FieldTest

3 Ways CCPA Probably Affects You, and One Easy Way to Protect Yourself

When GDPR was rolled out, marketers were required to review and modify their privacy policies significantly to demonstrate compliance with the new regulations and ensure consumers were in control of their data. However, since then many companies haven’t updated those policies to stay in compliance with emerging regulations, leaving them open to potential legal liability. Last year’s rollout of the California Consumer Privacy Act (CCPA) added another regional layer of marketer regulation intended to protect consumers' data, adding a whole new hoop for online data collectors to jump through in order to remain compliant. Have you reviewed your policies recently?

Consumer data is powerful, and highly regulated

Data makes the internet tick. It is a powerful tool for everyone from digital advertisers to policymakers and is one of the key drivers of innovation and growth online. That said, data privacy is a growing concern these days, and with good reason. Over the past few years, several high-profile hacks and cases of data impropriety from major platforms have led to an increasing number of measures, both local and national, intended to protect consumers' data from improper use, unauthorized sale and hacking. This has led to new regulatory measures intended to protect consumers and publishers alike, such as the CCPA.

What exactly is CCPA?

The California Consumer Privacy Act (CCPA) is a new consumer data privacy initiative, passed into law in 2020, that aims to safeguard consumer privacy for Californians the same way the GDPR protects Europeans. The CCPA may seem like a pain for companies, but it's a huge leap forward for consumers who value their data privacy. After all, we are all consumers and should care about the privacy of our personal information.

So much of our interaction with businesses is now done online, and in doing so we share incredible amounts of personal data, often data we don't even realize we have. Up until now, the entities that use that data weren't held responsible for what they did with it. The CCPA aims to change that, giving California residents new rights in how their personal information is collected and used.

This effectively means that if you are using data owned by any California resident, you must give them the option to opt out of the use and sale of their data, and give them at least 2 ways to do so. This can be through an automated exemption, a phone number, a contact form, an opt-out email, or any number of alternatives, but your customers must have options in order for you to remain compliant. You must then make sure that these options are clearly and explicitly called out and presented to your customers.

Noncompliance may result in lawsuits or fines and, with more and more scrutiny being put on digital brands every day, enforcement will likely only get more stringent with time.

The CCPA applies to brands that meet one or more of the following criteria:

  • Has a gross annual revenue of $25 million

  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices

  • Derives 50 percent or more of their revenue from selling consumers' personal information. 

You may already be using this data

The qualifications outlined above may seem like a high bar to clear, but the second bullet should give you pause if you are using online platforms to publish digital ads. If you operate your business online there’s a good chance you meet this requirement.

Remember, this law does not only cover brands that operate their business out of California, but all brands that buy, sell or otherwise engage with data from consumers in California. With more than 1 in 10 Americans residing in California, there is a slim chance any advertiser could run a nationwide campaign without hitting thousands of Californians. A $100 national campaign on the FieldTest platform with a $2 CPM would be enough to hit the 50,000 California intenders mark. Now imagine what $5000 monthly cross-platform campaigns hit.

At FieldTest we have made data transparency a top priority, but this does not mean that we are exempt from these laws. In fact, if you are buying data for your prospecting campaigns, or using tools such as our Lookalike audience predictor in your ad campaigns, then you are currently using the very same consumer data covered in these new laws and will need to ensure compliance to protect your brand from fines and other, more serious implications of non-compliance.

Compliance protects your customers

Initiatives like the CCPA are not without merit. There is a genuine organic consumer desire for control of their data and transparency with how it is used, and acts such as this are a natural result. By complying with these measures you will not only put yourself right with the law and protect yourself from legal recourse and fines, you tell your customers that their concerns are valid and worth your consideration.

As data transparency becomes more and more important in the eyes of consumers, taking the measures to comply with the law and protect your customers will be an ever more important step in achieving consumer confidence and brand loyalty.

So what exactly must a brand do to become CCPA compliant? According to California's Office of the Attorney General, to remain CCPA-compliant, all businesses that meet the qualifications must:

  • Provide notice to consumers at or before they collect personal data

  • Allow consumers to opt out, read, and delete their personal data from the business's storage. Companies must provide a "Do Not Sell My Personal Information" link for opt-out requests

  • Show consumers privacy settings that signal their choice to opt out

  • Verify the identity of consumers who ask to read and delete their information, even if they have a password-protected account with the business

  • Disclose financial incentives for retaining or selling the consumer's personal data and how they value that data

  • Maintain records of all access requests for 24 months, as well as how the business responded.

While we tried to hit all the major points, this list is not exhaustive. Read the full text of the bill here to see all the guideline specifics.

All of this may seem complicated, but it doesn’t have to be! There are simple solutions to cover yourself and ensure that you remain in control of your data and that it is handled safely and securely by those who you have entrusted it to.

One: You must give your customers the chance to opt-out, twice

This is the primary way you can protect yourself and make your business compliant. Adding two options for your customers to opt out of data collection brings you most of the way to compliance and gives your customers the full control of their data that they deserve. As outlined above, these options can be a form submit, a contact form, a phone number or even an email. As long as you have two clearly marked ways for customers to opt out you will be covered.

For example, one brand that used a contact email to give their California consumers the option to opt out added the following to their contact page:

If you are a Californian resident, you have the right to opt-out of the sale of your personal information. Under the California Consumer Privacy Act (the “CCPA”), the “sale” of personal information broadly includes any communication of personal information to any business that is deemed to be a “third party” (as defined in the CCPA) for monetary or other valuable consideration, subject to certain exceptions and limitations. We do not sell personal information. However, if you would like to submit such a request, please send your request to Email@brand.com

Two: You must update your privacy policy to disclose any data usage

The second move you’ll need to make is considerably less complicated. If your business is consumer facing then it’s likely that you already have a Privacy Policy statement directly addressing your data collection practices linked at the bottom of your website; this is where you have an opportunity to clarify your data collection practices to your customers. All usage of consumer data must be disclosed, particularly any sales or usage that results in financial incentives.

Consider adding a few sentences, such as these, to your Privacy Policy if you target audiences in your advertising, do any retargeting, or use lookalike modeling for your ad campaigns:

“We share personal information such as mobile ad ids and/or cookies collected with advertisers and other unaffiliated third parties, including business partners such as advertising businesses who are obligated to comply with applicable laws concerning usage of such information. Please see the remainder of this Privacy Policy for your opt-out choices.”

By taking these two simple steps you guard against violation of any applicable regulations (for example CCPA). Of course, we always recommend seeking your legal counsel’s review and approval for any changes to your business agreements, but these types of updates are important to ensure you continue a trusted relationship with your customers around your handling of consumer data.

FieldTest is not an attorney and cannot offer legal advice. Please consult competent legal counsel for legal advice.