With the California Consumer Privacy Act (CCPA) in effect as of January 2020, you may be wondering how to adjust. Don’t panic at the prospect of being held accountable for the consumer data you collect, manage, store, or share. But don’t ignore the law, either. It’s the leading edge of a data privacy and transparency movement that is spreading across the United States and might someday lead to federal legislation. (More on that later in this post.)
As California email marketing laws affect the nation, we’re here to suggest ways to adapt and succeed in the new landscape. Here are 10 steps to take to adjust for CCPA.
What is the CCPA?
First, let’s talk about how the CCPA affects California email marketing. The California Consumer Privacy Act (CCPA) grants California residents privacy rights over their personal information and data. It gives consumers more control over, and protection against, businesses that collect their information.
People protected by these new California privacy laws are granted:
- The right to know the personal information collected about them,
- The right to know if personal information is being sold or distributed,
- The right to delete collected personal information (to a certain extent),
- The right to opt-out of the sale of personal information,
- The right to non-discrimination / the same services if they opt out of the sale of their personal information.
What businesses does the CCPA apply to?
Second, let’s tackle who the CCPA applies to. While CCPA email marketing effects are what this article focuses on, it isn’t just marketing agencies that feel its effects.
The CCPA applies to for-profit entities that meet any of the following requirements:
- Has an annual gross revenue larger than $25 million,
- Receives or discloses the personal information of 50,000 or more California residents, households, or devices each year, or,
- Derives 50 percent or more of its annual revenue from selling California residents’ personal information.
Only one of the above needs to apply for a business to be regulated by the CCPA. Nonprofits are exempt from CCPA regulations, and so are for-profits that fail to meet any of the criteria above.
Our 10 steps to CCPA email marketing
1. Treat every customer as if she/he is a California resident.
We hear from many marketers that they don’t have location data on their customers, so they don’t know who’s covered by the law. Our response: Treat all of your subscribers as if they’re from California, especially because many other states are passing similar laws. California email marketing agencies aren’t the only ones who need to watch their step – everyone should be equally careful to protect their audience’s privacy.
Typically, we have found that companies have more information than they realize. Look for information such as when, where, and how customers opted in; IP addresses; web form locations; and other data that their behavior generates, as well as any preference data that shows location.
2. Add an opt-in form that can serve up different versions to accommodate local requirements.
For example, a form could request each subscriber to indicate country of residence. The form could present a request for an explicit opt-in from residents who say they live in EU countries, Canada, or other places where data laws require a positive action.
Or, revise the opt-in form to require an explicit opt-in from every subscriber (e.g., an unchecked checkbox that says “Yes, please send me email messages from your company”). CCPA marketing compliance focuses on consent and transparency for every subscriber.
Opting in shows benefits beyond personal privacy – it’s also a great way to boost engagement in general. Check out our blog “Double Opt-in and Its Effect on Deliverability Rates” to learn more.
3. Map data.
When we work with clients, we look at how they map their data. A marketer might collect data through a WordPress site or an ESP web form. An integration then synchronizes that information from the CRM system over to the ESP or marketing automation program.
We will then analyze and map the data from the CRM to a billing system. Knowing how they map information and where it goes helps companies comply with the law’s “right to be forgotten.”
4. Create a Privacy Impact Assessment (PIA).
A PIA helps companies understand where their data flows and how they map the data. We work with companies, clients, and prospects on data mapping and PIAs. They reveal vulnerabilities and compliance gaps with CCPA.
As part of this process, we look at multiple databases, products, and applications, and how they collect, share, sell, and grant access to consumer or customer data. CCPA marketing is best conducted with careful consideration of how you would identify a specific consumer’s data if a removal request arrives.
5. Review third-party contracts and vendors.
People often overlook this area in data and privacy compliance. Lots of marketers have third-party contracts with vendors to store data in their data centers or share their data for surveys or analytics.
We look at those contracts to see what the vendors are doing with the data. Review all contracts now to see if each third-party vendor is up to date with CCPA’s provisions. Use this information to decide whether sharing data with that vendor would create compliance risk.
6. Create an in-house privacy/compliance roundtable.
The marketing department isn’t the only one that has to comply with CCPA, GDPR, CASL, and other data laws. Take the lead, and bring reps from Marketing, Sales, Legal, Privacy, and IT to the table so everyone can learn about the law, share information, and understand how other departments collect, store, and share data.
Make each member of the roundtable responsible for one part of the process: locking down the database, updating data-collection forms, or changing data acquisition processes. All participants should be assigned certain responsibilities and told what specifically they need to recommend for compliance. This helps create a cohesive CCPA email marketing strategy.
7. Seek allies in IT to get in front of a data breach.
For many companies today, data breaches aren’t a matter of “if they happen” but “when they happen.” No matter how carefully a company safeguards data, always prepare for the worst.
Marketing and IT often have a contentious relationship. But, if a breach happens, these two departments will be the company’s first line of defense in complying with legal notification requirements.
Know how your data is being monitored. Monitor log files, watch third-party systems for breaches, and be sure everyone on the privacy roundtable knows the procedure and whom to contact if the unthinkable occurs.
8. Find out where the needed information is located.
Assign this function to members of the privacy/compliance roundtable. Functions can include tracking down and listing locations and people responsible for policy and procedural manuals and for databases of consumer information, whether they’re on-site or stored in cloud-based systems.
9. Prepare for the “right to be forgotten.”
This section of the law allows California residents to request that companies delete certain categories of their personal data and requires them to notify residents that they have that right. A similar provision is also a key element of GDPR.
But, as noted earlier, companies can retain some personal data that falls into protected categories. Know what data you are entitled to retain and how deleting data that is eligible for removal could interfere with business processes or databases.
Then, create a process to handle these requests.
Adopt a multiple-channel approach. Allow consumers to contact you by phone, in person, via email, or through a web form. Create a guide in both print and digital formats to explain the law, the consumer’s rights, and how to request removal.
Don’t forget customer-facing teams, either, including the customer-support and in-store personnel. Write and test scripts to handle questions, concerns, and complaints.
To provide transparency, use guides and scripts to explain procedures and how long it will take to remove the data. Run everything past the legal, compliance, sales, and IT reps on the privacy roundtable to make sure everything is accurate.
10. Stay tuned for changes, updates, and new legislation.
We’re keeping our eyes on CCPA and other laws, including amendments that could change the law’s definitions, requirements, and scope. See the next section on potential changes, and sign up for blog updates to get the latest news.
Also, contact us to see how we can help audit your data gathering and management practices to reduce exposure to violations. Our experts can create a Privacy Impact Assessment Report and assist in an overall gap analysis.