The California Consumer Privacy Act (CCPA), enacted in 2018, came into effect from 1 January 2020. It is hailed as one of the strongest data privacy laws in the country, and other states are most likely to follow the path. Together with GDPR, CCPA has disrupted the data economy in the US and EU, with an irreversible impact (mostly positive) on the data operations of IT, Marketing, Sales and Customer Success departments.
However, GDPR compliance doesn’t mean your CCPA preparedness is unshakeable. You may still need to do it.
To further narrow down our understanding of CCPA, I sat down with the leaders in Marketing Technologies. These spokespeople helped us fathom how deeply CCPA impacts their business, their relationship with the customers, and the future of data governance in the US and other economic regions of the world.
The CCPA Insights Series include speakers from Tealium, Sovrn, Localytics, BigID, SAP and so on.
This is our Part 1.
CCPA Is the First Major Piece of the Data Privacy Legislation in the U.S.
Chris Slovak, VP at Tealium
“Even though the New York Privacy Act failed this time, federal legislative proposals will continue to put greater fiduciary responsibility on how companies collect and manage consumer data. Most companies today aren’t equipped with the right people, technology, or processes needed to ensure that they’re acting in the best interests of consumers, and that’s because most companies don’t have full visibility over where data comes from and what happens to it after they’ve got it.
While the NYPA ran into roadblocks this time, its creation signals a continued focus by consumers and regulators alike on the transformation of data privacy towards protecting the consumers’ interests first and foremost.”
The New York Privacy Act’s (NYPA) failure to pass the New York Legislature took many by surprise. Had it passed the bill would have introduced a regulatory framework that mirrored or potentially even surpassed that of the California Consumer Privacy Act (CCPA), the first major piece of the data privacy legislation in the U.S.
Compliance Could Quickly Become a Tangled Web for Enterprises to Navigate Here in the States
Jude McColgan, CEO – Localytics
We can absolutely expect to see other US states follow in California’s lead when it comes to data privacy legislation. Technology certainly is a big business driver, but the act of building in security practices from the outset of tech adoption is still a challenge many organizations face.
Security, for many, is still an afterthought – instead of an enabler to ensure consumers’ private information is adequately protected. What becomes an even more interesting question is how this is legislation is enforced, and whether other US states mirror the language in the CCPA or create their own restrictions. Without a governing body standardizing this type of regulation on a national scale, compliance could quickly become a tangled web for enterprises to navigate here in the States.
The Payback Will Come in the Form of Lifetime Customer Value
Sergey Denisenko, CEO at MGID
“Never mind New Year resolutions, the California Consumer Privacy Act (CCPA) is bringing us a New Year law – one which will extend further control to consumers over their data and is expected to seal the fate of the third-party cookie once and for all.
Following on from the GDPR, the CCPA has tighter stipulations requiring consumers to be fully informed about how businesses are using their data, and empowering them to opt-out whenever they wish. As the industry adjusts to this latest regulation, others are on the horizon – from Nevada and Main, from Brazil and Thailand; the list is long and growing. Businesses hoping to sidestep regulation or find loopholes in the law will need to think again. In the new era of compliance, data privacy and security must be at the root of all strategic planning.
The rewards for those who take a proactive stance and embrace best practices – taking control of data flows across the complete supply chain, ensuring secure storage, being fully transparent about data use, and making use of available frameworks and tech solutions – will be abundant in terms of consumer loyalty. Use of third-party data will phase out – hence the demise of the cookie – and there will instead be a focus on targeting practices that don’t rely on personal data and the building and safeguarding of first-party data.
Reminding the customer that they’re in control, without impacting the user experience, will require creative thought – but again, the payback will come in the form of lifetime customer value.”
No Room for Complacency
Gabe Morazan, Director of Product, Digital Governance (CIPP/E), Crownpeak
“With the California Consumer Privacy Act (CCPA) coming into effect in just a few days, we haven’t yet seen the hype that preceded the implementation of the GDPR in Europe. Is this because it applies only to Californian residents and businesses; and only affects firms with an annual turnover exceeding $25 million or the processing of data for over 50,000 consumers?
Or, is it simply that businesses consider the changes they made to meet GDPR requirements will see them through this latest legislation?
Neither of these explanations leaves any room for complacency.
Firstly, data privacy is now a key requirement for consumers, and regulations protecting this are here to stay. We can expect to see new legislation from other states and regions come into play in the months ahead – and the remit will no doubt broaden, so eventually no business will be able to slip through the net.
If we continue with this state-by-state approach, no two legislations will be the same – each will have its own specific requirements.
Addressing the basic steps to compliance for one does not ensure overall compliance across the board.
Only by placing data privacy and security at the very heart of the business – and regularly reviewing strategies and processes to align with the latest regulation – can a firm offer consumers the trusted partnership they’re looking for.
Data privacy should provide real value for consumers. Lengthy clauses and site blockers should be replaced by human-centric designed consent processes to simplify the messaging. Preferences should be transferred automatically across platforms to avoid the need for repeated requests for consent and data subject access requests must be processed promptly and transparently. All these practices should be aligned with the consumer’s values and recall a clear on-brand message: we care about your data at every stage of the process. As you gain their confidence and trust, they will see the value of sharing their data for an optimal experience – and the loyal relationship will be born.”
Data Is the Spine of a Company. CCPA Strengthens It.
Gal Ziton, CTO and Co-Founder of Octopai
“Data is the spine of a company. It must be quickly accessible, understandable, searchable, and traceable in order to provide value.
Now millions of users, such as data analysts, data scientists, business users, and others, can finally understand how to properly use the data in their reporting systems, and companies can save significant money in the process.
Today, companies struggle, juggling hundreds of disparate sources of data, all with different metadata tags, movement processes, and formats. In order to utilize their data, Business Intelligence and Analytics teams must commit months of painstaking, tedious manual labor to set up business glossaries to make their data useable by all departments. As a result, businesses end up compromising on the quality of their business glossary or go without.”
Microsoft Office 365 and CCPA: AI is a Big Enabler, We Agree!
Mika Javanainen (M-Files) and Mike Ammerlaan (Microsoft Corp.)
Last year in July, leading intelligent information management company- M-Files Corporation, announced the general availability of significant enhancements to its Microsoft Office 365 solutions.
At that time, M-Files had stated its efforts in bridging the gap between PII and GDPR-CCPA standards. M-Files also employs Artificial Intelligence (AI) to automatically analyze documents to classify them, extract information insights and ensure proper handling of sensitive information, such as personally identifiable information (PII), as required by regulations such as GDPR and CCPA.
Modern AI-powered features, including auto-tagging and auto-classification, create deep insights into the meaning, value, and sensitivity of documents and other information, guiding users and automating processes to maintain governance and compliance.
Mika Javanainen, Vice President of Product Marketing at M-Files, said,
“We’re making Microsoft Office 365 the lens through which one can see and access essentially any information across the enterprise, in context. According to Gartner, the full value of Office 365 is often not realized until data is migrated, so we focused on addressing that by breaking down siloes to enable enterprises to maximize their investment in Office 365 on day one. This eliminates a major barrier to adoption while also helping identify what content needs to be migrated into Office 365 based on how and if it’s being used day-to-day.”
We Were Startled by the Lack of Specific Knowledge on Threat Types and Corporate Readiness in General
Ian Woolley, Chief Revenue Officer, Ensighten
“In our survey of U.S. companies and global enterprises, we set out to better understand exactly where these executives stand regarding real-time control and management of enterprise and customer data on their websites and other digital properties. After all, a company’s website is more than a branding vehicle, more than a marketing piece. It is a data-supported Sales and Marketing hub, a core business asset that needs to be protected. So, while our survey certainly showed a relatively high level of awareness—due to the uptick in breach-related headlines over recent years—we were startled by the lack of specific knowledge on threat types and corporate readiness in general.”
Brands Have a Responsibility to Educate Consumers About Data Usage
Tom Wentworth, SVP – Product Marketing, Acquia
California’s CCPA data privacy law and Maine’s Internet privacy protection bill, some of the most restrictive in the nation, are standing behind the consumers who want to understand and control their data — and other states are following. Brands trying to reach those consumers will need to act accordingly, and the stakes are high. Acquia’s research found that consumers are not willing to give brands a second chance to protect the integrity of their data. This means that businesses have only one chance to make sure their customers know that their personal information, and their privacy, is in safe hands.
“Brands have a responsibility to educate consumers about data usage, proving that they can trust the Internet again. Our research indicates the beginning of a new paradigm where businesses need to find personalized ways to engage consumers without going too far. Allowing consumers to opt-in or out of data sharing will become more common over time as brands recognize that giving consumers back control of their data is not only the right thing to do, but it will also benefit their business in the end.”