The CCPA and GDPR: Are they obstacles or opportunities?
Well before the General Data Protection Regulation went into effect in May of 2018, observers and analysts predicted the GDPR would provide a template for similar regulation in other countries and regions. The many stories about lapses and breaches in data privacy – many of them horror stories, to consumers and privacy watchdogs – reinforced the fact.
Just a month later, the world’s fifth-largest economy saw the introduction of comprehensive consumer data protection legislation. But, just as that particular leading economy is unlike others in that it doesn’t belong to a sovereign nation but to the state of California? Its own new data privacy rules don’t exactly mirror the GDPR.
As Gabe Morazan, a certified information privacy professional/Europe (CIPP/E) and director of product for Crownpeak’s Digital Governance solutions points out, the California Consumer Privacy Act (CCPA) shares much of the intent of the GDPR, but the distinctions between the two are significant.
One commonality, though? Each presents an opportunity, rather than an obstacle, for digital marketers trying to deepen engagement and trust with consumers.
“If you take a short-sighted point of view on this,” he points out, “you’re swimming against the tide, and you’re overlooking the fact this is a consumer movement, not a regulatory issue. So a company may miss out on the real opportunity it presents.”
A key distinction: Opt-out versus opt-in
The CCPA was drafted to protect consumer rights and drive stronger privacy and transparency when it comes to their personal information. Californians will have the right to know what data is being collected, if it’s being shared and whom with, and can opt out of the sale of that data, as well as being able to access it themselves and request its deletion. Businesses won’t be allowed to sell the personal data of consumers aged 13-16, unless they opt in. For consumers under 13, parental or guardian consent is necessary.
One key difference between the two, according to Gabe? “In the CCPA, it doesn’t explicitly require user consent to collect and process data profiles. But you have to provide consumers with a place where you, as a marketer, explain how you collect data and who you’re sharing it with, and give consumers the chance to opt-out.
“So you can collect consumer data, just as you have before, but have to provide that opt-out. GDPR requires an explicit opt-in, or requires explicit consent from whatever source where the data is being collected, as part of a well-documented record of consent,” he says. “Consumers have to be able to withdraw that consent at any time.”
Other regulatory differences?
The CCPA applies to California residents, whereas the GDPR is more vague, referring to “EU data subjects” without specifying residency or citizenship. The CCPA also protects data that’s linked to a specific household, where the GDPR only applies its protections to individuals.
The GDPR applies to any company that collects and processes the data of these “EU data subjects,” regardless of a firm’s location. The CCPA says companies under its jurisdiction must be “doing business” in California, but goes no further in identifying what’s involved.
Moreover, where the GDPR applies to all organizations, from private to public, including NPOs, the CCPA limits itself to for-profit enterprises grossing over $25 million annually, and that deal in the personal data of 50,000 or more consumers, and get 50% of their annual revenue from selling consumer data.
“The business impact of GDPR will be bigger than that of the CCPA,” Gabe says. “But in both cases, the consumer has greater visibility into how their data is used, and more control over that. That’s consistent across all these various proposed legislations.”
A seismic shift in consumer attitudes
As he explains, the deeper implications of the CCPA are what it signifies about consumer sentiment when it comes to data privacy.
“The U.S. has always had privacy laws,” he points out, “where the FTC could go after companies that violated consumer trust. There was a reliance on self-regulation by industries; an example of that is the AdChoices program managed by the Advertising Alliance,” he says. “It was voluntary on the part of marketers, and outside the scope of government, and there were very few enforcement teeth for anyone who violated it.
“Since the CCPA was signed into law, though,” he continues, “there are 11-12 other U.S. states that are proposing or adopting similar legislation. On its own, CCPA is a pretty monumental event, but it’s also a catalyst for other regulation around the collection and use of consumer data. It’s even forcing changes at the federal level; legislators are already talking about needing federal legislation or else there’ll be this unwieldy patchwork of state regulations.”
What’s this tell us about consumers’ view of data privacy? “It represents a seismic shift in consumer attitudes,” he says, “that doesn’t come out of nowhere. Prior to the Cambridge Analytica scandal, a very small portion of the population talked about data privacy. Now, everyday citizens are looking at brands and companies and asking questions they haven’t asked before about how their data is being used.”
An “unprecedented” chance to create trust
This shift should drive an evolution in how companies address data privacy in their digital marketing. “You can draw a line from ‘content marketing’ through ‘experience marketing’ that lands at ‘trust marketing’,” Gabe says, “where a marketer proves they’re honest and aboveboard in handling user data by deploying what we call ‘privacy UX.’ So to show you’re serious about protecting their data, you give everyone a more transparent, seamless, but still on-brand consent experience. That builds deeper trust and engagement.”
His point is backed up by research showing 62% of UK consumers felt more comfortable sharing their personal information after the arrival of new data privacy laws. By demonstrating their support of people’s data rights, marketers are able to leverage the sea change in consumer attitudes.
“This isn’t just about giving people a checkbox on an online form,” Gabe says. “It looks like a compliance issue, but it’s really about consumer trust and sentiment. It’s really a fundamental shift in how consumers interact with brands, and an opportunity for companies to differentiate themselves by proving they’re trustworthy. Empowering people is part of that; studies show that when users are given the opportunity to exercise their data rights, they tend to opt-in.
“You can either try to fight this wave of change,” he says, “or ride it to the crest of brand differentiation. That might sound kind of glib, but it’s the truth. It’s actually an unprecedented opportunity for digital marketers to prove themselves to consumers.”