CCPA Readiness Similar to GDPR?

On May 18, 2018 - the day the EU's General Data Protection Regulation was enacted - the UK Information Commissioner, Elizabeth Denham, appeared on TV and assured businesses that May 25 “is just a date” and doesn't mean the ICO starts dishing out fines when the clock strikes midnight.

But the Irish Data Protection Commissioner's office seemed to have a different view, when Deputy Commissioner John O'Dwyer made clear that "There is no grace period. The grace period ends the 25th of May."

Fortunately for businesses that are covered by the California Consumer Protection Act, fair warning has already been given that although the CCPA comes into effect on January 1, 2020, the actual enforcement of the Act will not begin until July 1, 2020 – in effect providing an unstated “period of grace” of six months for affected organizations to get their act together.

No doubt this 'extra time' will bring a sigh of relief from countless numbers of businesses who are still struggling to achieve CCPA compliance.

However, as the January 2020 “deadline” creeps ever closer, there still remains a high degree of confusion and concern, as several amendments await their fate. Last month, government officials voted on seven amendments covering everything from information collected for loyalty programs to consumer access request methods. The legislature has until September 13, 2019 to pass bills.

In March 2019, a poll was conducted by the International Association of Privacy Professionals (IAPP) and OneTrust, revealing that 55% of US privacy professionals planned to achieve CCPA compliance in time for the January 1, 2020 enactment date. Approximately 25 percent said they were aiming to be ready for July 1, 2020, when the new law will be enforced.

Lauren Fisher, principal analyst at eMarketer, said, “Similar to what we saw with GDPR, there’s a wide range in readiness for CCPA.”

According to the CCPA, any business that has an annual gross revenue of $25 million or more, or businesses that buy or sell the personal data of more than 50,000 individuals and derive more than 50 percent of their annual revenues from the sale of personal data, must comply with the following:

  1. A business must notify consumers what Personal Information is being collected from a consumer, how that Personal Information is being collected and used, and whether and to whom it is being disclosed or sold. These disclosures generally should occur through a privacy notice, and specifically upon request by a consumer.

  2. Consumers must be presented with an easy, simple and straightforward process to opt-out of having their Personal Information sold to a third party. Consumers who are under the age of 16 must affirmatively opt-in in order to allow their Personal Information to be sold. A business must receive the consent of a parent or guardian for children under the age of 13. Finally, a business must post a “Do Not Sell My Personal Information” link on its homepage, which allows California consumers to easily exercise that right of opting-out.

  3. Consumers may request a business to delete their Personal Information, and businesses must inform consumers that they have this right. Businesses must comply with these requests and ensure the consumer’s Personal Information is also deleted by third-party contractors with whom the business may have previously shared that consumer’s Personal Information. There are some exceptions to this requirement, such as if the Personal Information is needed to complete a transaction.

  4. A business cannot discriminate against a consumer who exercises his or her rights under the CCPA. Generally, the CCPA prevents a business from charging a consumer a fee because he or she exercised a right under the CCPA. However, the CCPA does allow a business to charge a different price or provide a different level of service to customers if “that difference is reasonably related to the value provided to the consumer by the consumer’s data.” Businesses can offer consumers financial incentives to allow Personal Information collection.

Since the CCPA was heavily influenced by the GDPR, it’s not surprising that both privacy laws provide consumers with a much clearer understanding of how to access the personal information businesses hold on them.

However, there are some fundamental differences; the biggest of which is the opt-out consent required by the CCPA, as opposed to the GDPR’s opt-in consent.

Interestingly, one of the major effects of the GDPR was a marked reduction in numbers of individuals whose details occupied mailing lists and marketing databases, for rental or sale.

Lauren Fisher said:

Because CCPA is opt-out vs. opt-in, we’re not anticipating marketers’ databases will take as big of a hit, … But so much of that is contingent on marketers and the customer experience they craft—and the expectations they set. Marketers failing to uphold practices that make consumers feel comfortable with sharing data are likely to feel the effects.

Will CCPA Echo GDPR’s Impact on Marketers & Consumers?

Shortly after the enactment of the GDPR, there was an assumption that consumers would experience improvements in the way businesses used their personal data, given that those who remained opted in were still interested in the information sent to them and were willing to share that information in certain cases. But that's not quite the way things turned out.

While a few marketers reported an increase in trust among consumers, others claimed that the new regulation created a greater degree of irritation.

A 2018 CMO Council survey, conducted in partnership with SAP, revealed that in a global poll of senior marketing executives, 65 percent said that the GDPR had created a much greater awareness of data and security issues among their customers, while 43 percent of respondents said it had increased trust. 24 percent reported that the GDPR had caused an increase in consumer irritation because customers now had to take extra steps in order to opt in.

It appears evident that since the GDPR became law, many digital marketers have made significant efforts to improve their data-centric activities, by ensuring their data collection and processing is GDPR compliant.

In her report entitled Digital Marketing in Today’s Privacy-Conscious World, Fisher says:

Mandates that businesses prove data is collected only for ‘legitimate business interest’ and is encrypted and protected have some companies thinking twice about how much data they really need.


Sources & credits: eMarketer