Known as the Consumer Data Protection Act (CDPA), the bill is centered around consumers being able to opt in to data collection instead of opt out. The CCPA provides “a right to know and a right to be deleted,” according to Cillian Kieran, CEO and founder of privacy compliance startup Ethyca. But the CDPA is more far-reaching in that is provides “right of access, correction, deletion and portability.” The rights it gives to consumers are more similar to GDPR than CCPA.

When looking at the companies for which the act is applicable, the CDPA is looser than the CCPA, however. The Virginia bill does not set specific financial thresholds. Instead, it applies to businesses that possess data of at least 100,000 consumers or those that maintain more than 50 percent of their gross revenue from data sales of at least 25,000 consumers.

For more details on the CDPA in terms of defining the concept of “consumer” and how it will be enforced if signed into law, read more in AdExchanger.

The post Virginia Introduces New Privacy Legislation With Consumer Data Protection Act appeared first on Chief Marketer.

The amendment makes the privacy laws outlined within the CCPA more likely to be enforced. For one, it calls for the creation of a California Privacy Protection Agency that’s dedicated to defending consumer rights. Instead of enforcement falling under the purview of California’s attorney general’s office, the agency will take on the role and receive a $10 million annual budget.

The CPRA also expands the definition of Californians’ “sensitive personal information” that must be protected to include race, ethnicity and precise geolocation, and it enhances children’s privacy by tripling fines for violation. The amendment also places limits on data retention, requires annual audits and changes the “do not sell” personal information remit to “do not sell or share.”

The outcome for marketers? Given the additional details included in the amendment and the formation of an agency, companies that have been slow to adjust to the new rules should no longer avoid compliance. However, the new rules do not require those businesses that have begun making the necessary changes to dramatically change course or start over from scratch.

For more on the implications of the CCPA, read on in AdExchanger.

The post What the Consumer Privacy Rights Act Means for Marketers appeared first on Chief Marketer.

The new regulations eliminate the voluntary opt-out button design that version two had introduced, according to an analysis by AdExchanger. The button was a suggestion that addressed the need for marketers to communicate to consumers that they have the right to opt out of the sale of their personal information. No new solution was presented in the update, however.

The regulations also emphasized that businesses collecting personal information online must honor global privacy controls. And in terms of IP addresses, the AG issued a reversal of what it previously stated. Draft two said that visitors’ IP addresses are only considered “personal information” when directly links to a particular consumer or household. But in the third draft, that language has been removed. Read on for what’s likely to happen next in AdExchanger’s deep dive.

Other articles you might enjoy:

• Second Draft of CCPA Regulations Some Clarification on Compliance
• Insights for Marketers on CCPA Compliance
• GDPR: Three Tips for Compliance

The post Third Draft of CCPA Regulations Indicates Changes to Privacy Legislation appeared first on Chief Marketer.

The modified regulations offer some clarification for business that must comply with the legislation or be penalized. (Check out five overall CCPA takeaways for marketers, here). For instance, there was some initial confusion as to what constitutes the sharing of consumers’ “personal information.” The second draft reveals that businesses that collect IP addresses of visitors to its website are not in violation of the legislation if that IP address is not linked to a particular consumer or household.

The legislation also now includes what a voluntary opt-out button might look like. If used, it needs be around the same size of the company’s other buttons on their websites. However, since an opt-out provided through a link is sufficient, the button is optional and therefore may not necessarily be implemented by businesses.

Additional clarifications relate to global user-enabled privacy controls, like browser plug-ins or privacy settings, which need to be honored by businesses—but companies are allowed to alert consumers of such a conflict. And, apps that collect mobile data that consumers would “not reasonably expect” it to collect will need to provide an overview of the data that they’re collecting.

Read on in AdExchanger for additional regulations outlined in the second draft, including how service providers are allowed to treat personal data and how businesses must handle data that was collected before the CCPA went into effect.

Other articles you might enjoy:

• Consumer Privacy: Five Things Marketers Need to Know About CCPA
• Insights for Marketers on CCPA Compliance
• GDPR: Three Tips for Compliance

The post Second Draft of CCPA Regulations Offers Some Clarification on Compliance appeared first on Chief Marketer.

The European Union’s General Data Protection Regulation (GDPR) and now the California Consumer Privacy Act (CCPA) are being joined by other data protection regulations that make privacy a fact of life for marketers. Nevertheless, the US is following what happened in the EU—many companies aren’t prepared. The CCPA ruling went into effect on January 1, 2020. Some stats peg the percentage of firms that aren’t ready for this significant new regulation from 56% to as many as 88%. Whether companies are non-compliant because of a wait-and-see approach, lack of funding or confusion about the law, there are compelling reasons to take action. For marketers, who are most impacted by privacy regulations, it’s wise to internalize some simple truths about CCPA.

1. CCPA likely impacts your company if you have California databases.

Not being physically located in California by no means gets you off the hook for CCPA compliance. If you hold data on even one California resident, you must comply with the regulation. Keep in mind the qualifications for CCPA oversight: annual gross revenues of $25 million or more; buying or selling more than 50,000 individuals’ data; and making more than half of annual revenues from selling customer data. This throws a long shadow across many companies.

2. It’s unwise to wait until CCPA enforcement goes into effect on July 1, 2020, to begin compliance.

CCPA sets in stone a new way of handling data, and such a large change takes time to implement. Now you’ll need to disclose what information you’re collecting and reveal how personal data is being used for your social media campaigns, email surveys and any other marketing programs. Also, you’ll need to give consumers the right to opt out of having their data sold to third parties and you’ll need to let them see what information has been gathered and allow them to delete it if desired. Implementing such new processes is time intensive.

Other articles you might enjoy:

• On Privacy Regulation: Insights for Marketers on CCPA Compliance
• CCPA: Consider It a Blessing, Not a Burden
• GDPR One Year In: How Are Marketers Doing?

3. Do the math on what kind of penalties might be waiting for you.

The CCPA states that companies can be penalized $2,500 for each record of unintentional violation and $7,500 for each record of intentional violation. This is for each record but a company could have hundreds, thousands or even millions of data records. For this reason, waiting to see what enforcement looks like could be regrettable. It’s true that enforcing the CCPA, like the GDPR, will take a bit of time to hit its stride but it will inevitably grow. So, playing it safe through compliance makes business sense.

4. GDPR compliance doesn’t ensure compliance with the CCPA.

Yes, there are some similarities between the two privacy regulations beyond the focus on EU versus California customers. But there are also some notable differences with greater impact on marketers in the CCPA. It goes beyond the scope of GDPR in that it: includes household information as part of what’s covered; gives consumers absolute opt-out rights; requires stricter privacy notices; and is much more focused on direct marketing companies or digital advertising companies. While the GDPR covered government entities as well as non-profit organizations, the CCPA puts its focus on for-profit businesses, which makes it a bigger deal for many marketers.

5. Take a savvy approach toward implementing CCPA compliance.

Privacy regulations have now been around long enough that best implementation practices have emerged. Begin with a thorough data inventory and know where all data resides, building compliance into development cycles rather than being bolted on at the end. In fact, data protection should be part of every new product or service from the beginning of development, with sensitive personal data tracked across an entire product lifecycle. Work with the teams that have the best insight on data infrastructure. When it comes to data records, shift from renting to owning because this not only ensures less-expensive, less-outdated data but is safer in the long run and prepares your company for the important step of rebuilding customer trust by collecting and applying data in the most transparent way.

Shane Nolan is senior vice president of consumer and business services for IDA Ireland.

The post Consumer Privacy: Five Things Marketers Need to Know About CCPA appeared first on Chief Marketer.

A recent piece from sister publication Event Marketer looks at four additional insights to consider gleaned from a conversation with a privacy manager from Microsoft. With the legislation’s reach extending far beyond California, it’s critical for marketers to determine what compliance looks like for organizations affected. The act’s purpose is to secure privacy rights for California residents involving data collection and sharing personal information. But that can include those businesses that host California residents at an event (even out-of-state) or on its website.

Read more in Event Marketer about which companies are subject to the CCPA, in terms of revenue, size and function; which other states might follow suit; what could constitute a “sale” of personal data; and how third parties might come into play.

Other articles you might enjoy:

• CCPA Update: It’s the Final Countdown
• GDPR: Three Tips for Compliance
• CCPA: Consider It a Blessing, Not a Burden

The post Insights for Marketers on CCPA Compliance appeared first on Chief Marketer.

Only two percent of respondents to a survey on CCPA preparedness by the International Association of Privacy Professionals this summer said they felt completely ready for the new rules. On a scale of one to 10, the average level of readiness for respondents was 5.27—up from 4.75 when the survey was first conducted earlier in 2019, but still a long way from perfect.

Non-compliance will become pricey: when enforcement actions begin on July 1, 2020, the California Attorney General will be able to seek civil penalties of $2,500 per violation. AdLawAccess.com offers ideas creating a plan to get your organization ready for CCPA.

Make it clear: On your site, post notices in transparent, straightforward messaging addressing CCPA in language that a consumer would actually understand. Vet your privacy policies to make sure they accurately represent your company’s practices and don’t contain false or deceptive statements. And, include simple and easy to find directions on how consumers can submit requests to opt out of the sale of personal information.

You May Also Enjoy:

• CCPA: Consider It A Blessing, Not a Burden
• Declining Consumer Confidence and Privacy Regs Concern Marketers
• GDPR: 3 Tips for Compliance

Make protecting personal information a priority: Insure that your company is in compliance with industry standard practices. This includes reviewing software and hardware connected to a network; limiting user and admin privileges; assessing system vulnerabilities; defending against malware; providing proper security training for employees and vendors; and having a response plan in place if there is a security breach. Documenting these efforts is crucial, notes AdLawAccess. “Being able to demonstrate that it followed these controls, and how, will be a critical part of a company’s defense.”

Know how CCPA will impact your digital advertising plan: Under the new rules, companies need to look at how they use data for interest based advertising and retargeting. Publishers may be considered to have “sold” personal information if they pass along certain types of data to partner firms, depending on their relationship with the partner company and how the partner uses the data. “For partners that are not intuitively service providers or obvious recipients of data sales,” says AdLawAccess, “more analysis and industry benchmarking on interpretations are likely warranted.”

Also, if you’re working with a vendor to place cookies or tags on your site, make sure these activities are cataloged, so you know to what extent they might represent the potential “sale” of personal information.

The post CCPA: 3 Tips to Get Ready for Compliance appeared first on Chief Marketer.

For the past decade, legislation has failed to keep pace with data’s growing role in marketing and commerce, allowing brands to plot optimal strategies with little regard for the consumer’s rights, privacy and security. In many cases, this has led to unsavory and even unsafe practices, with exploitative methods and data breaches threatening to permanently damage public trust in advertisers and companies.

Passed last year and going into effect Jan. 1, 2020, CCPA ensures three basic rights for consumers: the right to request the data which has been collected about them by companies; the right to opt out of the resale of their data; and the right to request the deletion of their data.

While the regulation is limited to the data of Californians, its implications and applications are not confined to the state border and, moreover, is undoubtedly a harbinger of far more to come.

So far, six other states have also introduced new privacy legislation, and there are numerous other bills being debated at the federal level. Indeed, it seems the new regulations surrounding data collection over the next decade promise to be as unpredictable as the lack of regulation in the preceding decade.

What’s on the Line with CCPA

The new rights guaranteed to consumers by CCPA will require brands to make several critical and concrete changes to their data practices:

Brands must ensure that their data storage is mapped out and organized. Consumers are empowered to request the data which has been collected by companies. Proper organization will allow companies to respond promptly to requests for information and help to avoid penalties. Each consumer is entitled to request their data twice per year at no cost, and the company is obligated to inform the consumer what data has been collected, how it was collected, and who else has received the data.

You May Also Enjoy:

• CCPA is Coming: Are You Ready?
• GDPR One Year In: How Are Marketers Doing?
• Declining Consumer Confidence and Privacy Regs Concern Marketers

Compliance requires brands to inform consumers upfront about their rights. Brands must also state the categories of data which they are collecting, which categories of data are being sold on to third parties, and how the brand will use the data. Each company must ensure that these rights are stated clearly at the outset of the brand-client relationship.

Brands must create a mechanism by which customers can request the deletion of their data. Additionally, when a customer demands that their data be deleted, all third parties must also delete the relevant data in addition to the original collector. This detail requires brands to remain in close communication with any third party which has purchased their customer data.

Failure to adequately prepare for and adapt to these regulations could be costly. Though each individual unintentional violation incurs a mere $2,500 fine (triple if deemed an intentional violation), the major risk to a company is the possibility of a class-action lawsuit. In the event of a major data breach, thousands of California residents could exercise their rights at once, bringing about catastrophic financial consequences to a company who is not in compliance.

Building Trust Instead of Fear

These new requirements imposed by CCPA may strike marketers as draconian. However, brands should instead view compliance as a necessary and positive first step toward building a longer term, more trusting relationship with consumers. The upcoming CCPA inflection point provides a perfect opportunity to prepare in this regard for the rest of the regulatory storm to come, rather than dwelling on its impending restrictions.

Today, consumer trust is at a dangerously low point, and consumers desperately wish companies like Facebook could be more trustworthy with their personal data. CCPA should propel marketers to clean up their data collection practices and reestablish trust with their customers. Building direct relationships with consumers and relying more first-party data willingly provided by the customer in a trusted relationship, rather than third-party data, creates a longer term, more productive and positive relationship. By using CCPA as jumping off point and a fresh start for the customer-brand data exchange, companies can make an immediate positive impact on their public perception—and on their marketing ROI.

After years of data collection free from oversight, CCPA will inevitably lead to growing pains and frustration. However, marketers must take this opportunity seriously: thoughtful, methodical preparation for the arrival of CCPA will not only pay off in 2020, but will also produce benefits for the next decade of new policies and legislation.

Jonathan Lacoste is the co-founder and president of Jebbit.

The post CCPA: Consider It a Blessing, Not a Burden appeared first on Chief Marketer.

It’s no surprise the second-party data exchanges, in use for several years now, are suddenly exploding (Lotame reported a 500% increase in them). In these deals, two partners, typically a brand and a media company or publisher, exchange their GDPR-compliant first-party data in the hopes of finding synergies between the customer bases, which in turn can be used to design and launch new customer acquisition campaigns. These arrangements allow marketers to reach new customers in a transparent fashion (they know where the ad will be placed) and, of course, in this model, they aren’t going head-to-head with competitors as they’re not buying commoditized syndicate segments.

Although second-party data campaigns are often high performing, scale is frequently an issue. It’s difficult to reach millions of net-new customers, as one can easily do with a programmatic campaign using tons of third-party data. Marketing in a GDPR-compliant world quickly becomes a choice between performance or scale. Or does it? What if marketers identified whole new second-party opportunities to address their scale challenges?

The partners marketers choose for a second-party data exchange tend to be highly related to their sector, e.g. a hotel chain partners with a travel magazine. These are obvious. But what if the hotel chain could uncover non-obvious, or non-endemic opportunities, such as a high-end fashion magazine or fitness publication? Might there be opportunities to achieve scale through multiple strategic partners, and reach potential customers with more relevant messages?

The fact is, people are multidimensional. Someone can be a frequent guest at a hotel chain, but there’s more to that person than a love of travel. She may adore Italian fashion and French cooking. She may be a fan of DIY shows and gardening blogs. And, most critically, she probably shares these traits with many other frequent travelers, all of whom can be targeted with messages that tie in these other, outside-the-brand, interests. This is the true opportunity of second-party data exchanges: brands can create highly personalized engagements in much quieter environments.

You May Also Enjoy:

• LinkedIn Marketing Rises in Wake of GDPR
• GDPR One Year In: How are Marketers Doing?
• CCPA is Coming: Are You Ready?

These shared interests, pursuits and passions are natural human affinities and finding them within a given audience has the potential to change the game. These net-new opportunities offer the scale of programmatic campaigns, but do so in a privacy and GDPR-compliant way. They can also provide the marketing strategy side of the house with the kind of deep insight they need to design highly personalized and relevant campaigns upfront.

The trick, of course, is identifying these affinities at scale, but that’s where AI and graph technology are particularly useful. These technologies can identify natural affinities in massive consumer data sets based on common things people like, follow, share, purchase, watch and mention. Social data is a perfect example of this possibility.

Since the dawn of digital advertising, marketers and pundits alike have asserted that consumers benefit from data-driven advertising. With changes to privacy regulations, marketers need to find new compliant, scalable strategies to attract new customers. Being able to continuously unlock non-obvious affinities will address this challenge and improve the advertising experience for the consumer by giving marketers the insight they need to create personalized campaigns and creatives. Who knows, we just may grow to see GDPR as the spark that transformed the industry for the better.

Tim Burke is CEO of Affinio.

The post Identifying Affinities in Second-Party Data appeared first on Chief Marketer.