Will CCPA Have GDPR-Like Effects?

As the January 1, 2020, deadline to comply with the California Consumer Privacy Act (CCPA) looms, marketers remain confused and concerned, particularly as amendments continue to mount. This month, government officials voted on seven new amendments covering everything from information collected for loyalty programs to consumer request disclosure methods.

Uncertainties aside, many US privacy professionals are gearing up to comply. A March 2019 poll conducted by the International Association of Privacy Professionals (IAPP) and OneTrust found that 55% of US privacy professionals planned be CCPA-compliant prior to January 1, 2020. And a quarter planned to be ready for July 1, 2020, when the law becomes enforceable.

“Similar to what we saw with GDPR, there’s a wide range in readiness for CCPA,” said Lauren Fisher, principal analyst at eMarketer and the author of our latest report, “Digital Marketing in Today’s Privacy-Conscious World: What Companies Need to Know About GDPR, CCPA and Other Industry Changes in the Next 12 Months.”

CCPA requires that companies with annual gross revenues totaling $25 million or more, those that buy or sell customer data on more than 50,000 individuals and those that make more than half of their annual revenues from selling customer data must comply with the following:

  • California residents are allowed to ask companies about the type of information they collect on them.
  • The data collected on these individuals must be made available via mail or email should they request it.
  • Companies need to provide explicit information on how and to whom personal information is sold and shared, and for what reasons.
  • Companies must honor individuals’ requests to opt out of data collection and sale.
  • Companies must honor any individual’s request to have their personal information deleted. There can be instances where a company doesn’t need to comply—if that information is necessary for security reasons, for example.
  • Individuals must be able to continue receiving goods and services from a company even if they opt out of sharing personal information. But, companies are allowed to incentivize consumers to share that information, such as charging individuals different levels of quality of service for opting out.

CCPA and the General Data Protection Regulation (GDPR) help customers better understand and access the personal information companies have on them, but the biggest difference between the regulations is that CCPA requires opt-out consent, as opposed to GDPR’s opt-in consent. Unsurprisingly, GDPR caused a reduction in marketing database contacts when it went into effect.

“Because CCPA is opt-out vs. opt-in, we’re not anticipating marketers’ databases will take as big of a hit,” Fisher said. “But so much of that is contingent on marketers and the customer experience they craft—and the expectations they set. Marketers failing to uphold practices that make consumers feel comfortable with sharing data are likely to feel the effects.”

How Has GDPR Affected Consumers and Marketers, One Year Later?

There may have been an assumption that consumer experiences would improve with the rollout of GDPR, given that those who remained were both interested and willing to share that information for more relevant communications, but this did not fully materialize.

Some marketers may have reported increased trust among customers, but others said that the regulations created greater irritation. According to a Q3 2018 CMO Council survey in partnership with SAP, 65% of senior marketing executives worldwide polled said GDPR created greater awareness of data and security issues among their customers, and 43% of respondents said it increased trust. But 24% said it caused increased irritation by requiring customers to take extra steps to opt-in.

Despite the seemingly limited benefit to consumers, digital marketers post-GDPR have made improvements to their data infrastructure, placing greater emphasis on ensuring their data is GDPR-compliant and changing the way companies collect data. As Fisher puts it in her report, “Mandates that businesses prove data is collected only for ‘legitimate business interest’ and is encrypted and protected have some companies thinking twice about how much data they really need.”

Not sure if your company subscribes? You can find out here.

"Behind the Numbers" Podcast