FullContact is a Colorado-based company, and the firm has gone so far as to extend CCPA protections to its business nationwide. This makes for an interesting case study of a digital and tech company that is working with the new standards and sees them as something positive for both businesses and consumers.
The California Consumer Privacy Act (CCPA), AB375, came into effect on 1st January 2020. The act includes the provision that any California resident will have the legal right to ask any major firm in the U.S. what is being done with their data.
To learn more about working with the CCPA, Digital Journal spoke with FullContact’s President, Chris Harrison.
Digital Journal: What are the main implications for the CCPA for businesses?
Chris Harrison: Businesses that were diligent in their compliance with GDPR would have been in good shape as they were preparing for CCPA. For example, GDPR had provisions that required businesses to disclose or remove the data they collect, much like CCPA. However, even though privacy legislation was foreshadowed across the pond in Europe, most companies still don’t appear to be as prepared as they should be and that can be costly due to fines of $2,500 per penalty enforced by the state AG.
Companies that do business in California, and meet the thresholds outlined in the legislation, must also identify if the consumers they interact with are California residents. There are still many companies that cannot resolve an interaction back to an individual and don’t know where those consumers reside.
Additionally, this legislation expands the notion of what data should remain private beyond what had been typically expected, including browser history, email addresses, or really any personal data a business collects.
DJ: How does the CCPA differ from EU GDPR?
Harrison: The biggest difference in the two laws is the fundamental disposition the law takes regarding opt-out and consent. CCPA is an opt-out law. GDPR codifies a right to prior consent.
CCPA also doesn’t address a legal barrier that businesses have to meet to be able to collect personal data, like GDPR does. Additionally, although California is the world’s fifth largest economy, the penalties do not appear to be as harsh as those that might materialize through enforcement of GDPR.
DJ: Are most businesses ready for the CCPA?
Harrison: According to recent studies, apparently not. Even though many EU companies have been dealing with GDPR compliance for nearly two years, and some have enacted Consent Management Platforms to help them, they still are not fully compliant. “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence” touches on the companies that did implement CMPs, and even those companies appear to not align to the letter of the law. That study covers the EU, but according to Adzerk only about 20% of the top US websites even deploy a CMP. Given the cost of preparation for legislation like CCPA, the speed with which it was ushered into law, and the lack of formal consent management implementation, it would seem reasonable to conclude that a lot of companies are still not ready.
DJ: What are the benefits of CCPA for businesses?
Harrison: Businesses that are taking the introduction of GDPR, CCPA and other potential forthcoming legislation seriously are planning for the long haul. They recognize that the dialogue in the press, with legislators, and federal overseers is going to continue. Changes, like the recent announcement from Google regarding the restriction of 3rd party cookies in a couple of years, are changing the fundamentals of how marketing and advertising is executed and measured. These are not short-term challenges. The privacy landscape will continue to shift over the next several years and it will get more complicated.
However, there are some basic patterns that continue to underlie many of the privacy frameworks. Adapting to these patterns could put some businesses in a position of strength. The patterns we consistently see across legislation, industry frameworks and the Democratic-led “Privacy and Data Protection Framework” include the following:
• Be transparent with what data you’ve collected, where it came from, and where it’s going.
• Only collect data you need and are authorized to collect.
• Ensure you are authorized to share the data you’re entrusted with.
• Keep the data you are stewarding secure.
• Enable an individual’s identity and personal data to be portable and within their control.
All of the above should be wrapped up into a privacy program that institutionalizes privacy within organizations.
Both the limitations with the use of 3rd party cookies and the existing and potential privacy legislation make the 1st party data that businesses collect even more important. Wrapped in the privacy program above, that data and the ability to resolve that data back to a person (instead of a household or device) gives a business power in the new world. This first party data will help them craft better experiences and further build trust by applying authorization across all channels in which the business interacts with their customers.
DJ: How about consumers, what do they benefit from?
Harrison: Today, a lot of people do not understand the unintended second and third order effects on their privacy through the sharing of their personal information. Likewise, marketers are trying to balance the privacy of their customers with their own commercial interests. We believe that a balance can be achieved, and considering consumers or businesses without evaluating the impact on each other is unlikely to produce a viable and scalable solution.
The NAI survey on this topic is enlightening, as they find that people are concerned about privacy (88%) and believe Congress should enact laws protecting their privacy (67%), but they are also aware (75%) that most of the digital content they consume is free due to the advertising model. If they had to pay for that same content, it would likely be beyond their economic reach. The reliance on advertising seems to be an accepted mechanism for the consumer to obtain what they are desiring and to fuel innovation in the same ecosystem to create apps and content.
So, it would seem throwing out advertising isn’t a realistic answer, but changing the fundamentals of how it is done by leveraging the emerging privacy principles common across proposed legislation and industry frameworks would be game-changing and in the best interests of consumers.
Regulation should be well written and thoughtful about downstream effects. GDPR had the effect of consolidating more power to large companies. We believe that identity and personal data should be something that a consumer has more direct control over and the relationships that businesses have with their customers shouldn’t be intermediated by other 3rd parties.
DJ: Why did you decide to extend CCPA protections to all of your businesses worldwide?
Harrison: We would like to see individuals, and the businesses they interact with, have more autonomy regarding first party data, and we’d like for the industry as a whole to be more transparent. We had extended our GDPR tools for privacy to everyone already. The slight modifications for CCPA were not unreasonable. We believe transparency is a key tenet in supporting privacy and we will continue to operate in that fashion.