Since May last year, we have all become familiar with the European GDPR legislation. But in the US, too, people are getting ready for privacy protection laws. In 2020, the California Consumer Privacy Act (CCPA) will become effective, a bill that protects the privacy rights of consumers in that US state. CCPA and GDPR not only have a similar-sounding abbreviation in common: both laws are extraterritorial, in other words, they also apply outside their own territory. (E-mail) marketers should therefore be well prepared for the arrival of the CCPA. We have ten simple tips and some advice about cookie consent management to help you on your way to CCPA compliance.
Start using the CookieFirst consent management platform and make sure that your cookie usage, cookie declaration texts and third-party tracking procedures comply with the CCPA guidelines.
The EU as an example | CCPA Compliance
The European Union is at the forefront of setting privacy standards. The GDPR legislation protects the data and personal information of all citizens of the EU and the European Economic Area. This legislation also affects the privacy behaviour of companies outside the EU and EEA, as the legislation applies there as well. Most marketers doing business in this region have been well informed since the introduction of the GDPR on 25 May last year.
The US response | CCPA Compliance
The United States, on the other hand, is not very advanced in terms of privacy legislation. Nevertheless, the Cambridge Analytica and Facebook scandal has set a great deal in motion: American citizens are increasingly concerned about their privacy. The demand for federal data protection legislation is therefore becoming louder and louder.
In California, people have listened carefully to this. On 1 January 2020, the California Consumer Privacy Act (CCPA) will become effective there. It protects the data of consumers in California. Marketers should make themselves aware of these new regulations, including the changes and differences, so that they can comply with them strictly.
GDPR & CCPA: a comparison
The EU (GDPR) and California (CCPA) regulations have both similarities and differences. It is important to note that both laws are extraterritorial, which means that they apply outside the territory of the country or state in which they were introduced. Marketers who do business in an EU country, or in the American state of California, have to abide by the new rules of the game.
Tips for secure email marketing
A Symantec poll found that 83% of Internet users around the world were concerned about their privacy. As a marketer, it is important to be careful with your customers’ data. That way you are in the best position when you ask for someone’s data. Make it easy for your customers to give their consent and to change their preferences at any time. The data fields on your forms are an important data collector, so only ask for the data you need in the short term. A clear process for removing consumer data is also very useful.
CCPA Compliance in 10 steps
It is important that, if you sell consumer data, you understand how the law affects your business. So how do (email) marketers prepare for the CCPA? Some practical steps to take into account:
- Step 1: See what personal information is currently being collected by your company.
- Step 2: Assess this information to understand how it is used, whether it is sold or shared with third parties, and why, because the CCPA gives consumers the opportunity to access data sources.
- Step 3: Review your company’s data policies and procedures for collecting personal information.
- Step 4: Update your internal and online privacy policies to meet disclosure requirements.
- Step 5: Remove all information you no longer need about consumers.
- Step 6: Prepare new policies and procedures so that you are ready to respond to consumer data requests.
- Step 7: Prepare technical solutions for processing consumer data requests and opt-outs.
- Step 8: Create training materials for everyone responsible for dealing with questions about consumer personal information.
- Step 9: Review the contracts with third parties & service providers to whom you currently provide consumer data.
- Step 10: Conduct external audits of service providers who have access to your customers’ personal information to ensure compliance.
CCPA compliance and cookie consent
- Personal information – A visitor might not share directly identifiable personal information on a website. However, under the CCPA the data collected by cookies is considered personal information.
- Cookies on the website – The company behind the website is accountable for all data being collected. That accountability covers the management, security and storage of the personal data. If a website uses third-party scripts (and cookies), the company should still be able to manage the collected data.
- Management of consent – A website visitor must be offered the option to give consent, or to change that consent, for the use of certain cookies. Each consent should be stored so that it can be referred to at a later point in time.
If you would like to know more about the types of cookies, then read our article: What are cookies?
Under the CCPA, the treatment of cookies differs per type of cookie. For a website to function properly, essential cookies are required. Therefore, it is not required to offer an opt-out for essential or necessary cookies. So visitors do not have to be allowed to disable essential cookies, but it is advisable to disclose their use.
Then there are functional cookies. These can serve multiple purposes, web tracking being one of them. Some of them can influence the performance of the website, while others are optional. Websites are required to offer an opt-out for some of these functional cookies. A clear description of all types of cookies being used should be easily visible to the visitor. For any cookie that is not necessary for the website to function, there should be an opt-out possibility. Such cookies can be third-party or first-party cookies. The letter of the CCPA is not specific on this point, but clear disclosure is implied. Disclosure includes the ways in which cookies collect and use data, and the possibility to opt out of unnecessary cookies.
It is clear that advertising cookies fall within the non-essential categories of cookies, whether they are third-party or first-party cookies. The CCPA requires an opt-out for this type of cookie. A cookie’s name and purpose should be clearly disclosed.
Cookie consent management | CCPA Compliance
Websites have to implement cookie consent management; this is recommended for all websites. Cookie consent management gives the visitor the ability to give, change or revoke consent for certain types of cookies: in other words, the ability to opt out. The way websites currently do business is not really affected by opt-out consent management. For email marketing, most organisations already have consent management in place; that consent management will need to be extended to website visitors.
Under the CCPA, organisations need to manage consent across many functions. A company’s website needs to log the cookie preferences of its visitors. The CCPA is clear about opt-out consent for adults, and it is also clear about opt-in consent for young adults and children. On how to implement these two types of consent for different types of visitors, however, the CCPA is not entirely clear. We will update this article when we know more. Websites will need a consent management tool with the capability to share consents with third parties.
The cookie consent management tool must have one more capability: it must be able to recognise the visitor across the multiple devices the visitor uses, and keep tracking consent and changes to consent. In effect, this means tracking consent across devices such as computers, tablets and smartphones.
Cookie Banner | CCPA Compliance
The CCPA has no specific requirements yet on cookie banners and their use. However, we recommend using a cookie banner with a button that gives visitors access to their cookie consent preferences. There is also a clear requirement to have a ‘Do not sell my personal information’ button on the home page. A cookie banner can provide both of these functions.
- Give insight into cookie details: name, purpose and expiry date
- Collect, store, secure and manage personal data collected by cookies
- Offer opt-out consent management for unnecessary cookies
- Track and log the consent / cookie preferences of your visitors
- Use a cookie banner or button to give access to cookie preferences
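The consent-management behaviour described in the last three sections (per-category consent with no opt-out for necessary cookies, a ‘Do not sell my personal information’ action, a persisted consent log, and gating non-essential scripts on the stored preference) can be sketched in a few dozen lines of browser-side JavaScript. The block below is an added example written for this article; it is not CookieFirst’s code and not a complete product. The category names, the `cookie_consent_v1` storage key, the cookie declaration entries and the script list are all constructed for the example, and the storage is an in-memory stand-in for `window.localStorage` so the code runs outside a browser too. It goes slightly beyond the text by supporting both the opt-out model (default allow, for adults) and the opt-in model (default deny, for minors) the article mentions, selected by a `mode` option.

```javascript
// Added example: minimal CCPA-style cookie consent manager (illustrative, not CookieFirst code).
// Assumptions: three cookie categories; storage has getItem/setItem like localStorage.

const STORAGE_KEY = "cookie_consent_v1"; // hypothetical key name chosen for this example

// Only non-necessary categories may be switched off; necessary cookies are disclosed, never disabled.
const CATEGORIES = Object.freeze({
  necessary:   { switchable: false, purpose: "Required for the site to function" },
  functional:  { switchable: true,  purpose: "Preferences and performance features" },
  advertising: { switchable: true,  purpose: "Ad targeting; treated as sale/sharing of data" },
});

// Constructed cookie declaration: what the banner's "cookie details" view would list.
const COOKIE_DECLARATION = [
  { name: "session_id", category: "necessary",   purpose: "Keeps the visitor logged in", expires: "session" },
  { name: "ab_variant", category: "functional",  purpose: "A/B test bucket",             expires: "30 days" },
  { name: "ad_id",      category: "advertising", purpose: "Ad targeting across sites",   expires: "1 year" },
];

// Constructed script list: each third-party or first-party script is tagged with a category.
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js",                     category: "necessary" },
  { src: "https://example.invalid/ab.js",  category: "functional" },
  { src: "https://example.invalid/ads.js", category: "advertising" },
];

// In-memory stand-in for window.localStorage so the example runs under Node as well.
function createMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

class ConsentManager {
  // mode "opt-out": non-necessary cookies allowed until the visitor opts out (adult model).
  // mode "opt-in":  non-necessary cookies blocked until the visitor opts in (minor model).
  constructor({ storage = createMemoryStorage(), mode = "opt-out", now = () => new Date().toISOString() } = {}) {
    if (mode !== "opt-out" && mode !== "opt-in") throw new Error(`unknown consent mode: ${mode}`);
    this.storage = storage;
    this.mode = mode;
    this.now = now;
    const saved = storage.getItem(STORAGE_KEY);
    // Saved preferences win over defaults so consent survives a page reload.
    this.state = saved ? JSON.parse(saved) : { preferences: this.defaults(), log: [] };
  }

  defaults() {
    const prefs = {};
    for (const [name, cfg] of Object.entries(CATEGORIES)) {
      prefs[name] = !cfg.switchable || this.mode === "opt-out";
    }
    return prefs;
  }

  isAllowed(category) {
    if (!(category in CATEGORIES)) throw new Error(`unknown cookie category: ${category}`);
    return this.state.preferences[category];
  }

  // Records the change with a timestamp so each consent can be referred to later.
  setPreference(category, allowed) {
    if (!(category in CATEGORIES)) throw new Error(`unknown cookie category: ${category}`);
    if (!CATEGORIES[category].switchable) throw new Error(`${category} cookies cannot be disabled`);
    this.state.preferences[category] = Boolean(allowed);
    this.state.log.push({ at: this.now(), category, allowed: Boolean(allowed) });
    this.storage.setItem(STORAGE_KEY, JSON.stringify(this.state));
  }

  // "Do not sell my personal information": switch off every category that can be switched off.
  doNotSell() {
    for (const [name, cfg] of Object.entries(CATEGORIES)) {
      if (cfg.switchable) this.setPreference(name, false);
    }
  }

  getPreferences() { return { ...this.state.preferences }; }
  getLog() { return this.state.log.slice(); }
}

// Cookie details for one category, for display in the banner.
function declarationFor(category) {
  return COOKIE_DECLARATION.filter((c) => c.category === category);
}

// Gate script loading on consent: only scripts in an allowed category are returned.
function scriptsToLoad(manager, scripts) {
  return scripts.filter((s) => manager.isAllowed(s.category)).map((s) => s.src);
}

// Stand-alone usage: an adult visitor presses "Do not sell my personal information".
const demo = new ConsentManager();
demo.doNotSell();
console.log(demo.getPreferences(), scriptsToLoad(demo, SAMPLE_SCRIPTS));
```

In a real page the `scriptsToLoad` result is what you would actually inject as `<script>` tags after the banner has been answered, and nothing in a switchable category should be loaded before that point; the log entries are what you would forward to third parties that need to honour the same preference.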