For over two years during the run-up to the effective date of the EU General Data Protection Regulation (“GDPR”), marketers were inundated with “what you need to know” pieces, or “top impacts to your business” articles about the new rules. It’s déjà vu with the California Consumer Privacy Act (“CCPA”), which is slated to become effective on January 1, 2020. Scores of marketing tech vendors from the top to the bottom of the funnel will “cover” CCPA with the same unhelpful, super-high-level articles and compliance tips like “make sure you know the different types of customer data you have.”
I prefer not to provide canned “advice” or “top 5 gotchas” of the CCPA. Instead, I’ll simply note what I consider the really big things to care about if you’re a digital marketer in data privacy-sensitive 2019.
- Your privacy lawyer has to be in the room. The sensitivity hovering over personal information is heightened thanks to Cambridge Analytica, huge data breaches and the GDPR. Organizations with any scale have a person (lawyer or not) dedicated to data privacy. That person needs to be in the room early and often – they are a marketing business partner now. It’s not that they need to sign-off on every single tactic. But collaboration is a must. This extends to the marketer’s key vendors and their respective privacy team. If a vendor can’t or won’t put their privacy person on the phone to discuss key topics, they are flat out failing their customers.
- CCPA isn’t final (not even close). Articles about CCPA are either patently inaccurate or disingenuous if they don’t mention two things: (a) the CCPA will change, and rulemaking will clarify the law and how it will be interpreted. Industry groups and concerned brands are spending lobbying dollars to impact the CCPA and its enforcement. We do not know the CCPA’s final form, and that matters a lot; and (b) there is momentum for a US Federal data privacy law which preempts the CCPA. Draft laws have already circulated in the House and Senate. Some preempt CCPA, others do not. Some empower the FTC to enforce data privacy rules, some do not empower the FTC much. And, there are state data breach laws which need to be preempted by any federal law that passes in order to avoid a patchwork of laws to contend with. There are a lot of moving parts here. Any “compliance recommendations” from vendors are premature and do not consider the reality on the ground.
- Prepare for the Boulders, not the Pebbles. The CCPA contains big rocks – fundamental consumer-focused rights that aren’t moving or changing. These are GDPR-like requirements: a consumer can ask for access to personal information, deletion, and correction, and a brand will need to carefully consider its privacy policies. Instead of worrying about how to “buy” compliance from a vendor, focus on these big-ticket items and engage trusted partners, internal privacy teams and outside counsel to guide marketing decisions. If a vendor does not proactively steer you in this direction, or doesn’t have a privacy team ready to help work through these challenges as they relate to your business, they aren’t prepared, and they aren’t optimally operating on behalf of customers.
It’s time to level up the CCPA conversation. The CCPA is one set of potential compliance tasks. Looking deeply at the bigger picture with your tech partners is the true “compliance” win.