The California Consumer Protection Act (CCPA) ushered in another set of compliance risk —and with it an opportunity for organizations to level up their marketing in a digitally-mature and customer-focused way.
Our recent CCPA webinar outlined some of the critical areas for marketing action, discussed some practical CCPA use cases, and provided clear next steps for marketers to take in this era of data privacy.
We received so many great questions from attendees during the Q&A session and had our experts weigh in below.
It’s always important to consult with your legal team when navigating the world of data privacy regulation, and there are also many ways to take immediate action that will move your organization toward privacy-aware marketing practices.
If you have a question that isn’t addressed below, get in touch: info@cardinalpath.com
Q. What is marketing’s role in responding to privacy requests?
Once an organization’s legal requirements are established, marketing must play a leadership role in responding to requests. Customer communications require the type of care and finesse delivered by marketing to guard against the real risks of brand erosion that can result from poor messaging and bad experiences.
Q. If you could suggest just one thing to do as a starting point, what would that be?
A critical first step is data mapping. Understanding what data is being captured and where it is being stored is the starting part of an organization’s ability to respond to data requests efficiently.
An added value is that the process allows organizations to discover what information is not being captured, leading to the development of data capture strategies to improve marketing sophistication.
Q. Does CCPA apply to tracking unauthenticated users?
It could. Even when unauthenticated, there are still methods that can be used to identify an individual. If, for example, an unauthenticated user can be identified through data mapping (e.g. Client ID), then the CCPA would apply.
Q. Do all websites need a pop-up window asking the user to agree to privacy terms?
It doesn’t necessarily need to be delivered in a pop-up window, but the CCPA requires businesses to disclose certain pieces of information in their privacy policy. This would include a description of a consumer’s rights, a list of personal information categories an organization has collected, etc.
Q. What about advertising to get new members (beyond first-party)?
Levering campaigns that have people sign up or create an account in a value exchange is an effective approach.
The key is having a symmetrical exchange: what information you ask for from the customer must be of similar value to what they receive from you. Offering that which is of value and interest to the customer contributes to brand trust.
Q. If sales leads are being added to a database, do they need to receive a CCPA privacy notice?
Sales leads added from a networking event, for example, would not need to receive a privacy notice. However, individuals have the right to follow-up to see if their information was stored, what information was stored about them, and to ask that your organization to delete it.
Q. Our website has Google Analytics on it and it helps with tracking our customers. Are we responsible for providing a customer with a summary of stats about them from GA as well?
If you are able to match website behavior to an actual person, you would have to provide them with website browsing behavior data because it is personally identifiable information.
If however, there is no way to identify an individual within Google Analytics, then you would not have to provide that data.
Q. Can brands advertise only with publishers that are CCPA compliant?
If the publisher is collecting data and selling it to the advertiser, then we would recommend the advertiser thoroughly audit how any personally identifiable information was captured.
If the advertiser is collecting personally identifiable information directly through a publisher’s website, they would need to provide this data to a user (or delete it) upon request.
Q. Regarding customer match with third-party platforms, how would we know which vendors follow best practices?
You can provide them with a self-assessment form to complete that will allow you to review a vendor’s data practices. You may want to amend language in any contracts or agreements with vendors that would help protect you in the event of a privacy incident.
As always, check with your legal counsel to determine the preferred methods to ensure your vendor organizations meet your privacy standards.