We all remember where we were when the towers fell, when Diana was in Paris, and also when GDPR was put in place. It was May 25th 2018. Businesses rushed into meetings all over the world to discuss the EU’s latest regulation as it was rolled out. Bloggers panicked. Suddenly every user was asked at the gate of any website if they can, in various methods of longwinded-ness, use your cookies and personal data that may or may not be personal. It seemed a bit daunting at the time. “We’ve to ask every single user permission? Every time?” And soon it became nothing. A slight nuisance to users. CCPA is about to be another one.
But the GDPR is an important regulation. One that was designed to protect users, should they want it. And in an argument about big companies “stealing” and using personal data in unethical ways, it’s a topic that comes up often.
As explained by the official GDPR legal text: “1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
“2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
“3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.”
So, with the news that the US Government is looking very closely at this text and are close to launching their own version, named the California Consumer Privacy Act (or CCPA), we’re asking, what will brands and businesses have to do to adhere, and how will it affect performance marketers.
What does the CCPA entail?
In order to get more information on the CCPA, we watched a live event hosted by Performance Marketing Association, featuring PMA Executive Director and Davis and Gilbert LLP partner and attorney, Gary Kibel discussing the changes.
Gary said: “GDPR is very different from the laws in the United States, in that GDPR is very much an opt-in approach. In GDPR World, if you’re processing the personal data of someone, you need to have a legal basis to do so.”
“Looking at the laws in the US, we’re mostly an opt-out world, which is very good but it’s a very different approach. So an important takeaway for anyone listening to this is: say you’ve complied with GDPR, you can’t just slap that over here in the US and say ‘Hey now I’m in compliance’ because it’s a very different approach with different requirements.”
So, what are these different requirements? Well, to sum up, we have a checklist of requirements for the CCPA.
- Inform users of how you use their personal data.
- Maintain a data inventory to track data processing history.
- Alert the user before or at the point of data collection, which would be those “Accept” and “Reject” buttons at the entrance of every website.
- Give users the right to access their data
- Explain how users can contact businesses to request to delete their personal data as part of the Right to Be Forgotten
- Outline the users’ rights under the CCPA
- Create a Do Not Sell My Personal Information page if you do sell personal information
Differences between the CCPA and the EU’s GDPR include the requirement to hire a Data Protection Officer to handle all of these regulations, creating a GDPR diary or Data Register, constant evaluation, for instance when using a new technology or tracking location or behaviour of new users, an instant report system in place for breaches, and avoiding pre-ticked boxes.
How will this affect performance marketers?
Gary said: “By the end of 2023 there will be five states, with comprehensive consumer privacy laws. … California has a law in effect and Virginia has a law in effect. Starting July 1, Colorado and Connecticut’s laws will take effect. And starting at the end of the year, Utah’s laws will take effect. So we have five different states, and the challenge is that those five laws don’t line up perfectly.”
So, what means is that performance marketers should start doing some research. At least the US isn’t going to deal with a sudden and impactful regulation that must be adhered to in one day, but there is time to get your ducks in a row as the different laws come into effect.
And you can bet this won’t be the last of them, either. As data becomes more valuable than gold and third party cookies get replaced, we see a lot of regulation changes in the future.
If you are interested in more affiliate and social media marketing insights, take a look at our blog for all the latest news and advice. Or for a more personalised approach, book a free call with a member of our team.
Or, for the very best advice from industry peers, register to gain access to our Amplify Action Day. Taking place in January 2023 doesn’t mean you’ve missed it. Amplify aims to bring you the latest affiliate, performance, and partner marketing insights from across the globe and it’s all available to stream from our website.