With the rise of big data, there has been increased attention on privacy and data protection. Now, privacy and data protection regulations are coming into play.
On January 1st of 2023 California will have a change in the scope of its Consumer Data Protection Act (CCPA), thus increasing its scope and concepts, such as sensitive personal data.
According to the United Nations Conference on Trade and Development, currently, 71% of countries already have some regulation for data protection and privacy, while another 9% are drafting their own laws.
In addition to all this, browsers like Mozilla Firefox, Brave, and Safari already have features to block third-party cookies, and as we discussed in this post, Google is also studying strategies to phase out third-party cookies.
This scenario tells us that regulations such as GDPR and CCPA are here to stay; user data is becoming increasingly valuable and, of course, companies need to adapt their digital marketing strategies. Failure to do so will leave them either having to take legal risks or not capturing user data.
In this article, we’ll talk a little more about the changes to the CCPA, what marketers need to do to keep capturing high-value data, how Rock Content can help your company prepare for the future of data capture, and what your business needs to do to be legally compliant.
What is the CCPA
CCPA stands for California Consumer Privacy Act of 2018, a Legal Act, effective throughout the state of California, in favor of consumers, giving them greater power over their data.
This Legal Act came into force on January 1st, 2020, it discusses privacy issues and how companies should behave in terms of collecting data from people residing or transiting through California.
Among the objectives of the CCPA you will find:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Thereby, establishing rights that consumers residing in California have over their data; defining legal limits for the collection of data carried out by companies, specially informing consumers as to what data is being collected, therefore giving greater control over what companies know about this same consumer.
What changes with the CPRA
The California Consumer Protection Act of 2018 is already in place, and now it is being updated by the California Privacy Rights Act (CPRA), which will come into force on January 1st of 2023, adding some significant changes to the previous law.
The first thing you should be aware of is that the Personal Information category changed a little and now includes Personal and Sensitive Information (PSI), which includes:
- Direct identifiers, which are personal data that identifies a natural person, such as: real name, alias, social security number, driver’s license number, fingerprint, etc.;
- Indirect identifiers, meaning data that can jointly identify a natural person, such as cookies, telephone numbers, email addresses, IP, consumption histories or tendencies, internet history, geolocation, etc.
- And sensitive data, which means data that can lead to identifying characteristics of a person, such as religious beliefs, sexual and gender orientation, party affiliations, medical, educational, and financial background, etc.
CPRA also adds 4 new rights, they are:
Right to access information about automated decision-making
Consumers, under the CPRA, now have the right to access the information that was collected to make automatic decisions. In these cases, your company must inform the user what data was used and how it was used, including what the outcomes of these decisions were.
Right to access and opt out of automated decision-making
As consumers have the right to know what information is collected for automatic decisions, they also have the right to opt-out of this type of decision, including profiling a consumer for automatic decisions.
Right to Correction
As the name suggests, the right to correction empowers consumers to request an update of their data if they believe it is inaccurate or outdated.
Limit use for Personal Sensitive Information
This new right gives consumers the power, at any time, to instruct a company that collects SPIs to limit the use of the consumer’s information, only to the use necessary to perform the services, or provide the goods purchased by the consumer.
What Do Marketers Need to Do to Comply?
You may notice that some of the requirements depend on the context of the website, e.g. if it doesn’t collect sensitive data, it doesn’t need to halt sensitive data usage.
That said, to be compliant with the CPRA changes, marketers need to empower their customers to:
- Know about the data that is being collected and for what purpose;
- Having the possibility to opt-out of the data that is captured automatically;
- Provide a way for customers to request a copy, update, and deletion of their data.
- If you make automated decisions based on SPIs, your users need to be able to know which data is being used and opt-out of this type of decision;
- Your website must feature a Do Not Sell My Personal Information link that users can use to opt-out of third-party data sales.
- If your website has minors under the age of 16 among its users, you are required to obtain their opt-in (consent) before you are allowed to sell or disclose their personal information to third parties. In the case of consumers who are less than 13 years of age, they must affirmatively authorize the sale of their personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt-in.”
About the SLAs: in case a consumer requests a copy, update, and/or deletion of their data, you have 45 days to do so.
If you need more time, this SLA may receive an extra 45 days, but remember that in these cases, you also need to inform your consumer on why you need more time.
As you may notice, there are many things to deal with, which is why we recommend that Marketers do an assessment to understand what the legal requirements that apply to their businesses are.
What efforts has ION taken to prepare for it?
Now that you know what the requirements are to be in compliance with the CCPA and its CPRA updates, let’s talk about how Ion helps reduce your business risk while enabling you to collect valuable data about your audience and guide your journey through the conversion funnel!
Firstly, it is essential to point out that these sensitive data are sensitive for a reason: through them, you can identify specific users, that is, invade their privacy.
To address this, Ion anonymizes IP and geolocation data so you can understand the big picture of your audience and gain insights from them. We enable clients to understand their audience profiles, answering questions such as what are your best acquisition channels? And your conversion rates? Without invading your audience’s privacy!
Another important point, Ion works with zero-party data, also called self-declared data, which means that the user has the power to decide whether or not to share data with a company. Once they decide to share information, you will receive information directly from that user, that is, data with high reliability and in compliance with the law.
In addition, if you are collecting any other sensitive data, you can configure rules and routines for deleting this data on our platform based on your needs, ensuring that you will always have minimal risks related to sensitive information.
What are ION’s customers’ responsibilities under CCPA?
Finally, we still have to delimit things your company should do regardless of the chosen data capture platforms.
The good news here is that most of the requirements in this topic have a lot in common with the GDPR, and your company may already be complying with some of them:
Provide a way for users to request a copy, update, and deletion of their data;
If you sell your user data, users should be able to ask your company to stop selling their personal information, this should be done through a Do Not Sell My Data link on your website or at your company’s Policy link.
In case your business has consumers who are at least 13 years old and less than 16 years old, the consumer’s parents or legal guardian must affirmatively authorize the sale of the consumer’s personal information.
On your website, customers must be able to navigate without data being shared. That is, they must be able to opt-out of the automatic sharing of data, and if you keep IP backups or other sensitive data, they must be anonymized.
By now you may have noticed that the biggest difference between GDPR and CCPA is that under European law you must explicitly request opt-in, while under California law you must allow users to opt-out.
Other US privacy acts following next year
With stricter regulations in place for third and second-party data, marketers now have a strong incentive to invest in building up their own zero and first-party data, which customers can intentionally and proactively share via engaging interactive experiences and through a personalized experience.
As I mentioned at the beginning of this article, more than 70% of the world already has its specific legislation, and almost 10% are looking to create their legislation right now.
This is the case in other American states, so I strongly suggest that marketing teams keep an eye on the following acts:
- Virginia Consumer Data Protection Act (VCDPA);
- Colorado Privacy Act (CPA);
- Utah Consumer Privacy Act (UCPA);
- Connecticut Act Concerning Personal Data Privacy and Online Monitoring.
Thank you very much for your time and I wish your business success!