As the California Consumer Privacy Act comes into effect January 1, it is both under question and under renovation.
The law mandates that California residents know what personal data is being collected and to whom it is sold or disclosed. It further allows people to access their personal data, stop the sale of it, have companies delete it and then not be discriminated against for asserting their privacy rights.
The act is considered to encompass the toughest privacy laws in the country.
Yet, Alistair Mctaggart, the wealthy Bay Area real-estate developer, whose 2018 petition was headed for the voting booth when the California state legislature passed a pre-emptive privacy law, is already promoting a new ballot initiative for a beefed-up version. His concern is that lobbyists will water down privacy rights.
Mctaggart’s take-two includes strengthening people’s control over data about race, health, finances, their social security numbers and location tracking. Companies that wrongly track and sell data about minors would be stiffly penalized.
Meanwhile, Facebook, one of the behemoth data merchants the law was targeting all along, has indicated it may not even need to comply with CCPA. Facebook posits that its routine "transfer" of data may not be construed as selling data.
"We’re watching to see the first litigation here, for someone to set a precedent for how CCPA will be interpreted and who will be targeted," said Jess Barkley, vice president of data-driven marketing at Barkley, the independent Kansas City-based agency.
Campaign reached out to Best and other CCPA stakeholders and reviewed new research on privacy to gauge if the law will click by much like the GDPR opt-ins or herald real changes in the marketing business.
Big picture: Be ‘rightfully freaked out,’ says Jess Best, VP of data-driven marketing at Barkley.
While media folks are lit up about CCPA, and rightfully freaked out about how much harder it will be to buy targeted eyeballs, most brand-side marketers are possibly over-worried about what processes they need to have in place right away.
We’re watching to see the first litigation here, for someone to set a precedent for how CCPA will be interpreted and who will be targeted. For example, CCPA is targeted at companies over $25 million in revenue, or companies who make over half their revenue from consumers’ data. Will the latter only mean list and advertising vendors? Some speculation suggests that just about all marketers make money from collecting/using consumer data.
That said, brands are—and should be—preparing to provide insight to consumers on what data the brand stores about them. There are whole industries popping up to address this task, not just in the face of CCPA, but in response to GDPR in 2018. The gist of both laws is, people have to be able to control whether you target or track them and have to be able to revoke that permission easily. Marketers have sold cookies and data collection as convenience, i.e. remembering my favorites when I return to a site, or making ads that I see more relevant to what I actually want to buy. Now all of that has to be transparent and explicit with the option to opt out of it at any time.
The freak-out for brands is mostly around the labor, processes, data connectivity and data systems it would take to be able to give someone the data we have on them and/or set their global permissions.
The good news for most brands is that big advertisers like Google and Facebook will likely take the first hits, like they were with GDPR. The rest of us will watch and learn.
The bad news is that, if even one% of your consumers asked for all the data you have on them—what would it take to deliver on that? For some brands, the answer is "a lot."
The industry already has the know-how to solve this, according to Daniel Sepulveda, SVP of Policy & Advocacy for MediaMath, in New York City. Sepulveda served as deputy assistant secretary in the Obama State Department, where his work covered digital economy and internet governance.
The tech for enabling the exercise of consumer rights under CCPA exists, it just needs to be modified for that purpose. We, as people and an industry, must solve for the law’s purpose - to increase consumer control and understanding of the use of their data. This is particularly important for those of us in the digital advertising industry because our ecosystem is complex, interconnected, and somewhat opaque.
We believe that a compliance solution requires four key elements:
- Surfacing to consumers the fact that the company they are directly interacting with and third party companies are engaged in the collection and sale of their personal information when that is happening,
- Ensuring that consumers have the option to bar any or all of them from "selling" (as CCPA defines it) that information,
- Signaling those choices to the rest of the ecosystem, and
- Creating legally binding obligations on all participants to respect those choices.
As for how consumers will react to these laws, Sepulveda continues:
The law recognizes that in the modern economy data flows between firms all the time. This law and the conversation around it creates an opportunity to better inform consumers on how those transfers work. Consumers will tend to consent less and opt out more, particularly in the beginning, because they may believe there is no downside to doing so.
If publishers wish to continue processing consumers’ personal data in order to monetize their content, and if advertisers wish to continue delivering targeted advertisements to individuals or measuring the effectiveness of contextual ads, then both parties will need to adapt their messaging to consumers to demonstrate the value consumers receive from the processing of their personal data (i.e., access to lower-cost or free content and services they would otherwise have to pay for).
Third-party data will continue to be under pressure, especially where the sources of the data and the level of transparency and control provided to users over the use of that data remains murky.
First-party data will continue to be king, as direct relationships with consumers are increasingly favored by law, self-regulation, brands, publishers, and consumers themselves. More direct relationships allow for better consumers experiences and tend to provide users with more transparency and control over how their data is collected and used.
A shift from third-party data and GDPR have prepared some for California’s privacy act, notes Samantha Weinstein, director of data & programmatic at the Boston-based digital marketing shop, AMP Agency.
Our primary approach is to be proactive. The past year of education and learning surrounding GDPR fortunately means we are not starting over for CCPA, but rather it is something we have been thinking strategically about for some time. As an agency, we have been shifting away from third party data primarily based on performance, which benefits us as we now think about CCPA. We rely heavily on brokering data partnerships on behalf of our clients.
This reliance on 2nd party data allows us to ensure each vendor we buy data from is compliant. We have added addendums to our agreements and are able to know exactly where, when, & how the data we buy is collected. Additionally, we are working closely with clients on their CDPs & DMPs. Utilizing their own first party data becomes even more important as this is where they have the most control and transparency into collection methodologies and compliance.
As data privacy comes under scrutiny, a majority of people told Pew Research Center that data harvesting is a reality of modern life and they don’t like it.
In fact, just over 60% of respondents believe it is not possible to go through daily life without companies and the government collecting data about them.
Consumers told Pew researchers they had very little control over what companies collect about them (81%) or government entities (84%). More than three-quarters of respondents are very/somewhat concerned about how companies handle their data.
Yet only 22% said they read those frequent privacy-waiver pop-ups.
This ambivalence about data and privacy protection promises to keep the issue on the table.