The California Consumer Privacy Act went into effect Jan. 1 but will not be enforced until July 1. Those in the customer experience realms of sales, marketing, e-commerce and customer service who’ve already created GDPR compliance plans are a good chunk of the way to CCPA compliance, experts say.
CX teams who work for companies outside California may view CCPA compliance as a lower priority than GDPR, because it only represents one U.S. state. That is the case for a majority of clients of Blue Fountain Media, a New York-based digital agency specializing in marketing, e-commerce and overall customer experience, said general manager Brian Byer.
“This particular law isn’t going to be what drives the behavior across the entire United States,” Byer said. “Being a New Yorker, California is looked upon as being a little quirky, and once this becomes a federal mandate you will see a massive consumer effect. As of today, until somebody gets a massive fine, it’s going to be something consumers aren’t as cognizant of as, say, HIPAA compliance if they’re going to the doctor every week.”
Nationally, consumer data protection proposals are under consideration in Washington and Oregon as well, prompting some companies such as Microsoft to make CCPA compliance its national standard as it prepares for users to scrutinize cloud companies’ data-privacy practices as a patchwork of state laws may eventually lead to a national umbrella regulation.
Differences, similarities to GDPR
For CX teams, protecting customer privacy under CCPA is similar to the European GDPR law, which took effect in 2018, in that a core principle involves consumers’ “right to be forgotten,” or requiring a company to delete their personal data.
The differences between the two laws are borne of the different mindsets of the European and California legal systems, said IDC legal analyst Ryan O’Leary. CCPA makes an exception for customer loyalty programs, which are not covered under the law, while the GDPR doesn’t. CCPA also puts more responsibility on consumers to opt out of their data use for commercial purposes, rather than the company that holds the data.
Another difference with CCPA is that it gives consumers separate control over sale of their consumer data, the extent of which will remain somewhat “up in the air” until regulators decide what will and won’t be enforced, O’Leary added. But California consumers, in effect, can tell a company to hold on to their data, but not to sell it.
Ryan O’LearyAnalyst, IDC
“Businesses have to provide a clearly visible and worded opt-out link on their websites [for data sales],” O’Leary said, adding that cloud software platforms add more legal questions about who is responsible for data-selling violations — which can add up quickly, with fines of $7,500 per violation — for selling a consumer’s data after consumers have opted out. “If you’re not selling the data, but third parties you’re working with are leveraging your consumer data and going ahead and selling it, you could be held liable.”
That said, O’Leary added that he sees companies trying to limit the number of opt-outs — and therefore, the compliance load — by making it harder to do. Those can include benign “are you sure?” boxes, more onerous web forms, or even requiring consumers to call a contact center to opt out over the phone. It’s all legal, fitting in with CCPA’s mandate requiring companies to offer consumers two modes of contact for consumers to opt out of personal data retention.
What companies CCPA covers
Despite the fear of potential CCPA fines that could intimidate digital marketing and call center teams for mishandling consumer information, not every company is affected by the regulation. First, a company has to do business with Californians. Second, the law covers only companies that either do $25 million in gross revenue, receive personal information from at least 50,000 consumer or derive at least 50% of annual revenue from selling consumers’ personal information.
Some nonprofits may be excluded, according to Jackson Lewis attorneys Joseph Lazzarotti and Jason Gavejian in their analysis of the law, which also includes which data points that the law considers personal information, such as biometric data, education records and even “audio, electronic, visual, thermal, olfactory or similar information.”
For CX teams using cloud platform technology platforms, complying with CCPA and other potential consumer data-protection laws coming down the pike involves unifying consumer data and breaking down data silos — something they’re been working on already for business purposes, said IDC’s O’Leary.
“The first step in complying with these types of laws is to clean up your house and information governance practices,” O’Leary said. “We really need to stop thinking and working in silos. We need to start data mapping. There’s plenty of tools and consultants out there to help. … It will cost, but [consumer trust] is worth any cost to get a handle on your data, where it is and who has it.”