For more insights, download the full Marketer's Guide to CCPA.

Ever since the implementation of GDPR, and the Facebook and Cambridge Analytica data debacle last year, data privacy has been a huge issue in the customer loyalty industry. The good thing about loyalty programs is that they enable brands to collect customer data and use it because the customers opt into them. They agree to hand out personal information in exchange for benefits.
However, just because loyalty programs give brands a way to use data legally doesn’t mean that the process isn’t complex, multi-faceted. Brands still have to make sure they use data in legal ways, and they also need to make sure that their partnerships with other companies don’t infringe on customers’ data rights. To gather some insight into this issue and to discuss the California Consumer Privacy Act specifically, we recently spoke with Michael McSunas, General Counsel for tech provider PrizeLogic.
What made you and your team take a closer look at CCPA and inspire you to share information?
We knew that the CCPA would have a major effect on how brands engage with their consumers and how they can collect and use the personal information they collect on such consumers. The CCPA is all-encompassing, and it was important for us to get ahead of the curve on its implications. Since it was hastily passed in June 2018, the CCPA has been amended numerous times and will likely be amended many more times before it becomes effective on January 1, 2020. We have a conscious effort to stay on top of the numerous amendments and how they could affect our industry. Our company has an internal workgroup from various disciplines which meets regularly to discuss CCPA issues and how to best prepare ourselves and our clients for the new law.
We knew we needed to be experts on the CCPA, along with the GDPR and similar privacy legislation throughout the world, in order to competently serve our clients. They look to us to lead on these issues, and we happily do. In talking with our clients, many of them expressed angst over the seemingly overwhelming reach of the CCPA. Trying to read and understand the CCPA can seem like a Sisyphean task, even for a lawyer. Most resources regarding the CCPA seem to be written in “legalese,” which left many of our clients confused and not learning exactly what they needed to do to comply with the CCPA. Our idea was to boil down the CCPA to the basics and make the information easily digestible. The idea was not to create an all-encompassing presentation that covered each piece of minutiae of the CCPA, but to give marketers a general knowledge of the CCPA and what they should be prepared for. That’s the idea behind “CCPA for Marketers.”
When you were researching this piece, what stood out to you the most about the new laws?
What stood out most was how much legwork it will take both brands and agencies to become compliant with the CCPA. From adding required links and notices to your website to figuring out all the exact places you are keeping the data you have collected from your consumers, it is going to be time-consuming and costly to comply. The sooner you begin preparing for the law, the better. For instance, do you need to map out where your data goes and where it currently is? Depending on the size of your company, you may or may not have to do this. The other thing about the CCPA that stands is that it is ever-changing, constantly being amended. The law that was passed in 2018 will not be the law that will come into effect on January 1, 2020. The law was passed so quickly that there are contradictory provisions and typos. Legislators realized the law would need major amendments to make it workable.
Another thing that stands out with the CCPA is that we are entering into an era where consumers will have more control over their personal information and how brands can use such data. It is all about notice and consent now, clear and concise notice and consent. Governments understandably want consumers to be in charge of their own data and be given the option to be forgotten and to know exactly what data brands are collecting about them. We are switching to a world where such notice and consent are now mandatory, instead of being voluntary and part of “best practices.”
What do you think will have the most impact on brands? 
I think the most difficult aspect for brands will be compliance with rights requests. Under the CCPA, a consumer can request that his or her personal information be deleted, or the consumer can request that the brand give the consumer all the personal information the brand has on the consumer in a readily useable format that is portable. The brand has 45 days to comply with such requests. With many different advertising agencies and different departments within the brand handling and storing personal information, it can be a daunting task to locate all this data. Will brands need to create new searchable storage systems for the data they collect, or will they rely on manual searches by them and each of their agencies? What liability or obligation does a brand’s advertising agency have for assisting and complying with rights to delete and with portability requests? Does the agency have an obligation to forward such consumer request to the brands? To that end, brands would be wise to amend their agreements with their agencies to ensure agencies will assist in these requests.
We have taken a proactive approach and have included language obligating us as an agency to assist our clients with these requests in a timely fashion. We have also added language to our agreements stating exactly how and what we do with consumer data that we receive on behalf of their consumers. But perhaps the most effective and helpful thing we have done to help our clients comply with the CCPA is create a searchable portal in which we store all such consumer data. Instead of having to do manual searches through all possible locations for the requesting consumer’s data, we or the brand can instantaneously search and access this data in order to easily comply with the 45-day requirement. In other words, we created a one-stop CCPA compliance platform. I anticipate other agencies and brands themselves will take similar approaches.
It’s our understanding that there are more than eight states considering similar laws. What’s your underlining advice for marketers when trying to keep up with this changing landscape?
In the legal world we often say, “As California goes, so does the rest of the nation.” So, there is no doubt that other states will follow California’s lead and pass similar (if not identical) privacy laws, as many states did when California created fuel economy standards for vehicles.  Most likely, California will set the standard, so you will be in good shape if you comply with the CCPA. You definitely need to pay attention and figure out what is different about each state law. However, I keep telling my team not to panic about all these consumer privacy laws that at first blush seem to restrict what we and our clients can do. We can still do everything we currently do. We just have more hoops we have to jump through to get there. Lastly, it needs to be a team approach to understand and comply with these laws. Make sure all stakeholders are at the table before you make any decisions. Don’t panic—just be prepared.

Recent Content