With the challenges facing GDPR enforcement in Europe, what is California learning from the CCPA?

On January 1st, 2020, the California Consumer Privacy Act (CCPA) went into effect. The law grants California residents the right to be informed about how companies are using their data and protects consumers from having their data collected and sold without their knowledge. It’s considered the most comprehensive privacy law in the United States to date.

Personally, as both a consumer and a marketer, we have the responsibility to make sure that we as individuals are protected and that our brands can still market effectively to consumers, but in a balanced and appropriate way so it’s a win-win for everyone. But there’s still a ton of speculation about the impact the CCPA will have on businesses, consumers, and the state, because many businesses and their service providers are waiting for final guidance from California Attorney General Xavier Becerra. Even though the law took effect on January 1st of this year, businesses have been granted a six-month transition period, until July 1, 2020, to establish compliance. Furthermore, Becerra released an update to his proposed CCPA Regulations, giving companies until 5pm PT on February 24th to submit comments on the updated draft.

Currently, businesses must comply with the CCPA by July 1, 2020. Any business making more than $25,000,000 in annual gross revenue, or that buys, sells or shares the personal information of 50,000 or more consumers, could face fines of $2,500 to $7,500 per violation if the violation is determined to be intentional. The California Department of Finance estimates that 500,000 businesses would need to comply and that compliance may cost tech companies as much as $55 billion.

To better understand the opportunities and the challenges presented by the CCPA, let’s look to Europe, where the General Data Protection Regulation (GDPR) has been in effect since May 2018. The CCPA was inspired by the GDPR, and comparing the two can provide valuable insight into how California can overcome, or avoid altogether, some of the issues Europe has faced.

The Past, Present and Future of the GDPR

The GDPR stated that a company could only use an individual’s data if given explicit permission. This necessitated major changes for just about every company with customers in the EU, and particularly for those that handled large amounts of consumer data. The fines for violating GDPR standards were set at €20 million ($22.6 million) or 4% of global revenues, whichever is greater.

At first, regulators were slow to impose penalties, giving rise to concerns that the GDPR was “without teeth.” In 2019, however, enforcement picked up. According to Enforcement Tracker, 21 EU countries have levied fines, and Facebook, Equifax, Uber, Google, British Airways and Marriott have all received penalties for “negligent and intentional misuses of consumer data.” In January 2019, Google was fined €50 million ($57 million) by data regulators in France, and in May 2019, Ireland’s Data Protection Commission announced it was also launching an inquiry into Google. British Airways is facing a fine of £183 million ($237 million)—the largest to date—for a data breach the company disclosed in September 2018.

While fines have been relatively rare thus far, they are still top of mind for companies struggling to become GDPR-compliant. A Ponemon Institute and McDermott Will & Emery survey of more than 1,200 international organizations revealed that 80% of organizations found GDPR implementation more difficult than other data privacy and security requirements. More recently, numerous surveys have suggested that up to one-third of European businesses are still not compliant and that many businesses are not making compliance a priority. “We now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR, with a significant percentage of decision-makers indicating that focus has waned in the past 12 months,” said Tony Pepper, CEO of Egress, a software supplier that polled businesses about GDPR compliance.

Compliance takes time, as it requires businesses to invest in new technologies and hire new people. The regulation has led to increased adoption of consent management platforms (CMPs) and encouraged publishers to hire data protection officers to ensure compliance. In addition, the GDPR has forced businesses to change how they’ve done things in the past and to adapt certain behaviors. In the advertising industry, for instance, programmatic advertisers have shifted their spending from open exchanges to private marketplaces, and advertisers are relying less on third-party data for ad targeting. More than 1,000 U.S. publishers have blocked European users and cut off EU ad exchanges. Meanwhile, marketing tech vendors have pulled out of Europe out of concern over being fined.

Broadly speaking, there are those who argue that the GDPR is “hurting businesses, consumers and innovation” by holding European businesses back. The Financial Times stated that the GDPR rollout coincided with a 33% drop in venture funding for EU tech companies. New academic research from Boston University marketing professor Garrett Johnson and Scott K. Shriver of the University of Colorado Boulder found that privacy regulation, like the GDPR, can decrease competition in the short term, enabling large platforms like Facebook and Google to increase their market share.

Conversely, there are signs that the GDPR is having a positive impact, both for consumers and for organizations that have made compliance a priority. Check Point surveyed CTOs, CIOs, and IT and security managers from organizations in the UK, France, Germany, Italy and Spain and found that the GDPR is delivering a strong positive effect overall for European businesses. 74 percent of organizations said that the GDPR has had a beneficial impact on consumer trust, and 73 percent said it has boosted their data security. Moreover, Capgemini research found that GDPR-compliant organizations have outperformed non-compliant companies by an average of 20%. GDPR-compliant organizations report better consumer ratings, improved customer satisfaction, greater trust, improved lead quality, better employee morale, and a better overall brand image. Those are promising signs.

A Look Ahead at the CCPA

The CCPA is not as comprehensive or strict as the GDPR, but that doesn’t mean its impact won’t be significant. Businesses of all sizes and across industries use consumer data in their marketing and advertising and to make data-driven decisions in areas like product development. Businesses that fall within the CCPA’s scope—legal, for-profit entities that operate in California and collect consumers’ personal information—will be subject to legal action and fines, not to mention reputational damage, if they do not comply.

In March 2018, shortly before the GDPR went into effect, Facebook launched a suite of tools that made it easier for users to change privacy settings, access information, and delete data. This change wasn’t limited to consumers in Europe, and it was part of a broader response by Facebook to concerns about how it was using personal data, as spotlighted by the Cambridge Analytica scandal. International companies like Facebook and Google, which have already made changes because of the GDPR, have a head start over smaller companies grappling with new privacy regulations for the first time. Smaller companies may have a tougher time becoming compliant, and in a letter written to California representatives, over 40 privacy experts expressed concern that compliance costs would force small businesses to exit the market.

While businesses may be concerned about the impact the CCPA will have on their bottom line, it’s important that they start preparing, if they haven’t already. As evidenced in Europe, compliance doesn’t happen overnight, and it looks like the regulatory landscape in the U.S. will only get stricter. Every day there are more news stories about tech giants abusing people’s data, and public support for stricter regulation is increasing. That support is translating into political action as more states—Washington, New Jersey and Colorado, to name a few—consider their own data regulations. In fact, tech executives, including Mark Zuckerberg, have advocated for a national policy, because a single legal standard would be easier and less expensive to comply with.

The CCPA is only the tip of the iceberg. Yes, the GDPR has created challenges in Europe, and there has been a steep learning curve, but the CCPA is an opportunity for businesses to learn from that example and work towards compliance rather than resist it. There are still definitions and questions around limits and enforcement that need to be ironed out, but companies should start addressing how the CCPA will apply to their business now. As for the direct impact of the CCPA, only time will tell.

We all want privacy change, and it is our ethical duty as marketers to make sure the consumer is protected while balancing the ethical brands who are trying to reach the consumers in an appropriate manner. For example, I get multiple spam calls and emails from unethical and non-legitimate companies or brands even though I have opted into the Do Not Call Lists and emails. So, it will be a balance of filtering out those who are truly contacting consumers in an inappropriate manner and making sure the brands are protected, with appropriate and individualized content that their consumers have opted in to and are asking for.