Part 2: What Demand Generation Experts Are Doing for CCPA Compliance
With Ray Estevez, Chief Data Officer, True Influence.
(Enjoy Part 2 of this short but informative series on CCPA and B2B marketing. Catch Part 1 as well if you missed it.)
Add Full Data Use Disclosure to All Consent Transactions with consumers and B2B buyers
Now we get to the heart of what should matter to demand generation experts.
At any point where your business engages with a consumer or B2B buyer and gathers data, you must clearly express exactly what type of data you are going to gather and how you plan to use it. (I’ll get to some details on privacy policies and the like in the next section.) And you need to methodically document each of these consent transactions, in case of a data request or challenge from said consumer or B2B buyer.
This not only applies to email registration and content download forms – it applies to any touchpoint you have with consumers or B2B buyers. If you, as a demand generation expert, have a telemarketing team, each contact needs to have privacy and consent statements built into the call notes. And you likely need to record these calls, to have them on record in case of complaint.
Again, this is a best practice you should already be following, or at least have in your strategic plan, regardless of immediate CCPA implications.
Updates to privacy policies and disclaimers that every demand generation expert should be making
The CCPA guarantees consumers (including B2B buyers) the right:
Responding to requests for data, erasure, and objection to sale from consumers and B2B buyers
CCPA also grants to consumers and B2B buyers the right to know the specifics of data collected about them, including how you plan to use it and whom you share it with, and prohibits businesses from discriminating against consumers who ask for this information.
And, as I’m sure you’ve heard, it requires businesses to expeditiously respond to requests to erase a consumer or B2B buyer’s data, or not sell or share it with other parties. There’s a lot of discussion about the specific tactics involved here, but in the context of best practices, this is how you should consider responding to these requirements.
Requests for Data
The report provided to consumers and B2B buyers who request information about the data you collect or sell must cover the 12 months prior to the request. Requests are subject to a “verification” process, and should be met within 45 days of receiving the request, pending some open-ended concessions in the CCPA for “complexity.” The report must be free for consumers, and (again) a business cannot discriminate against a consumer for requesting such a report.
The CCPA gives businesses 45 days to respond to a “verified” request to erase all data. But the law does include some vaguely worded exceptions that say businesses aren’t required to erase data if it is being used specifically for the purpose for which it was provided – a primary example of a possible exception is customer loyalty programs. This helpful post includes other possible exceptions, including data retained for the purpose of tracking wrongdoing by a consumer. Generally speaking, these do not extend to marketing or ad targeting, which is of course the main use of consumer data.
In short, demand generation experts need to have a clearly defined process in place to aggressively verify erasure requests (including database checks for the most obvious exceptions), and once the request is verified, execute the erasure quickly. If you can process Big Data in near-real time, you can remove a user ID and associated data in under 30 days.
Objection to Sale
At any time, a consumer or B2B buyer can request that you not sell or share their data with other parties. The trade press has labeled this as a “no sell” button, and you absolutely need to have such functionality on your site’s account management center, as well as all your customer service contact points.
A point I want to make here is that B2B sellers, in particular, should make every effort to clearly distinguish their “no sell” opt-out from the data erasure request. B2B buyers tend to be purpose-driven, and may well want to maintain contact with your business, even if they have concerns about data sharing. It is well worth the effort to try to maintain relationships with such B2B “consumers.”
De-identified and aggregate consumer data
The CCPA goes into some fine detail as to its definitions of de-identified and aggregate personal data. Most notably, it requires that data collectors not only take no steps to re-identify data, but also put in place business practices to make sure that de-identified data can’t be re-mapped to a specific individual. It also clearly defines aggregate data as having no linkages to specific individuals, including by device.
Under these definitions, many observers suggest that anonymizing data after the specific transaction it is collected for, in addition to simply not selling data, is a way to avoid the scope of CCPA.
In all, I’d say that for most demand generation experts, established best practices for handling personal data (including anonymization) will put you in a strong position for CCPA compliance. Encrypt PII and anonymize it as soon as you no longer need it for its expressed purpose. Leaving this data lying around only creates risk and encumbrance under CCPA – or any privacy regulation, for that matter.
I’d add that there’s also been a lot of media coverage about the need for data maps to clearly lay out exactly how data flows and is used within your organization. For a small company that’s concerned only with contact data in their CRMs, this may be worthwhile. But for larger organizations, I believe this can be a recipe for over-engineering and unneeded overhead. Modern enterprises collect so much data and use it in so many ways that a formal data map will be out-of-date almost as soon as it is finalized.
CCPA requires only that you document categories of data collection and use, and doing that should put you in a strong compliance position.
Demand generation experts should verify that partners are CCPA compliant
One of the more daunting aspects of CCPA and similar regulations is the requirement that you and other demand generation experts not only keep your own house in order, but also verify that data partners are compliant, as well.
This begins with asking your partners the same privacy compliance questions you are asking yourself. Where do you get your data? How do you collect it, both explicitly and implicitly through cookies and devices? And are you informing consumers about how you plan to use the data you collect about them?
Depending on how deeply engaged you are with a partner, you’ll likely want them to sign a privacy addendum to confirm their compliance with CCPA and other best practices. This is the approach we’ve adopted at True Influence. It gives demand generation experts concrete proof that they have engaged in the needed diligence, and it typically involves sign-off by a CEO or Chief Privacy Officer (CPO).
I’ll add that I’d be cautious of the “CCPA Certification” labels that are certain to start popping up in the market shortly. In real terms, there’s no such thing – it’s a new law that will be fully fleshed out in practice over the next year or two. The State of California is the only entity that could actually certify a potential partner’s compliance, and it’s not offering certificates. Again, best to handle the diligence yourself.
How much is this going to cost?
As I said at the start of this post, CCPA and other privacy regulations are now a reality of life as a B2B marketer and demand generation expert, and wrangling this complexity comes with a cost. Some surveys show that most marketers plan to spend more than $100,000 on CCPA-related privacy compliance and technology.
For any company that is not already taking data privacy seriously, that number seems low to me. A highly qualified CPO may well run $200,000 or more, and that individual will need support technology and staff. Most survey respondents who say they aren’t ready for CCPA cite the time and resources to reply to consumers as their primary challenge.
I’m sure privacy-as-a-service will emerge as a tech category, but this option will also be costly and still require buy-in and resources at the executive level. Securing consumers’ and B2B buyers’ privacy is now simply a cost of doing business as a B2B seller and demand generation expert. It won’t be cheap, but it is better than the alternative.
You don’t want to be the one in the news.
CCPA Compliance Is Just the Start
The CCPA consumer privacy regulations are soon to go into effect in California, and are certain to be just the first of many such laws to come, both in the U.S. and internationally. Understanding and embracing the principles and privacy best practices reflected in CCPA is the best way to build a strong compliance strategy going forward.