On January 1, 2020, Californians will ring in the ‘new year’ with the California Consumer Privacy Act (CCPA). The data privacy law is the latest in an alphabet soup of legislation – GDPR, anyone? – that governs the use of consumer data. But before the requirements go into effect, qualifying businesses need to make their data protection and user privacy policies compliant — or risk paying the high price of negligence.
In this episode of The Marketing Remix, Dennis Gonzales, Chief Operating Officer, and Ron Hadler, Sr. Director of Marketing Technology, will explore how the shifting landscape of data handling, consumer privacy and CCPA will affect the modern marketer.
What is the California Consumer Privacy Act (CCPA)?
Ron: Sure. As we had already talked about the GDPR here on the podcast, it is another piece of legislation passed to protect consumers, protect the data that is just proliferating out there on the web and making sure that brands, companies use the data in a respectable manner.
Reid: Yes. You said GDPR, remind us again for those who maybe... I mean I'm surprised if they missed that episode of us, but here, GDPR is what again?
Ron: General Data Protection Regulation.
Reid: That's right, that's in Europe, right?
Ron: Absolutely. It's for all those Europeans, and that is what kind of like snowballed these regulations. Not only do we hear the CCPA being really aimed from California and starting that, but this will eventually come at the federal level.
Reid: That's the thing that we're thinking of here, it's gone, Europe, California moving on, and so that's a big reason why we're talking about it because everyone's going to have to deal with this, everyone everywhere.
Ron: Well, I mean just this morning it was announced that FCC has leveled a $700 million fine for the Experian breach. It's not just the fact that it's happening, but it's really expensive to have these things happen.
Reid: It's the FCC won't let me be, I think that was Eminem. Maybe a little old. At a high level though as it relates to the marketing side of it, what is CCPA going to mean for marketers? Because that's obviously the folks who are listening mostly to our show, what rights will consumers soon have and how do marketers have to deal with that?
At a high level, what will CCPA mean for marketers? What rights will consumers soon have?
Ron: It's very similar again to the GDPR. There's lots of little things that allow us to have a hold on that as far as being transparent. That means readily having access to your privacy policies and your terms of service, what you intend to do with that data, who you share that data with is important. Also, asking consent of those consumers visiting your properties, making sure that they are okay with you using that data, especially if you're going to sell. Just also being trustworthy and not using that data in other ways that you're going to say you're going to do it.
Reid: People have to understand, when you're going to use my data, what are you going to do with it, where it's going to go. That's generally what marketers long-term have been accumulating all this data because they want to use it for promotional purposes and outreach, but now you have to be a lot more explicit about it.
Ron: Yes. That is what's going on. You see that anytime you're visiting websites because there's so many international websites of brands that people are visiting, and they're just putting this in by default now. This is the normal mode of operation, and it should be in... I think regardless even of just preparing yourself for CCPA, is this is what marketers need to do in general. Get ahead of the curve, don't be behind it, and do that mad rush to get all of this done. Have the ability to ask consent, but then log consent. Have the ability to understand where your data goes, who you share it with. CCPA in particular, are you selling that data? Be very, very careful there because that is really the difference between GDPR and CCPA, is they're really concerned about people selling that data.
Reid: Right. For the most part then, if marketers are maintaining control of it and probably at a baseline level just kind of restricting how much they put out and give it to other partners, and people like that are probably is a first level of defense, it's just to keep it to yourself for the most part. What I'm concerned about is how it's such a default at this point that maybe brands, and I'm going to turn this over to you, Dennis, to talk a little bit about this idea of brands may be paying this a little bit too much just lip service and say, "Oh I've, I've kind of checked the box. I've put a privacy policy out but, I mean done." That's the concern and the risk that I think that a lot of brands have at the moment. What do you think, Dennis, what do you think brands are going to need to do to not just pay lip service to it, but to make sure they're actually complying?
How does CCPA differ from the legislation outlined in Europe’s GDPR? What happens when a business fails to comply?
Dennis: Well, marketers definitely have to be much more engaged, most specifically at the C-suite level working with CIOs and CFOs because they do need to understand how they're going to manage that data from a security perspective. Because there are requirements for CCPA not just managing the data, but if they do get a request to then say delete that data that a consumer requests or a consumer requests that they want to be deleted, they have to be able to then do that. Working with their CIOs or their technical departments to do that. Another instance is working with their CFOs, obviously, this is going to take an investment. There's possibly some liabilities that will need to be understood. Working with the CFOs, CFOs need to be in tune with that. Obviously, because of the third-party concerns that you mentioned, Ron, working with the council, working to modify and develop the appropriate agreements so that when they do work with the third parties, that they have the right agreements in place.
Reid: One of the other parts of it you mentioned was obviously the financial component of this, making the investment, understanding the risk, but on the other... the balance of all this stuff is not just the financial risk of all of this, but what does this mean to a consumer if there is in fact a breach or they can't, as Dennis was saying, the company can't delete the records that a consumer asked for? The way I would see it is there's just the reputational risk, and that's even far bigger in a lot of ways, don't you think?
Ron: Absolutely. I mean here again, we just saw it as I said, the gigantic fine the FCC levied, that is just hurting their business like crazy and they're having to provide coverage for all those people because they collected very important information. If you're collecting just PII, personally identifiable information such as name, address, phone number, that's a lot less risk than collecting social security numbers or credit card payments and things like that.
Reid: They do see that differently then?
Ron: Yes. That that is going to level. When it comes to like a breach or not complying with CCPA, they're still going to get let levied, but if the FCC gets involved, what gets exposed, they're going to market and your fines will be much different.
Reid: From a marketer standpoint then going back to that is, is this also going to start setting a stage where they maybe don't want certain information and say, "You know what, just, I don't even want to deal with that", or even maybe with their IT department saying, "Look, this is information we just don't even want to collect."
Ron: The feedback we've got from GDPR is that, when it first came out everybody was like, "No, don't, don't, don't follow me. No, don't, don't collect information on me." Now, what the consumers are learning is that if I don't give up some of this information, I'm not going to get the features and the benefits that this brand offers me. There's a value exchange there. I as a consumer are willing to give up some privacy, allow somebody to use my data to get better marketing, get better recommendations, personalization, which is a lot of what's going on, in personalizing ads, emails and websites based on the information you're sharing with a brand.
Reid: From that standpoint, this adds another role or a thing that a marketer I guess has to do is explain what a consumer might be giving up if they don't provide this information. While it adds more to their job to say, not just market to a consumer but market to a consumer why they might want to give us information and what that quid pro quo is. I know that's obviously just, again, more to do, but I think it's more of a... it creates the relationship a bit more with the consumer.
Ron: Yes. You brought up the term quid pro quo, it's one thing for another. Amazon's actually taking it even further than that, and they're offering you $10 to give up your information so you can go ahead and... they are just gathering information like crazy for $10 which, as a customer acquisition cost is pretty cheap.
Reid: Yes, I would imagine, or is it a retention thing too. If you're giving them that information and you're getting these great benefits from them having that information, and then you don't get that same experience elsewhere, you maybe decide to work more with Amazon or whatever brands choose to do that because you're like, "Wow, this experience is so much more seamless over here", and maybe not as a consumer recognize that it's because you gave them all your information.
Ron: I think that's absolutely where it's at. You're going to end up as a brand, providing more value and not just necessarily getting that information. The end point is yes, you're going to get your sale, your consumption of services, but you're going to have to give a little bit more. I think experience is definitely one of those things where you can differentiate between brands as to what they are getting for giving up.
Reid: Yes. You have to get active about this and recognize that it isn't necessarily about compliance, but it's actually about enabling, and empowering, and some of the things you can do from a marketer to a consumer, or to ultimately their customers, somebody who they actually have a relationship with. How can marketers maybe prepare for the arrival of CCPA right on the heels of GDPR to organizations can move past just compliance? I know Deloitte has described GDPR and CCPA as strategic imperatives for the modern CMO, but again, what do we need to do to enable this and get past compliance? Dennis, what do you think about that?
Deloitte has described “GDPR and CCPA as strategic imperatives” for the modern CMO. How can marketers prepare for its arrival? What can organizations do to go beyond mere compliance?
Dennis: Getting past compliance, I think right now because we have several months before it's actually implemented, CMOs are in a good spot where they can be proactive about this. Putting themselves in the shoes or listening to their customers and/or the audiences, they can be proactive. Start to think about how they want to get the right processes in place, have the right, I'll say communication so that they can be proactive and make their customers feel safe, and develop a sense of trust that when it does come. Or it's here, and they need to be able to stand that their data is going to be safe.
Reid: Yes. Given that this a podcast can we give context here is we're in July right now, July 2019, so there is a little bit of a window here, but it's going to creep up pretty darn fast and particularly have other things to do and other priorities going on as well.
Ron: I've got a little bit of a caveat there. Not to want to make people sit back and have more time, but essentially, even though the law is going into effect on January 1, 2020, brands will have until the July of 2020 to actually get their website's compliant. They do have additional six months to make that happen before the attorney general can come down on you and start levying funds.
Reid: Do you feel like we have a good sense of what real compliance is at this point? The reason I say that is because I know that a lot of times people go, "Well, you know there's, there's all these rules and, and, and laws or whatever, but no one's completely clear on this stuff." Since GDPR already happened, do we feel like we have a better sense because of that moving into CCPA.
Ron: There are a lot of differences between the CCPA and GDPR. GDPR was onerous in the amount of rules that it had, CCPA is a lot clearer cut about what needs to be done. There are some gray stuff that is going on, but for the most part, it's pretty simple as to how to kind of get there for compliance. I think there's even the point that the law could change prior to 2020 also, it's definitely always up for grabs.
Dennis: One of the things I've heard is that the CCPA includes the concept of households and the data you collect for households. What does that mean right now? They're still trying to amend what the details are for that. Things could change, but yes, six months would come up pretty quicker.
Reid: Do you feel like the root of this, I mean, it's just as described as around the consumer privacy and the empowering the consumers, putting this data or these relationships with brands in their control compared to what I've got. I kind of felt GDPR came from the other end of things and was a little bit more onerous as it relates to nothing, nowhere, anytime, any place. Whereas in this case, I think they say, "Look, consumer, as long as you know what's happening, um, you may want to, uh, have this relationship with a brand", like paid Amazon $10 and get the features you want. I feel like it may be was a little bit more marketing-friendly to a degree.
Ron: I agree with that. The GDPR was just so consumer-focused and not sharing data that it really... We keep using that word onerous, it's just really, really hard to do. Did I meet those regulations or not? With the CCPA, I think they take to the point where if I'm establishing a relationship with a brand and I'm sharing my information, I'm showing that trust, I have it because I'm sharing it. They're really making that point is, is if that brand takes that data and then sells it to third parties or many third parties, how do you trust those people that you have no relationship with?
Reid: Right. People have been experiencing that for a while, I mean you give information, all of a sudden you're getting 15 different phone calls from 15 different brands about certain things which has created whole industries in a lot of ways, the lead sales and stuff like that. Now to get ahead of this, is where does this go? GDPR, CCPA and everything else that we're going to see well into this future, when you start to get that feeling go, that's a really bad experience. You know that there's probably some legislation coming to change all of that and that's what was really happening. In marketing or marketers are doing bad things, and bad things in the sense it's good for the market or bad for the consumer, you have to expect that someone's going to have to jump in and solve for this. I feel like that that's when this came in was CCPA is getting out ahead of it a bit since GDPR already came out in Europe. California's handling it the way they're going to handle it, and putting a little bit more power and control in the consumers' hands as long as everyone understands what's supposed to be happening so that we feel better about these relationships. Better between the brand, better between the consumer, because in the end of the day, you want these great features that enable and empower, and you have to give up a certain amount of information for that to get that. Some people may not want that and that's fine too, but as long as we all know. Fair?
Ron: Fair.
Dennis: Agreed.
Reid: Well good. Dennis, anything else you want to add from a marketer or consumer standpoint that we need to be thinking about? I think what we're all seeing right now is obviously the privacy little banner slipping up there, but there are so much coming up from the bottom or wherever it may be on a website. There are so much more that's going on behind it. How do you think this unfolds in the next, we're talking about now, nine to 15 months or so?
Dennis: Yes, possibly. Things that could come up. I mean Ron mentioned user experience, and depending on how you collect data, what data you collect could definitely influence the interactions, the product, service offerings that marketers then need to be aware of and manage now so that they can get in front of it. You also wanted to understand, what can marketers do to get in front of this stuff. Marketers are in control of... not total control but they do understand the customer services, products offerings and if data and what data they collect is going to affect those, now's the time to start thinking about that.
Reid: Yes. Its relationships within the company, relationships with the consumer, relationships marketers between their CFO in the investment, [inaudible 00:17:25] with the people who can make this stuff happen with legal, make sure this is worded right and making sure it's not about just compliance but really enabling and empowering is I think the summary of all of this.
Ron: It's an opportunity.
Reid: It is.
Ron: This is the new foundation for modern marketing that permission-based and trust with my data, data protect protection.
Reid: Yes, and therefore there needs to be a reason why you take that information and so you're making somebody's experience better as a result. Cool. Thanks for joining us guys. Dennis, Ron, I really appreciate you guys coming on the show and looking forward to the next time when we have more legislation to talk about. No, no one looks forward to that one, but we do look forward to helping our marketers figure this stuff out. Thanks a lot guys.
Ron: Thanks Reid.
Dennis: Thank you.
Reid: Be sure to check out show notes from this episode at reddoor.biz, and be on the lookout for more CCPA content from the Red Door team. As always, subscribe to the Marketing Remix and leave us a review on Apple Podcasts. See you next time.