With the challenges facing GDPR enforcement in Europe, what is California learning from the CCPA?

On January 1st, 2020, the California Consumer Privacy Act (CCPA) went into effect. The law grants California residents the right to be informed about how companies are using their data and protects consumers from having their data collected and sold without their knowledge. It’s considered the most comprehensive privacy law in the United States to date.

As both a consumer and a marketer, I believe we have a responsibility to make sure that we as individuals are protected while our brands can still market to consumers effectively, in a balanced and appropriate way, so that everyone wins. But there is still a great deal of speculation about the impact the CCPA will have on businesses, consumers, and the state, because many businesses and their service providers are waiting for final guidance from California Attorney General Xavier Becerra. Even though the law took effect on January 1st of this year, businesses have been granted a six-month transition period, until July 1, 2020, to establish compliance. Furthermore, Becerra released an update to his proposed CCPA Regulations, giving companies until 5pm PT on February 24th to submit comments on the updated draft.

Currently, businesses must comply with the CCPA by July 1, 2020. Any business that makes more than $25,000,000 in annual gross revenue, or that buys, sells, or shares the personal information of 50,000 or more consumers, could face fines of $2,500 to $7,500 per violation if the violation is determined to be intentional. The California Department of Finance estimates that 500,000 businesses would need to comply and that it may cost tech companies as much as $55 billion.

To better understand the opportunities and challenges presented by the CCPA, let’s look to Europe, where the General Data Protection Regulation (GDPR) has been in effect since May 2018. The CCPA was inspired by the GDPR, and comparing the two can provide valuable insight into how California can overcome and avoid some of the issues Europe has faced.

The Past, Present and Future of the GDPR

The GDPR stated that a company could only use an individual’s data if given explicit permission. This necessitated major changes for just about every company with customers in the EU, and particularly those that handled large amounts of consumer data. The maximum fine for violating GDPR standards was set at €20 million ($22.6 million) or 4% of global revenue, whichever is greater.

At first, regulators were slow to impose penalties, giving rise to concerns that the GDPR was “without teeth.” In 2019, however, enforcement picked up. Twenty-one countries in the EU have levied fines, according to Enforcement Tracker, and Facebook, Equifax, Uber, Google, British Airways and Marriott have all received penalties for “negligent and intentional misuses of consumer data.” In January 2019, Google was fined €50 million ($57 million) by data regulators in France, and in May 2019, Ireland’s Data Protection Commission announced it was also launching an inquiry into Google. British Airways is facing a fine of £183 million ($237 million)—the largest to date—for a data breach disclosed by the company in September 2018.

While fines have been relatively rare thus far, they are still top of mind for companies struggling to become GDPR-compliant. A Ponemon Institute and McDermott Will & Emery survey of more than 1,200 international organizations revealed that 80% of organizations said GDPR implementation was more difficult than other data privacy and security requirements. More recently, numerous surveys have suggested that up to one-third of European businesses are still not compliant and that many businesses are not making compliance a priority. “We now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR, with a significant percentage of decision-makers indicating that focus has waned in the past 12 months,” said Tony Pepper, CEO of Egress, a software supplier that polled businesses about GDPR compliance.

Compliance takes time, as it requires businesses to invest in new technologies and hire new people. The regulation has led to increased adoption of consent management platforms (CMPs) and encouraged publishers to hire data protection officers to ensure compliance. In addition, the GDPR has forced businesses to change how they have done things in the past and adapt certain behaviors. In the advertising industry, for instance, programmatic advertisers have shifted their spending from open exchanges to private marketplaces, and advertisers are relying less on third-party data for ad targeting. More than 1,000 U.S. publishers have blocked European users and cut off EU ad exchanges. Meanwhile, marketing tech vendors have pulled out of Europe out of concern over being fined.

Broadly speaking, there are those who argue that the GDPR is “hurting businesses, consumers and innovation” by holding European businesses back. The Financial Times stated that the GDPR rollout coincided with a 33% drop in venture funding for EU tech companies. New academic research from Boston University marketing professor Garrett Johnson and Scott K. Shriver of the University of Colorado Boulder found that privacy regulation, like the GDPR, can decrease competition in the short term, enabling large platforms like Facebook and Google to increase their market share.

Conversely, there are signs that the GDPR is having a positive impact, both for consumers and for organizations that have made compliance a priority. Check Point surveyed CTOs, CIOs, and IT and security managers from organizations in the UK, France, Germany, Italy and Spain and found that the GDPR is delivering a strong positive effect overall for European businesses: 74 percent of organizations said that the GDPR has had a beneficial impact on consumer trust, and 73 percent said it has boosted their data security. Moreover, Capgemini research found that GDPR-compliant organizations have outperformed non-compliant companies by an average of 20%. GDPR-compliant organizations report better consumer ratings, improved customer satisfaction, greater trust, improved lead quality, better employee morale, and a better overall brand image. Those are promising signs.

A Look Ahead at the CCPA

The CCPA is not as comprehensive or strict as the GDPR, but that doesn’t mean its impact won’t be significant. Businesses of all sizes and across industries use consumer data in their marketing and advertising and to make data-driven decisions in areas like product development. Businesses that fall under the CCPA—legal, for-profit entities that operate in California and collect consumers’ personal information—will be subject to legal action and fines, not to mention reputational damage, if they do not comply.

In March 2018, shortly before the GDPR went into effect, Facebook launched a suite of tools that made it easier for users to change privacy settings, access information, and delete data. This change wasn’t limited to consumers in Europe, and it was part of a broader response by Facebook to concerns about how it was using personal data, as spotlighted by the Cambridge Analytica scandal. International companies like Facebook and Google, which have already made changes due to the GDPR, have a head start over smaller companies grappling with new privacy regulations for the first time. Smaller companies may have a tougher time becoming compliant, and in a letter written to California representatives, over 40 privacy experts expressed concern that compliance costs would force small businesses to exit the market.

While businesses may be concerned about the impact the CCPA will have on their bottom line, it’s important that they start preparing, if they haven’t already. As evidenced in Europe, compliance doesn’t happen overnight, and it looks like the regulatory landscape in the U.S. will only get stricter. Every day there are more news stories about tech giants abusing people’s data, and public support for stricter regulation is increasing. That support is translating into political action as more states—Washington, New Jersey and Colorado, to name a few—consider their own data regulations. In fact, tech executives, including Mark Zuckerberg, have advocated for a national policy, because one legal standard would be easier and less expensive to comply with.

The CCPA is only the tip of the iceberg. Yes, the GDPR has created challenges in Europe and there has been a steep learning curve, but the CCPA is an opportunity for businesses to learn from that example and work towards compliance, rather than resisting it. There are still definitions and questions around limits and enforcement that need to be ironed out, but companies should start addressing how the CCPA will apply to their business now. As for the direct impact of the CCPA, only time will tell.

We all want privacy change, and it is our ethical duty as marketers to make sure the consumer is protected while still allowing ethical brands to reach consumers in an appropriate manner. For example, I get multiple spam calls and emails from unethical and non-legitimate companies even though I have opted into the Do Not Call lists and their email equivalents. So it will be a balance: filtering out those who contact consumers inappropriately, while making sure legitimate brands can still deliver the appropriate, individualized content that their consumers have opted in to and are asking for.

What Is Privacy Forward and Why Does it Matter for Marketers?

By John Francis, DBA

Original Publication: Marketo

Date of Publication: November 12, 2018

When I worked as a webmaster at AOL in the early days, every employee had visibility into every member’s account. Then, in 1999, a naval officer was outed by one of the employees after he logged into an alternate profile with a different screen name. AOL’s course of action was to immediately shut down access to all members’ data and hire an integrity assurance officer. It was a moment of reckoning for online privacy.

I’ve been thinking about that anecdote a lot recently following the revelations about how Cambridge Analytica accessed and deployed Facebook data to impact the U.S. election. There’s been a lot of discussion about how much Mark Zuckerberg knew and whether Facebook should have done more to prevent or stop the data theft. Those are absolutely questions worth considering, but the issue of data theft is nothing new. Tech companies have always created platforms with a certain degree of naivete about the possibility that user data could be exposed or exploited.

As a marketer, it’s important to understand privacy, because it is part of the customer experience. In this blog, I’ll explain what a walled garden is and why it’s a myth, how to engage with customers, and what a privacy forward strategy looks like for marketing teams and their customers.

The Myth of the Walled Garden

At a recent Videonomics symposium, I heard representatives from many tech companies discuss how advertisers couldn’t get into their “walled gardens.” A walled garden is a closed ecosystem whose operations are controlled by a single ecosystem operator. The term is used frequently, but based on decades of experience with dot-coms and digital advertising, I consider it a myth.

The fact is that it’s very simple for someone to take first- and third-party data, link it up, and retarget consumers with ads. That information, combined with a user’s history, can be used to build a persona around them. Even though Facebook shut down the ability to take data from third-party data brokers, companies can still place cookies on other websites that collect users’ activity. They may not know who the person is, but if they have an IP address and can link the two together with Facebook, they get a full 360-degree view. The data that is already out there, whether it has been released or stolen, can then be correlated and shared.

Moreover, data breaches appear to be accelerating in severity and scale. Breaches at Yahoo, Sony PlayStation, and Alteryx, for example, compromised the data of hundreds of millions of people. All that information is available to anyone. We live in an age of “data promiscuity.” Walled gardens and online privacy are nice to think about, but privacy could soon become a relic of the past, which is why a new crop of data privacy regulations and guidelines is emerging to create a privacy-forward landscape.

Data Targeting

Questions around data privacy have particular relevance for marketers and advertisers, who rely on data to improve their targeting capabilities. First, robust data allows them to put their ads in front of people and create brand awareness, which helps sell products. Second, marketers can use data to put targeted messages in front of people who actually want the product, instead of people who don’t.

However, participants in the advertising ecosystem need data integrity assurance built into their online platforms, actively working to protect private information. Our industry is making progress towards increasing the capacity to distribute information freely, and the platforms it creates to spread this information are very user-friendly. I’m not a programmer by profession, but readily available analytics tools can easily be configured to exploit private data that is conspicuously exposed. Cambridge Analytica’s brazen use of a Facebook application to gather insights on millions of users is a prime example of this dynamic at work.

Engaging with Relevant Content

Facebook uses a process called content-based targeting, whereby related content and ads are delivered to members based on their likes, shares, and follows. Facebook collects much more data about members’ engagement than it shares with advertisers.

Targeting the right audience doesn’t (and shouldn’t) require theft and privacy violations. Data privacy and marketing do not have to be mutually exclusive. Marketers care that an action was taken, not who took it. All that matters is what the consumer did and why.

Digital analytics and web traffic tools like Google Analytics and Matomo place pixels on a website. The pixel records a timestamp when an action is taken. Say a commercial aired on Lifetime for a Gerber product. If somebody sees the call to action and types in the URL on their computer or mobile device, then we know what ad they saw, where they were located, and the time and device they used. We also know that the commercial cost a certain amount of money on a cost-per-click or cost-per-action basis, which is useful for reviewing a marketing budget and figuring out where media spend is most effective.

A Privacy Forward Approach

In June 2018, California passed the California Consumer Privacy Act (CCPA) of 2018. The law grants consumers the right to request the data that businesses collect on them and to ask companies not to sell their data. It imposes strict rules about how businesses disclose the data they collect from consumers, and it empowers the state Attorney General to fine companies for noncompliance. Needless to say, it was opposed by major media, telecom and tech companies, including Amazon, Google, Microsoft, Comcast, AT&T, and Verizon. Facebook initially opposed it but eased off after the Cambridge Analytica scandal broke.

The CCPA was inspired by what is happening in Europe with the General Data Protection Regulation (GDPR), which imposed new rules on controlling and processing personally identifiable information, or PII. There was skepticism that the privacy forward principles of the GDPR would catch on in the U.S., but they have, starting with California, which is setting a standard other states will soon follow. Dot-coms are following suit as well, as evidenced by the pop-ups about policy changes on what feels like every ecommerce and news site.

These initiatives have brought the term “privacy forward” into the modern lexicon. A privacy forward approach is best described as a set of guidelines for identifying data that should be treated as classified. Classified information includes IP addresses, contact information, and genetic and biometric data. The approach also encourages organizations that collect personal data to conduct data mapping and maintain a 360-degree view of what they hold. Customer information is not a commodity, but rather a personal bond of trust between an organization and its customers. This also extends to what is shared with outside vendors and third-party data analytics tools and their associated platforms. Transparency is paramount.

In 2001, with the merger of Time Warner and AOL, the FCC ordered AIM, which had over 90% of the market (and thus of user data), to become interoperable with other chat platforms. Today, Facebook is participating in the Data Transfer Project, a collaboration of organizations, including Google, Microsoft, and Twitter, committed to building a common way for people to transfer data into and out of online services. It’s a big and exciting step towards making privacy forward the norm.