A little over a year has passed since the General Data Protection Regulation (GDPR) took effect, but marketers are not out the woods yet. On the contrary, the wave of privacy regulations seems to have just begun, and the latest legislation, the California Consumer Privacy Act (CCPA), is scheduled to take effect in six months’ time.
The new regulation, which is similar to GDPR in its intent but differs on the details, is designed to protect the privacy and data of California citizens. Under it, consumers in California have the right to:
- Know what information companies are collecting on them;
- Say “no” to data collection and the selling of their data;
- Ask companies to delete their data; and
- Sue any companies that violate these rights.
Rather than wait until the law takes effect on January 1, 2020, some B2B companies — including Bottomline Technologies, Iron Mountain and DemandWorks Media — are taking proactive steps to ensure internal compliance and confirm that their partners and vendors are CCPA compliant as well. By getting ahead of CCPA and making privacy a business priority, the companies aim to improve customer relationships and build trust.
“The CCPA follows the trends we’ve seen in other areas of the world, driving protections for the consumers by providing greater transparency, accountability and data protections,” said Gwendolyn Lefevre, VP of Marketing Operations at Bottomline Technologies, in an interview with Demand Gen Report. “While it can feel a bit daunting coming into compliance with these regulations, it’s a great opportunity to review your current marketing practices and explore new strategies.”
Mapping Out Data Processes & Making Sure Partners, Vendors Are Compliant
Data privacy is a growing concern in the B2B world. Industry research shows that 89% of marketers say there is a rising need for tools and technology to manage data privacy and 71% plan to spend more than $100,000 on CCPA-related privacy compliance.
“We take privacy seriously because it is the right thing to do, gives our clients confidence and is the law,” said Gareth Brown, Owner and Co-Founder of the demand generation company DemandWorks Media, in an interview with Demand Gen Report. “So, like other businesses, we will be spending the time and money to make sure that we are compliant and continue to be so.”
According to Brown, the first step to CCPA compliance is creating a data map and understanding how customer data flows into, through and out of your company and tech stack. Leslie Alore, Director of Regional Marketing at the data and records management company Iron Mountain, agrees.
“Organizations should be going through an exercise of mapping out every single vendor that they work with, going through every single piece of technology that they have and documenting all of the personal data that is collected and what it is used for, because that information will need to be provided and tracked,” said Alore in an interview with Demand Gen Report. “It will also give you a roadmap to identify where you might have gaps for risk and creates the master vendor list that you need to make sure is compliant.”
Practitioners and experts alike note that it is not just important for marketers to ensure their own companies are compliant with the new privacy regulations, but they also have to make sure their vendors and partners are compliant. If not, the company may be liable and subject to fines up to $7,500 per intentional violation and $2,500 per unintentional violation.
“CCPA is beginning to force marketers to really question the ethics and the processes of lead gen and demand gen, as well as the agencies, publishers and partners that they're working with,” said Liz Miller, Senior Vice President of Marketing at the CMO Council, in an interview with Demand Gen Report. “It’s not just ‘do we have a compliance checklist?’ We really have to start asking much harder questions, like ‘what are our partners doing? What are our third parties doing? What are our agencies doing?’”
Bottomline Technologies, a business payment automation provider, has been working with its Chief Security Officer’s department to meet CCPA compliance requirements. This includes updating its privacy policies and auditing its entire marketing database to remove any data that does not comply or is no longer necessary. In addition, the company is reviewing all of its service and third-party contracts to check whether its vendors are compliant, or if the company should cease activities with them.
Iron Mountain also has a rigorous vetting process for its vendors, which includes security reviews, compliance reviews and an internal questionnaire for its team. As a result of this process, Alore says the company has had to end some relationships with partners and vendors who were uncompliant.
“We don't just do this for new vendors and partners. We are also going back and re-vetting the current vendors and partners that we utilize if they handle any type of data for people in California,” said Alore. “I won't lie to you, it's time consuming and resource consumptive. We went through the same process for GDPR, but we view it as critical to hold our vendors and our partners equally accountable.”
GDPR Compliance Sets Stage For CCPA Readiness
According to research from OneTrust and the International Association of Privacy Professionals (IAPP), only 26% of businesses say they are highly prepared for CCPA. Respondents noted lack of time and bandwidth as their two biggest challenges to preparing for the new privacy regulation. However, the research also shows that companies who are highly compliant with GDPR are better positioned for compliance with CCPA and are 51% more likely to be compliant with CCPA by the January 1, 2020 deadline.
“What we're seeing is that companies are still quite unprepared in general terms for CCPA,” said Linda Thielová, Data Privacy Counsel at OneTrust, in an interview with Demand Gen Report. “[However,] we are definitely seeing companies that have already prepared for GDPR in a meaningful way, or have made some other privacy laws their standard, are able to set themselves up much better in terms of preparation for CCPA. This shows that when you have already done your homework under some other privacy law, you are much better positioned to comply with CCPA.”
Nevertheless, experts caution marketers not to think that just because they are GDPR compliant, there is little work to be done to prepare for CCPA. There are major differences to note between the two regulations in terms of scope, data rights and penalties. For example, while GDPR applies to any organization offering goods/services to or collecting data on EU subjects, CCPA only applies to for-profit companies that meet certain qualifications and collect data on California residents. CCPA also goes a step further to protect the rights of consumers from having their data sold.
“Another important thing to mention is that those rights for the consumers actually stretch back 12 months under CCPA,” said Thielová. “The data that is being processed about consumers right now would be involved in the personal information access requests that companies will be receiving after January. So right now, companies should be working towards documenting how they’re processing personal information, how they’re transferring it in their tech stack and so forth.”
The deadline for CCPA is quickly approaching. B2B brands who recognize the severity of the regulation and see it as an opportunity to revamp their data and privacy processes to build trust with consumers will be ahead of their competition and better positioned for long-term customer success.
“Customer data is not just zeros and ones. It's the digital manifestation of your customer,” said Miller. “It’s shocking how many organizations actually don't think of customer data that way. They think of it as spreadsheets and personas. They don't think about it as Liz the customer. They think about it as line 364 in Excel spreadsheet number seven … [But] you have to understand that your data is your customer and respect the data as much as you would respect the customer.”