Brand Marketers’ Guide to Privacy and Security with CCPA
In a recent episode of our agency podcast, The Marketing Remix, we discussed how the shifting landscape of data handling, consumer privacy, and the California Consumer Protection Act (CCPA) will affect the modern marketer.
In this two-part blog series, we continue our conversation about CCPA, focusing on two key aspects – Privacy and Security, then Compliance and Maintenance. In part one, we explore privacy and security according to the CCPA, as well as the impact and opportunities businesses can expect when the regulation goes into effect on January 1, 2020.
Privacy and security are related
Privacy is any right a consumer has to control their personal information, including how a brand uses that information. Security is how your personal information is protected.
“California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information.” – California Consumer Privacy Act
Brands are accountable for consumers’ privacy
Data, a consumer’s identifying information, is at the center of the digital marketing revolution. Most consumers are becoming acutely aware of this pervasive use and are starting to understand the value of their data to brands. Before the enactment of the General Data Protection Regulation (GDPR) in Europe and the CCPA in California, consumers had little rights or protection from their data being used or sold at a brand’s discretion. While most brands are respectful of their customers’ and prospects’ data, things like privacy policies and intended use claims are buried deep on pages that the average consumer never sees — and it is unlikely they have the desire to wade through all that lawyerly terminology.
California is empowering consumers to control the personal information collected by companies. Brands must be more transparent with their customers if they sell or disclose personal information. Consumers will have the ability to deny the sale or disclosure of their personal information to a brand for use in profiling (personalization) or to a 3rd party. If a consumer does permit a brand to collect personal information, they have the right to receive the personal information collected about them.
With this change in the law, brands and businesses have an opportunity to show consumers that they respect their privacy and value the information being shared. The language of the CCPA encourages a value exchange between brands and consumers. It also calls out that a brand cannot punish consumers for not sharing information; they must receive equal service even if they opt-out of sharing their data.
Marketers — and the technologies used to provide consumers with timely ads, personalized emails, and experiences — run on consumer data. Without that juicy data, it’s back to the days of spray-and-pray, hoping that your marketing messages get to the right people at the right time.
The primary opportunities that the CCPA offers brands are the high value of the data and the ability to reward consumers who share such data. This past July, Amazon offered “Prime Day” shoppers a chance for $10 off their $50 or more cart totals to install Amazon’s browser extension. Getting $10 off your bill and in exchange letting Amazon follow you around the web — recording every website and click — seems like a lopsided deal for consumers. However, it’s an acknowledgment by Amazon to the value of personal data. What are you offering consumers who share their data with your company?
With the pace of technology, it’s essential to consider and plan for information collection in its current form, be it by mail, email, web form, IoT devices, or biometric devices, as well as whatever the future will bring — think sensors, scanners, chatbots or perhaps nanobots.
Security is the new Currency for Consumers' Trust
The CCPA states that your company must, “…implement and maintain reasonable security procedures and practices…“ Exactly what constitutes reasonable security in the CCPA’s text is a bit vague. Should your brand experience any unauthorized access, infiltration, theft or disclosure of consumers’ personal information, this “reasonable security” will end up getting defined by the court.
One thing is certain: if you store personal information in a digital format, it must be encrypted. Today’s technology makes encryption of data an obligatory endeavor. Un-encrypted data is the equivalent of leaving your password written on a Post-it Note stuck to your monitor.
Security-minded teams talk about when, not if, infiltration happens on your network. Thus, today’s internet-connected systems are continuously being scanned and tested. We’re overdue for the adoption of a security-first mentality in every company. Security is not just the responsibility of IT or leadership; it’s part of every employee's job. If you’ve yet to adopt a security-first strategy, start by reading this 10-point security-first checklist as a primer for adoption at your company.
In summation, the CCPA provides a consent-based opportunity to obtain consumer data. It’s important to note that it also outlines the penalties for not keeping that data secure or using it beyond consumers’ permission. In reality, brands can face a $7500 fine for each violation.
It’s worth it to respect permissions and keep consumer data secure. As Instilling trust in your brand is crucial for your marketing team or other 3rd party marketing teams.
Remember: It’s Not Security vs Privacy, It’s Security and Privacy
You cannot ensure consumers’ privacy without securing their personal information. The CCPA is forcing all companies in California — and companies who deal with California residents — to adhere to California regulations. It is only a matter of time before additional states or Congress enact similar laws.
Providing the tools to let consumers consent to data collection, along with denoting how and who can have access, is the first step in building a trust-based relationship for data sharing. Giving consumers assurance that your brand will adhere to their consent allows for a deeper marketing connection. Consumer trust comes in the form of allowing them to see their collected data and giving them the ability to request the removal of this data.
The CCPA is the price for operating in a world where data is collected at the speed of light.
Read on for part two of our CCPA series, as we explore who will be affected by the regulation and highlight the required changes for your digital properties and data collection processes.