The new California Consumer Privacy Act (CCPA) drives trust...and new behaviors.

By Michael Settles, Strategic Account Manager, Concep

The sun may be shining in California but organisations that collect, store and manage your personal data have been busy. They have been putting the final touches to new privacy notices, implementing redesigned data strategies and kicking off processes in readiness for the California Consumer Privacy Act (CCPA), which came into effect on 1 January 2020. Or at least they should be. 

We live in a digital world that generates and monetises our data. According to The Economist, ‘the world’s most valuable resource is no longer oil, but data’ (May 2017). Data is in high demand. It can be bought, intentionally exchanged, or stolen. Newly empowered consumers have become increasingly aware of how their data is being used - and misused. News headlines have brought high-profile data breaches to the attention of the wider public, leaving individuals to question how safe their personal information is in the hands of the organisations they engage with.

The quest for good process and transparency

2018 brought about the first big shake-up to the way organisations capture and manage contacts’ personal data. At least on one side of the Atlantic. The EU’s GDPR came about as a response to the growing unease and mistrust around what big organisations did with customer data. GDPR spelt out the need for process and transparency. If data was breached, it had to be reported – and quickly. If an EU citizen wanted to know what data was being held and to have it removed, this was now their right. Marketing using personal data such as an email address without demonstrating legitimate interest could only happen legally if the individual had specifically opted in – and there needed to be a record to prove it.

The home of Big Tech responds

At the time, some US firms took the approach that as they did not do business with Europe, they would be exempt.  But consumer trust in a global world goes beyond geographic boundaries; something had to be done to reassure the consumer that their right to data privacy could be protected.

It took the trendsetting, home-of-Big-Tech state of California to become the first to enact a law to protect its 40 million residents in an all-encompassing data privacy act that will impact any organisation that collects personal data from anyone who is a California resident.

We outlined the four main components of the CCPA in a Concep article in 2018 (GDPR Goes West, Concep 2018). At a very high level the new law gives Californians protection over their right to know what data is being collected about them and who that data is shared with. They also have control of how it is used and have the right to request that the business delete the personal information collected.

Critically, the law also gives Californians the right to sue a company if their personal information is lost in a data breach caused by negligence, increasing the risk of class action lawsuits against companies that have been targeted by hackers. Lawmakers will follow with punitive fines when that happens.

Driven by trust

Data privacy regulation in the US doesn’t stop with the Golden State; since the act was passed, some ten states have drawn up legislation to protect their residents and grant them more power over how their data is used. Organisations that ignore contacts’ wishes are at risk of losing customer trust – and the business they bring – and of facing potential legal action, reputational damage and hefty fines. Trusted organisations, on the other hand, will enjoy a stronger financial performance, attract and retain talent and secure customer loyalty. So it makes good business sense to invest in trust and look at data privacy beyond a mere minimum-compliance approach.

Getting privacy right

Orson Lucas, Managing Director for Advisory Privacy and Co-Leader at KPMG, says:

“Privacy done right – putting the customer at the core of your privacy strategy – is a game changer. Regulations like the CCPA, GDPR and other similar global regulations provide incentive; but compliance should be a by-product, not the end goal of a well-designed privacy program.”

The KPMG advisory paper (Preparing for California’s Privacy Laws) suggests organisations should expect significant initial efforts and resource needs, followed by migration to a sustainable operational model, leveraging, as appropriate, automated tools.

For the vast majority of Concep clients, client data protection and privacy are a strategic imperative. The professional services industry relies on trusted relationships to do business. Even firms that were not required to comply with GDPR realised that taking a proactive approach to data protection and seeking a permission-led marketing approach was the right thing to do if they wanted to foster stronger client connections. For those that did need to comply, as many as 41% of marketers admitted they didn’t fully understand the law or best practice around the use of contacts’ personal data (Chartered Institute of Marketing).

3 ways Concep has responded:

  1. Keeping clients’ data safe. This is a primary focus at Concep and drives much of our activity and product innovation. For example, through our integration with Microsoft Azure Active Directory, you will have the ability to use Single Sign-On and Multi-Factor Authentication, providing an added layer of security.
  2. Educating and working with clients to adopt responsible data management. Our account architecture and set-up help users keep their Concep account safe from data breaches. For example, platform settings allow us to increase password security, including password reset frequency, preventing password re-use, and ensuring users set strong passwords by using character limits, capital letters, special characters, and other requirements as required.
  3. Developing intelligent technology solutions that include automated tools and carefully engineered processes and workflows, specifically to meet the demands of today’s professional services firms. One of those solutions is designed to ensure email consent compliance is ongoing, thus protecting marketing lists and relationships.

A consent compliance solution

The biggest challenge professional services marketers face following the implementation of GDPR is that consent is not static. Firms had sent out opt-in email campaigns to gain consent before regulation came into effect. From then on, any new contact data would sit with the relationship holder and, without a mechanism with which to record proof of consent, would be left off marketing lists for fear of non-compliance. Marketing has no ongoing system or process for tracking who they can contact or who has opted out. Those who do are often working manually with slow, error-prone processes. The result is that marketing audiences, and consequently revenue-generating opportunities, are stagnating.

Working closely with clients, Concep developed an automated consent compliance solution. Any new client entered into the CRM is automatically emailed a consent form. Responses are logged back to the CRM; the record and any communication preferences are logged and date-stamped. This provides demonstrable evidence of continuous compliance with data protection regulation. More importantly, contacts are in control of their data and the content they receive, helping firms foster stronger, more engaged and trusted relationships. For marketing, it provides clarity and an ability to build and maximise full marketing reach.

As day-to-day activities become ever more digitalised, the global movement to protect individual data privacy will mean that regulation like CCPA will continue to evolve and impact business. By understanding how professional services firms work and committing to invest in solutions, not just workarounds, Concep is in its strongest position ever to be an integrated marketing technology partner to the legal, financial and professional services sector.

To find out more about how Concep helps protect your clients' data and solves the challenges created by consent-driven marketing, talk to us.