the individual at all. They can no longer use it to influence their lifetime value.”
Even if new regulations somehow improve consumer trust and encourage them to share more data, this data will remain a precious commodity.
An additional opportunity for marketing tech vendors, then: what predictive modeling, segmentation capabilities with existing sets, or solutions not even conceptualized yet, will enable marketers of the future to do more with the data they already have?