Getting ahead of privacy legislation is crucial for data-driven companies

December 19, 2019

The alphabet soup that began with GDPR is about to get thicker with CCPA in California (Jan 1 2020), LGPD in Brazil (early 2020) and forthcoming legislation in India and across APAC.

“Analyzing and implementing the California Consumer Protection Act (CCPA) in 2020 will be a major challenge for companies across virtually every industry sector,” according to Kirk J. Nahra, writing in Bloomberg Law. “We can anticipate an impact that mirrors the European Union’s General Data Protection Regulation (GDPR) process in the spring of 2018, with less clarity, a shorter time frame to work with, and an even more confusing set of obligations.” In the U.S., Nahra envisions additional privacy regulation likely to follow from other states’ Attorneys General and possibly at the national level.

But despite knowing for some time that CCPA was coming, a majority of U.S. companies view themselves as unprepared. According to a report from privacy tech company Ethyca, “88% of companies feel they have not reached an adequate state of compliance ahead of the implementation of CCPA.”

This is a microcosm of what’s happening globally as more laws come into effect. Companies are struggling to comply in their own regions and are even less prepared to evolve a global game plan. Yet data-driven companies must address this rapidly, both for reasons of compliance and to please consumers who increasingly want to know what’s being done with their information.

John Mitchison, director of Policy and Compliance at the Data & Marketing Association UK, says “prior to GDPR, serving ads to people used to be impersonal,” but now the relationship with consumers is far different and they view sharing their data as part of an exchange. He says “when asked in a survey how happy they were with the amount of personal information they gave to organisations, sixty-one percent initially claimed to be happy with it and sixty-nine percent said sharing data is part of the modern society. But at the same time eighty-six percent said they would like more control over the data they give, and eighty-eight percent wanted more transparency about how their data is collected and used.” When asked who benefited the most from the data exchange, seventy-eight percent said the business, with only eight percent feeling consumers got more.

Companies have many decisions to make. First, they need to understand what laws apply in their home country and what they need to do to comply. Second, they need to understand how outside laws may impact them. Third, they need to decide how they will handle the data they collect and have.

Key areas of concern are:

· Access – who in marketing and in other areas will have access to specific customer data,

· Storage – how long will the company keep Personally Identifiable Information (PII), and

· Transparency – how will the company ensure customers are kept informed of how their PII data is used.

Christoph Bauer, of ePrivacy GmbH in Hamburg, says his consultancy sees a wide range of response from companies. “Some pride themselves on being very consumer friendly and want policy and their relationship with customers to reflect that. In marketing that becomes a selling point. Other companies want to know what they must do to comply but still are most concerned about maximizing use of the data they have.”

The World Federation of Advertisers identifies eight key areas of GDPR of relevance to marketing: extra territorial scope, basis for processing, children’s data, data breach notification, right to erasure, sanctions, data protection officer, and impact assessments.

According to Bauer, when companies were asked how they are doing with compliance, most estimated that they were at about the 30% level with some saying they were at 80% or more, but “the tendency has been to wait until more decisions are made” on ePrivacy and on GDPR enforcement. Bauer and Mitchison agree that companies need advice from their own legal team on all of their legal options and finally on compliance – and, going forward, will need advice on other countries’ legislation from local market experts there.

The International Association of Privacy Professionals (IAPP) is a key source for understanding what is happening globally and runs conferences, a list-serve and peer-to-peer networking events. They also publish extensive content for their members, who come from across the corporate landscape, including from marketing, product design, engineering, sales and, of course, legal.

According to Caitlin Fennessy, IAPP’s Research Director, “direct marketing folks are among the top people who should be looking at this today. Marketers should be proactive in making sure there is two-way conversation between themselves and privacy experts at their company to ensure: 1) that they have a full picture of the data marketing is working with; 2) that they have a clear understanding of what is and is not personal data; 3) that it is determined what special protections should be put in place with regard to personal data; and 4) that there is a clear picture within the corporation of who needs to be informed with regard to how this information is handled and that a regular schedule is set up to check in.”

“You need to be clear who is touching that data inside and outside the company,” says Fennessy. She stresses that this is not a one-time process and that it requires diligence and persistence to ensure that you’re staying on the right side of privacy law.

With CCPA, there’s a lot of focus on the advertising industry and how data is being used by your company’s vendors. If customer data you collect is shared with a vendor or other company and there’s a chance data may be used for commercial purposes, the customer needs to be able to opt out with a “do not sell” button or something similar. “This gets complicated in the ad space,” Fennessy says, “where you drop a cookie that can be used by others.” She emphasizes the importance of enabling consumers to have access to their data, giving them the chance to opt out, and making certain all is clearly outlined in your privacy policies.

Here’s an IAPP infographic on CCPA compliance:


We’re in the early stages of understanding how this will work, but those who are focused on this area believe that it is an issue for companies and marketers to address proactively, particularly with CCPA and other new legislation. Fennessy also explained that CCPA 2.0, which is much closer to GDPR, is anticipated in the future as well.

Mitchison sums up, saying, “I believe the data marketing industry is at a crossroads. We can be an industry that puts short-term profit above long-term loyalty, an industry that uses data, technology and creative to trick customers into a quick sale. Or we can be an industry that chooses to create truly engaging customer experiences…an industry that builds trust.”