Anyone doing business in the United States should be aware of the California Consumer Protection Act (CCPA) that was passed last year.
It’s a California law that grants residents of California significant privacy rights in relation to data identifiable and relatable to them as an individual and its implications can extend to any company that does some form of business in the state.
We’re in what lawyers refer to as the most frustrating time in the life of legislation. It’s when a law has been passed but we don’t have to follow it yet, and the law is highly likely to change before it is put into action. It’s very confusing for most lawyers and most businesses because you’re trying to make decisions for the future in the present, and you don’t want to have to revisit every decision you make every 3-6 months, especially when the policy changes can have a significant impact on your business operations. You have to look at your vendors, you have to look at your internal collection and storage practices and policies, and you have to look at what you’re doing from a targeting and measurement standpoint.
The CCPA goes into effect in January of 2020, so you’ve got roughly seven more months before somebody rings a bell and says “we’ve got to do something different” and you’re acting surprised and asking “what?!”.
So we’re clear: it deals with transactions any portion of which takes place in California. And this is where it gets a little trickier. If a company is using a server in California, that would be interpreted as a portion of the transaction taking place at least partially in California.
If you want to try and avoid this legislation, or limit its implications as much as possible, you have to work through your entire company’s transaction process (including vendors, AWS instances, and even your payment processors’ AWS instances) and make sure everything takes place outside of California. Whether it be your campaign targeting, credit card transactions or the data that’s hosted: all of that has to stay outside of California. Otherwise California, at least the way the legislation is currently drafted, thinks that it gets to put its little hooks into you.
From a timeline perspective, the CCPA comes right on the heels, from a legislative standpoint, of the GDPR, the General Data Protection Regulation, which regulates and provides data protection and privacy rights for all individual citizens of the European Union and the European Economic Area.
We’re going to talk a little about how California’s changes work in relation to the GDPR. For those of us that have been involved in the GDPR world for many years now, the GDPR is like the barometer: the first sweeping legislation that changed the notion of how we view private data and who owns it.
I’ll talk a little more about that mind-shift as it relates to the government’s and consumers’ approach as to who owns data, but at a minimum the GDPR is already in effect. We’re already dealing with that, as you are dealing with it, depending on your company. For instance with Shareablee, we went through a lot of procedures and policies and we put in a lot of processes that deal with data removal, segregation, aggregation and then anonymization of data.
With the CCPA, we’re in this flux of what we have to do moving forward, and the CCPA is not done, short answer. There are amendments coming down, which I think most of you will be very happy about, but they are still not official law. At a minimum, as a person that is passionate about this area of law, the amendments proposed and to be passed are something that will make your jobs not as painful as maybe they could be.
It’s very similar between the GDPR and the CCPA, but they use different terms. So in the CCPA, they reference them as a business, a service provider or a third party, and those are all in their relationship to the transaction. With the GDPR, they don’t really care about your relationship to the transaction; they care about what’s called a controller and processors. A controller is basically the person responsible for the data and a processor is somebody that’s acting on a controller’s behalf. There’s a lot more nuance to it than that, but for all intents and purposes that will already get you into a very relevant discussion with whomever you’re talking to, including your privacy counsel, if you have one.
Again, similar concepts, different names. In California we’re talking about what’s called personal information. In the GDPR we are talking about what’s called personal data. They sound very similar and they are for the most part similar; they just address it very differently. So with the GDPR and the CCPA, you have four words, and these are words that are an attempt to extrapolate or take certain types of data out of the regulatory framework: that would be anonymized, de-identified, pseudonymous and aggregated data. We’ll talk more about these as they relate to the CCPA in a minute, but the most important thing there is that they deal with those types of data very differently than what we talk about when it’s related to a piece of data that I can identify you with.
Historically, for those of you that existed in the Privacy Shield world, which still exists but exists in a very different framework now, we had what was called P.I.I., Personally Identifiable Information, and that was a very narrowly defined topic. That was your name, your address, your social security number, something like that. The new terms have broadened that: your username on Facebook, right, Joe-whatever1437, is now something that can be related or traced back to an individual. So what is considered personally identifiable or personal data has broadened drastically.
We have very similar notions for what we need to disclose, what we need to inform the consumers about. There are some nuances with respect to the CCPA that are a lot different from the GDPR as far as their specificity, but it’s not to the point where, unless you’re responsible for this, you need to get into a big discussion. You just need to know that there needs to be disclosure, and hopefully those that are responsible for it are going to be thorough enough and put the appropriate disclosures in place.
The right to be forgotten was something that was introduced in the GDPR, and that was basically a right that said a consumer can come up to any company in the world, ask you what data you have on them and then tell you to delete all of it. Now that is for some companies impossible. Right? I’m sure Google stares at that every day and says I don’t know how I would do that even if I wanted to. What do they have, a hundred different services in all disparate databases? It’s literally impossible for them to link all of those across all their services and tell you we deleted everything, but that is what the law requires.
I have a different view on why the GDPR was passed and what the purpose of it is, and if you ever want to have a long conversation about why I get annoyed we can do that some time. Long story short, the right to be forgotten is also in the CCPA. They have put in a requirement that if they say “don’t target me and forget who I am”, you’ve got to just click the flat delete button, and the CCPA adds a little bit of different context to it: they say not only that, you can’t target them for another 12 months.
This next item is really important. This is the equal services and prices. The CCPA, as it stands today, says you cannot offer a different price to somebody that is a member of or subscribed to a loyalty program versus someone that has opted out of said loyalty program. Now for those of you that do loyalty or rewards programs or any type of membership or registration requirement to get coupons or whatever it may be, that should ring your bell and say maybe we have to think about this and how we approach things, depending on what your lead time is for campaigns. If your campaign lead time is less than 6 months, you’re going to have some time and hopefully you won’t have to deal with this. But the way the legislation reads right now, and this is why lawyers love this time frame, is this is how it’s written even though that’s not how we think it’s going to be written in the end.
Really big topics and trends that are consistent, whether it’s the GDPR or the CCPA: data is being shifted to being owned by the individual, not by the collector, the company, whoever it is. You attending INTERACT, I don’t know that you would necessarily think “oh, nobody is allowed to know that I was here and they have to remove it if I want them to”. But that is where legislation is going. Your attendance at a location is now all of a sudden your private data. Whether you have something you can actually do about it, as opposed to whether the government can do something about it, those are two different points, but at a minimum this is where the mindset and the theme are and how legislation is pushing.
The other thing is, this is the beginning and not the end. This is something you have to be very aware of. There are 15 states that currently have legislation being proposed similar to the CCPA, New York being one of them, and they all have their own minutiae and nuances, just to make your lives easier. There’s a big consensus, in the business legal community at a minimum, that compliance should not be the marketer’s number one budget spend, and so they’re hoping to try to push through federal legislation. Whether that’s good or bad is your own prerogative, but they’re hoping to get through some type of one law to rule them all, much like the Lord of the Rings.
You’ve got to be aware that what you could do yesterday will not be the same as what you can do as of January 1st 2020. I’m sure that you’re aware of that already, but your landscape is changing and it’s changing quickly, and it will only change more quickly as legislation continues to be passed. You’ve got to be aware of what data you’re getting from your vendors. Be aware of whether it’s aggregated versus anonymous, whether there’s actually contactable information or whether they are just providing you tools to get a better sense of a group.
Right now, employees are not excluded from the CCPA. So technically speaking, you as an employee, if you’re in California, could go to your California employer and say delete all of my information, and they couldn’t penalize you for it. It makes running a business a little bit difficult. Certain groups are hoping to pass an amendment to carve out customer loyalty programs so that a company is not penalized for providing price differentials for somebody who is participating in your program versus what is offered to consumers at large. One of the most important issues that we are talking about here relates to the definitions of personally identifiable information and de-identified information. The CCPA lumped in a lot of public information and several amendments are trying to pull that out.
The bottom line is, if your companies are not involved in this process, they need to be, because you have six months to change your future. The way the CCPA is drafted right now will be very painful for most people and most companies in this room. If you get 50 different laws in 50 different states, you will just pay me a lot of money, which, you know, I’m not opposed to, but you will be stuck in compliance forever.
You don’t want to be stuck in compliance; you want to tell stories, you want to engage people, you want to change the way people think, act and breathe. If you want to be able to do that without talking to me every single day, you need to talk to your company to see what they’re doing to influence that process.
To catch Jeff’s full INTERACT Summit presentation, check out our YouTube page.