CCPA compliance: A 3-step plan

Countries around the world are responding to consumer concerns about privacy, stepping up requirements that companies take seriously the protection of personal information. Besides complying, your company can add business value by staying informed as the regulatory landscape evolves.

The privacy regulatory landscape: Impacts to digital marketing

Since Europe’s Global Data Protection Regulation (GDPR) went into effect in 2018, it has been seen as the global standard for privacy regulations. Following suit in the United States, the California Consumer Privacy Act (CCPA) has its own extensive requirements to provide individuals with rights in the processing of their personal information. In addition, close to half of the states have their own draft privacy regulations in the pipeline. And we can expect that eventually there will be a federal perspective, as well. It will take some doing to manage the assemblage of regulations.

For now it’s worthwhile to concentrate on the existing GDPR and the rapidly approaching CCPA (enacted on Jan. 1, enforced beginning July 1). A comparison of marketing requirements will help in understanding your obligations under each. One important difference is that under the GDPR, affirmative consent is required to continue to market to individuals. An individual can withdraw consent anytime and can object to the processing of information. Under the CCPA, consumers have the right only to opt out of personal information sales to other organizations.

[Figure: Understand the difference between GDPR and CCPA marketing requirements]

As you update your digital marketing program to stay current with compliance, incorporate a flexible framework to adapt to regulations as they materialize. The effort will result in more than compliance. A well-managed privacy program can be a business driver. It can establish and maintain customer trust, and enhance the overall customer experience.

Digital marketing: Balance regulatory requirements and business objectives

Capturing audience attention through complex digital marketing activities entails the processing of personal data. These activities must be closely monitored to ensure proper disclosure, transparency and consent.

Personal data is at the heart of digital marketing. A company might choose to work with a third-party marketer that handles a data sale. Under the CCPA, consumers have a right to opt out of the sale of their information. The company must take two actions — identify a sale and appropriately apply the marketing practices.

Defining and interpreting “sale”

The CCPA defines “sale” as any sharing of personal information with a third party for monetary or other valuable consideration. Companies are divided in interpretation. Some take the approach that sharing data with third parties for personalization or experience enhancement falls under business purposes and is not a sale. Others are more conservative, understanding a sale to be anything received as a benefit. Until a narrower definition is provided by regulators, best practices are to document how data is being shared and how sharing is determined to be or not to be a sale.

For high-target, high-yield results, audiences can be engaged while protecting privacy through approaches such as a gated offer — personalized promotion to a targeted segment — and user-centric practices across the board. A consent and preference management program provides a portal for consumers to opt out or discreetly manage the communications they receive, including agreeing to or withholding consent to receive texts, emails or other contacts. The choices promote consumer engagement, said Lindsay Hohler, Grant Thornton principal in Privacy and Data Protection: “The ability to say, ‘I prefer to receive emails daily, weekly, monthly; I don’t want to receive emails about this. I want to receive emails on that.’ When they’re receiving the communications they want, they’re more likely to click versus when they’re just receiving communications general to all consumers.”

Operationalize and centralize a consent and preference management program

There are high-stakes risks in not maintaining an effective consent and preference management program. Fines and penalties are a significant threat. Additionally and importantly, if consumers feel that their consent and preferences aren’t being honored, not only is their trust lost, but they could escalate grievances and increase the likelihood of regulatory scrutiny.

Satisfy both consumer rights and business goals by operationalizing and centralizing a consent and preference management program to align with CCPA requirements.

To do so, follow this three-step action plan:

  1. Conduct a data inventory
    Data inventory is the foundation of your privacy program. Conducting an inventory at a detailed level enables identification of the business processes that rely on consent, and granularity makes it possible to evaluate each new regulation against your current practices to address gaps. The inventory also informs consent and preference management activities and data sale determinations.
  2. Integrate a PIA
    Integrating a privacy impact assessment (PIA) helps identify risks associated with data collection and inventory. The PIA is usually performed when the design process begins — at the software or product development stage, prior to implementation, integration and vendor onboarding.

    The PIA can answer questions about the purpose of a new product, feature, activity or vendor; the scope of data collection; the use of data; and how the business or marketing department bottom line is being advanced.
  3. Simplify and centralize program management
    In some cases one emailing system is used for paid users, another for free users and another for leads, and all are pulling different parts of the same information. A centralized system provides a more secure marketing process. By dynamically updating records, depending on the request for an update, an opt-out or an opt-in, it goes further in ensuring compliance. And centralization allows users to opt out or opt in discretely.

Take the opportunity to make better informed business decisions

Think about how you can turn compliance into a competitive advantage by re-evaluating your marketing practices to look at data in a different way.

“Instead of quantity of leads, it’s about quality of leads,” said Grant Thornton Manager in Privacy and Data Protection Sonia Siddiqui. “Whereas prior digital marketing practices pursued data volume, companies have taken an opportunity to realign their digital marketing strategies as overall marketing strategies for better quality leads to convert into users or consumers. That’s something to think about — leveraging this opportunity as a time for overall change.”

The key takeaway is taking a consumer-centric approach, giving consumers control and building trust.

To learn more about CCPA compliance and business benefit and risk implications — including a recent court decision involving the use of Facebook — register to replay Privacy and digital marketing: Building a program to engage customers while respecting privacy.


Lindsay Hohler
Principal, Privacy and Data Protection
T +1 703 847 7529

Sonia Siddiqui
Manager, Privacy and Data Protection
T +1 703 562 5971