In the US, we often notice that what starts in California will eventually spread to the rest of the country. Whether it's related to fashion, culture or legal issues, if it starts in the golden state there's a good chance it will spread east in the US.
On June 28, 2018, California Governor Jerry Brown signed into law another California "first" – the most comprehensive (and the first statewide) consumer privacy law in the US. It’s known as the California Consumer Privacy Act (CCPA), and other states have taken notice, with up to nine states now actively pursuing their own laws, and there’s even talk of a possible US federal privacy law.
Consumer rights under the California law?
As of January 1, 2020, the California law applies to: any for-profit business that collects California residents’ personal information; does business in the State of California, and: (a) has annual gross revenues in excess of $25 million; or (b) buys, sells, receives or shares for a commercial purpose the personal information of 50,000 or more California residents, households or devices annually; or (c) derives 50 percent or more of annual revenues from selling California residents’ personal information.
From an AAF.org summary: "The CCPA broadly defines the term ’personal information‘ as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The new law gives residents the right to:
- Ask for the business reason for collecting their information.
- Know all the data that a business has collected about them.
- Refuse the sale of their data/information.
- Delete the data a company has about them.
- Agree to a mandated opt-in before the sale of children’s information (under the age of 16).
- Know the categories of third parties with whom their data is shared.
Some have questioned this new law, as well as similar ones around the world. The sentiment is that these are needless regulations and that most consumers aren’t really paying that much attention when it comes to their data and the privacy surrounding it.
A recent survey from Futurum - and sponsored by SAS - however, sheds light on consumer views toward data privacy. And if there was any illusion that consumers don’t care, Futurum smashes it, making this distinct point within their report: ”The level of distrust on the part of consumers is high, a point that brands must address today in order to remain viable 5 or 10 years into the future.”
The Futurum survey says:
- 73% are concerned with how brands are using their personal data.
- 76% of consumers are concerned with the amount of data brands gather when they search for or purchase a product.
- 73% of consumers are concerned with how brands are using their personal data to the point where they feel it is out of control.
- 71% believe that companies and brands should not be allowed to share their data with other companies or brands.
- 61% feel they have no control over the level of privacy they need for themselves, their family, or their children.
- 50% believe brands are hiding “bad things” they’ve done with user data and privacy.
What does this mean for marketers?
Similar to what organizations encountered with the EU General Data Protection Regulation, organizations in the US are now scrambling to figure out how to tackle the CCPA. They're asking questions like: What technology should we use? Do we have the right experts in-house? And who should be in charge of data privacy?
Based on our work with organizations affected by the European laws, SAS has developed best practices for personal data protection. Here are some of the things we've learned:
- IT alone should not be in charge of data privacy; it must involve every department that works with personal data.
- A culture of data privacy must be established. Every employee must understand their role in securing the data privacy of their customers, and how to best accomplish this.
- Companies must evaluate their current data governance structure and make all data privacy endeavors part of data governance rather than having separate data governance programs.
- All technology considerations must take into account – at a minimum – data access, data quality, data governance and auditing capabilities.
Every organization is different, and the path to a privacy program will vary. But one thing is true across the board: Organizations need to act now. The government is taking notice, your customers care, and fines and potential loss of reputation are on the line.