CCPA: Questions of Privacy, Compliance, Enforcement

0
65


Business, boiled down to its simplest terms, is often one elaborate game of risk. Come January 1, 2020, a slew of companies doing business in the United States will be forced to weigh theirs like never before.

Effective on that date, a landmark consumer privacy law, the California Consumer Protection Act (CCPA), goes into effect. As a result, for the first time, many US businesses will be subject to a far stricter set of privacy regulations.

In short, American consumers will now have the legal right to instruct a given company to disclose what personal data has been collected about them, and request the company immediately dispose of it. This process is known as a consumer request to be “forgotten.”

As a consumer, the new law is straightforward: One’s right to privacy has been significantly elevated. And if a company chooses not to comply with the new regulations, it will incur a financial penalty larger than ever before.


But that’s only the start. Because things get far more complex—and, for marketing measurement and consumer tracking analytics people like me, quite interesting. That’s because as it stands, so many companies remain unsure as to how these new regulations will impact their marketing strategies:

  • What will need to change about their data collection processes
  • How sensitive their current models are as it relates to consumer privacy
  • Whether the marketing measurement tools employed by their respective vendors are compliant—and less accurate—with the new regulations

The new law also has wide-ranging implications for a company’s marketing strategy. Even if a company audits its process and complies with the new regulations, it’s no exaggeration to say the law will greatly affect the accuracy and efficacy of long-held marketing measurement approaches like attribution.

When consumers remove themselves by invoking the right to be forgotten, gaps are introduced in the measurement picture. And, mind you, those are not random gaps. Attribution approaches attempting to stitch together a “path to purchase” now have missing pieces, and the entire approach starts to crumble. Brands today are also using a host of probabilistic mechanisms to identify consumers; additional holes in this data throws off its accuracy more significantly.

The result is a swarm of potential problems in terms of both overstating and understating the value of marketing, and so getting that part of the equation wrong.

More than draining the marketer’s confidence, these issues have real financial implications for businesses.

Although the law is still some weeks away from implementation, some brands are already jumped ahead of it. Those in more heavily regulated industries, such as insurance, have long been sensitized to privacy matters and therefore have mature processes in place to manage it. They’re on the forefront, as if saying, “Our current approaches aren’t going to work anymore under CCPA, so we’ve got to find other ways to measure our marketing investment that don’t rely solely on consumer identities.”


Furthermore, several Fortune 500 companies have done exhaustive and comprehensive audits of their marketing approach to trace through all those points of data sharing and consumer data capture. They’ve already started contacting their vendors to inquire about compliance. In this way, brands are detailing out and mapping their exposure and then remediating exposure and risks. Beyond compliance, these same brands are asking whether their current measurement approaches are creating more exposure and risk. And the answer with CCPA is a definite “yes.”

Other—often smaller—brands, however, are playing the waiting game. Yes, bigger companies in the middle of the data collection process naturally have larger targets on their backs. But smaller-scale brands, whether smartly or not, feel as if they may be able to potentially fly under the radar. In essence, they’re saying, “Let the Googles and Facebooks of the world take the hit first and we’ll see how the chips fall.”

It’s a shortsighted approach, though: What these companies fail to consider is the massive can of worms just under the surface, particularly in relation to consumers’ asking to “be forgotten.”

Let’s take a simple case: programmatic display. When a customer says, “forget me,” that request triggers a cascade across a half-dozen potential vendors to properly wipe out tracking and consumer identity data along with audit requirements to prove it was done properly. It’s not a stretch to say that mistakes will be made when consumers ask to be forgotten, and Americans are not exactly the most forgiving if they don’t get what they want.

So where does this leave brands? For better or worse, it becomes a waiting game. The largest question mark remains how harshly and quickly California will enforce the new law.

We can turn to the European Union for an example of what to potentially expect: The EU implemented the General Data Protection Regulation (GDPR) in May 2018, and many conscientious brands immediately began to overhaul their marketing and data collection processes. That was followed by an unannounced grace period whereby the EU delayed enforcement in most cases while companies moved toward compliance.

Steadily, however, GDPR enforcement has ramped up and the financial bottom line of companies, both large and small, will naturally be impacted.

We can only wonder, then: Will this process repeat itself on this side of the pond?



Read More

LEAVE A REPLY

Please enter your comment!
Please enter your name here