Since the Cambridge Analytica debacle of 2018, data and data privacy have been hot topics. Consumers are increasingly aware of the personal data they elect to provide and are demanding stricter regulations regarding the use and sale of their personal information. As a result, data regulation is top of mind. Legislation like GDPR and the California Consumer Protection Act, or CCPA, has begun to come to fruition in governments across the globe.
The common thread through these new laws is the definition of an entirely new human right -- the right to be forgotten. Although CCPA is California-based legislation, as a national or global brand, it is difficult to segment consumer data collection and storage based on location or residence, meaning changes will likely need to be made universally in your organization. This will not be the only state or federal-level legislation passed in the United States, so your organization should be prepared to comply with new state or federal requirements as they arise.
In a marketplace where consumers are increasingly educated and express concern over data privacy, your brand should be concerned too. The success of your marketing programs and the life of your business depend on it. Besides the risk of severing trust with your consumers, non-compliance in these new legal landscapes could result in significant monetary fines and legal action against your company.
GDPR and CCPA have established a new baseline for consumer rights, and we will see other state and federal legislation follow these models. Maryland and Massachusetts are already working to implement laws following the CCPA model, and Washington is following suit with the GDPR model. We will likely see significant changes to advertising platforms as they work to comply with these new definitions of personal information. I also predict we will see a rise in data privacy and tech services as companies work through implementation.
CCPA is groundbreaking, first-of-its-kind data privacy legislation in the United States, passed in California in June of 2018. It is the most comprehensive piece of US legislation protecting consumer data and privacy to date. It is similar to but differs from GDPR in scope and territorial reach. It outlines consumer rights to data privacy including the right to access and delete consumer information. CCPA outlines requirements of businesses and the penalties for non-compliance.
Personal information is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household. These identifiers include:
Publicly available information such as information from federal, state, and local government records is not considered personal information.
This includes selling, renting, transferring, communicating, releasing, or disclosing information for monetary gain or other valuable consideration. This could have implications for ad platforms, 3rd-party vendors, and partners. Legal language in the legislation does protect parties acting on behalf of the business but it is not clear how this distinction will be made or enforced.
If a customer opts out of your data collection or requests their information be deleted, what happens? Do they lose access to special pricing or quality of service? Under CCPA, this is considered a form of discrimination. Marketers can defend themselves from this risk by understanding the value of data. Marketers can, by law, adjust pricing or levels or quality of service where the difference in price or quality is reasonably related to the value of the data lost. Marketers can also offer reasonable incentives to discourage opt-out but incentives must not be unjust, coercive, or unreasonable.
Disclaimer: Room 214 is not authorized to provide legal advice and the information in this article should not be construed as legal advice. Speak with your legal team to decide what steps need to be taken for your organization.