3 Tips to Navigate the Risk of CCPA Data Non-Compliance

essidsolutions

The new California Consumer Privacy Act (CCPA) is set to go live in June this year. Already, clothing retailer Hanna Andersson is subject to a data privacy lawsuit under the rule. Brands should watch this lawsuit carefully as they think about their ongoing approach to data management and privacy. By building data best practices directly into their business, rather than patching on workarounds, brands will be in the best position to navigate the ongoing rollout of new privacy rules across states and countries, explains Charles Mi, CTO, ADARA.

The California Consumer Privacy Act (CCPA) is not supposed to be enforceable until June, yet Hanna Andersson and the company’s technology partner, Salesforce, are already the subject of an early lawsuit as a result of a data breach. The prosecution argues that the two companies let the data breach go on for nearly three months, and more worryingly, that they failed to effectively manage and communicate the situation, with different stories after the fact being told to consumers and state authorities.

Large companies from Google to British Airways have run into similar situations in Europe under the GDPR, where the policy is already enforceable. California allows for damages up to $750 per resident per incident, which can mean settlements of millions of dollars for brands caught compromising data. Data compliance is not a nice-to-have; it’s a need-to-have. And as Hanna Andersson shows us, a good communication plan surrounding data compliance is essential to maintaining consumer, regulator, and partner trust.

Global Compliance Is the Way to Go

The high-profile lawsuits and fines are starting to have an impact on the way companies do business online. Penalties for CCPA non-compliance apply to companies that have annual revenue above $25 million, or that buy, receive, or sell the personal information of 50,000 or more consumers. They also apply to businesses that earn 50% or more of their annual revenue from selling consumers’ personal information. This means that nearly every major brand and their technology partners are liable, even if they are not located in the state of California.

In a recent survey from PWC, 52% of tech, media, and telecom companies rank data privacy as a top issue in 2020. PWC offers a “Risk Atlas,” which tracks all of the varied privacy regulations around the globe and helps companies stay ahead of changing and emerging requirements. They note that companies that talk about data privacy upfront for any new initiative tend to be significantly more profitable than companies that neglect privacy compliance early on.

Build In Best Practices, Not Workarounds

By having privacy professionals in the room early, brands make sure they ask the hard questions first, so they can build compliance right in. Patrick Hounsell, Google’s head of consumer insights, data, & measurement, notes that their company is turning away from workarounds like fingerprinting, and instead recommends that company partners collect data directly through transparent practices. They also recommend working only with partners (agencies, data companies, publishers, and vendors) that follow similar transparent best practices.

One of the biggest issues with Hanna Andersson was their poor response to the issue. Proactive monitoring and proactive communication can help brands as they face regulators in different regions. Working with partners who have demonstrated best practices in their region and globally is a good start, but it’s also important to work with those partners to create an action plan and a communication plan in case a data issue does occur.

Savvy brands are also focusing on finding higher-quality partners, and are asking upfront for very transparent information, such as the origin of data that they will be sharing. If a company is truly following best practices, then they should be more than happy to provide detailed information about how they collect, store, and manage all of their data at a granular level.

Data segments are a good example. In the past, many data companies have named data segments based on an internal naming structure and included data from a broad variety of third-party partners that may or may not be privacy compliant. A brand could expect a high-level description of the segment as well as a “sample list” of the companies that originated the data. Today, sample lists are not nearly enough. Brands should not only expect a full list of data origination, but also written assurance that every data partner follows data privacy best practices.

New Best Practices Require Innovation

As companies become more accustomed to increased regulation, it’s likely that new systems will come into place that help ensure compliance. New state-level laws will add complexity, and data privacy compliance does not have an expiration date. Not only does data need to be obtained and used correctly, but brands must also track how long data can be processed and how to manage opt-out and deletion requests, and must have a policy for how the delivery of the intelligence from data can be audited.

Data rights management, which can steal a page from the more mature digital rights management sector, is a growing industry, and new tools will emerge for brands to stay ahead of shifting regulation. Innovations like Security.ai’s new privacy platform automate privacy compliance with patent-pending “People Data Graphs” and robotic automation. Companies like LiveRamp can help brands centralize data flow for both more manageable compliance and confidentiality at scale. And, if companies collaborate on standard tagging, it can help with compliant and consistent data sharing.

It’s likely that these types of tools will become more common and ultimately become another layer in the martech stack. These innovations can help brands vet data quality from partners and make sure that they keep up with evolving regulation. The important takeaway is that data is a necessary part of doing business, but there is a liability associated with it that requires a new level of scrutiny, investment, and diligence. This liability should be assessed professionally by executives and the legal and financial teams, both for an overall approach and for every new data use case or partnership. Examples include addressing the data liability between a brand and their agency, determining the need for data liability insurance in case of a breach, and calculating added costs for data audits and other quality assurance measures.