The Department 3 Blog
CCPA and Your Direct Marketing Data: Getting Cali-Compliant
May 3 2019, Michael Concannon
The impact of the GDPR has only begun to be felt by direct marketing professionals. Now they’ve got the CCPA looming on the horizon. Is it more of the same, only with a California flavor? Not exactly – and understanding the differences is vital.
The California Consumer Privacy Act of 2018 was signed into law last June, but won’t go into effect until January 1, 2020. But just like the GDPR, businesses are only just beginning to be prepared for CCPA.
One factor in that is that many experts are still puzzled as to exactly what constitutes “compliance” under the new law, which is vague in places. Add to that the fact that proposed amendments are under consideration that could change the scope of the law in notable ways. As of right now, there are 19 “technical amendments” being debated.
The California Attorney General has until July 2, 2020 to publish actual regulations based on the CCPA. Also, the AG can’t bring legal action against violators until either July 1, 2020, or six months after final regulations are published…whichever comes first. So marketers need to both get ready for CCPA at launch and monitor any subsequent changes based on amendments and the like, so they can accommodate those.
As currently drafted, the CCPA is touted as being more “business-friendly” than the GDPR. Consumer data rights will be protected, as they gain the right to know what personal data is being collected, and whether or not it’s being shared (and with whom). They can opt out of the sale of their data, access it, and request it be deleted.
All very similar to the GDPR, but one primary difference is in the area of consent: The CCPA doesn’t require a marketer obtain it to collect and process consumer data. They are, however, required to clearly tell consumers how they collect and share it, and provide an opt-out.
Another difference? The GDPR covers far more businesses than the CCPA. The CCPA only targets for-profit businesses that have $25 million or more in annual revenue, or trade data from 50,000 or more persons, or get 50% or more of their revenue from selling consumer personal data.
A “baby” every marketer has to contend with
Some of the pending amendments will, one hopes, provide better definition for consumers and marketers alike. One example? Companies can’t sell data for cash, but what constitutes a “sale” of that information is pretty broad. The law encompasses any data transfer where there’s value or benefit to the “seller,” but it’s hardly crystal-sharp on what constitutes “value.” A direct marketer swapping email lists with another DM marketer in order to run a joint promotion might be seen as enjoying just such a value-creating situation, since they’re each looking to gain sales and profits.
With all its vaguenesses, CCPA still has to be reckoned with. Otherwise, marketers would be forced to consider dropping out of the world’s fifth-biggest economy, and there are probably very few businesses willing to go that far.
Ruby Zefo, Chief Privacy Officer with Uber, might have put it best at this year’s RSA Conference by comparing CCPA to a baby: “Whether you think it is attractive or not is up to you, but you still need to take care of it.”
GDPR and the price of non-compliance
CCPA may never result in the kind of regulatory penalties in place in the EU right now, but could a marketer be blamed for worrying? The current fine stipulated for mishandling consumer data under CCPA is just $7,500, but some privacy advocates – and seemingly even new Governor Gavin Newsom – are pushing for harsher penalties.
France hit Google with a $57 million fine for GDPR violations, and there are rumblings that Facebook may face a fine that’s, well, Facebook-sized. Consumers are using the law to lodge complaints that regulators are obliged to address. Even Ireland, a friendly home for tech firms, has seen a 100% uptick in privacy complaints since GDPR inception. The dangers of the GDPR actually compelled a third of the biggest US news sites to block access to the EU.
Direct marketing vulnerabilities under CCPA
If enough consumers take advantage of their data privacy rights under the CCPA, one immediate impact might be on the third-party data market. Data brokers will be under enormous pressure if there’s a substantial number of opt-outs by California consumers. Third-party data already suffers from a reputation for inaccuracy; a 2017 Deloitte survey found two-thirds of respondents rating third-party data about them as being only zero to 50% accurate.
If more consumers opt out, the advantage of scale that brokers possess – the ability to deliver a lot of names, cost-effectively – will be compromised. Marketers will be hard-pressed to open up their wallets for those lists if they’re both smaller and still of dubious quality.
Targeting of ad campaigns, including direct mail, may well suffer in the event of a rising tide of opt-outs. Effective direct mail depends on analytics and personalization driven by sizable quantities of data. The less data on hand, the less effective your targeting may become.
One solution? Demonstrate the quid pro quo consumers receive for sharing personal data. Study after study proves how consumers simply want A) to feel their data is being safely handled, and B) to know there’s something in it for them when they share that data. When asked to share their spending habit data with an airline, just 4% of consumers said yes – but when told they’d get a “personalized itinerary” based on that data, 45% of them opted to share their information.
Drafting a CCPA compliance model
Many of the same steps a direct marketing organization took to become GDPR compliant will work for the CCPA. In fact, it may be best to draft an operational template for using those procedures beyond CCPA, as about another dozen US states are contemplating data privacy laws, many patterned on the California example.
Despite hopes from both sides of the aisle in Washington, there won’t be any unifying, overriding federal legislation anytime soon, leaving marketers to contend with a patchwork of state-by-state regulations in the near term. Many are turning to consent management platforms to ensure they’re capturing defensible consent from consumers, regardless of location, though (as we’ve said) opt-in is less of an issue under the CCPA.
Other steps to take?
- Educate your organization about the details and potential impacts of the CCPA, and on the efforts the company and its employees need to take to be compliant.
- Conduct a data audit to identify where consumer data resides, not just on your own platforms but on third-party solutions; vendors and partners can leave you as exposed to compliance risks as your own team and policies.
- Review data privacy policies so all data-handling practices are transparent to consumers, and to accommodate their new rights under CCPA.
- Employ data optimization to make the most of the data you’ve already got on hand, or manage to obtain within the guardrails of the new regulations.
Why is data optimization on the list? Because it’s key to maintaining your marketing success even in a post-CCPA world:
- Optimized, high-quality data lets a direct marketer still enact highly targeted direct campaigns, wringing the greatest possible ROI from the information they have on hand.
- Personalization will prevent opt-outs if you’re able to demonstrate value to the consumer, and personalization utterly relies on data quality and the insights it provides.