The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. Like the General Data Protection Regulation (GDPR), the CCPA will further raise the bar for honoring consumer data privacy rights.
As data nerds, we believe your business can’t survive without data. Given the new privacy landscape, we also believe your business won’t (and shouldn’t) survive if you misuse it. That’s because every person has a right to data privacy.
From the CCPA to the GDPR, and even the laws that have yet to be drafted, Segment is committed to helping our customers prepare for data privacy regulations.
In this blog, we’ll bring you up to speed on how the CCPA may impact your business and share how Segment can help you better leverage your first-party data while respecting your customers’ privacy.
The CCPA and the future of data privacy regulation
In many ways, the CCPA is quite similar to the GDPR: both are data privacy laws that 1) outline requirements which impacted businesses must adhere to and 2) grant consumers key rights over their personal data. For instance, both the CCPA and the GDPR grant data subjects the right to disclosure (what’s called access in the GDPR) and deletion (also granted in the GDPR).
This means consumers are entitled to learn exactly what information a company has on them and have the company delete it if they so choose. The good news is that businesses already equipped to address the GDPR can use the same systems to honor many of the rights granted to consumers by the CCPA.
The CCPA also grants consumers some different rights compared to the GDPR, including the right to opt out of having their personal data sold. Businesses must not only make it easy for consumers to opt out, but they also cannot discriminate against any consumers that choose to do so. For example, a media company cannot say “if you opt out of the sale of your personal data, you can no longer read articles on our website.”
Keep in mind, the CCPA doesn’t just apply to businesses that are located in California. Instead, it applies to all companies who have information regarding California residents if the company meets one of the following criteria (Cal. Civ. Code section 1798.140(c)):
Annual gross revenue over $25 million;
Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices for commercial purposes; or
Derives 50% or more of its annual revenue from selling consumer personal information.
While technically only California residents are protected by the CCPA, the law considers “every individual who is in the State for other than a temporary or transitory purpose” a California resident. As a result, businesses may be better off honoring requests from all individuals than spending the time and resources to evaluate if a consumer is a California resident.
Even if the CCPA doesn’t apply to your business, it’s only a matter of time before similar legislation is passed at the federal level or in another country that may impact your business. Nevada, New York, and Texas are a few of the many states we expect to follow with similar regulations. It’s impossible to know exactly how future regulations will play out, but it’s safe to assume that they’ll require businesses to honor at least a few core data subject rights, including: the right to deletion, the right to disclosure, and the right to opt out.
Be prepared to honor data subject rights
To meet both the legal requirements and customer expectations, businesses need to be prepared to honor data subject access rights. Even though the CCPA goes into effect in 2020, businesses are required to delete and disclose data that was collected during the 12 months leading up to the enforcement date (that means data that you’re collecting right now).
Since the GDPR went into effect in 2018, we’ve helped companies around the world honor data subject rights for more than 7 million users. Segment customers can rest assured that our data rights functionality built for the GDPR extends to support compliance with the CCPA.
Manage user deletion across Segment and supported destinations via our UI or API
When you request a deletion via Segment, we not only delete the data from our system and records, but we also delete it from your connected warehouse and forward that deletion request to supported integrations like Amplitude, Braze, and more.
Data deleted from Segment’s internal systems.
Deletion requests forwarded to supported integrations.
To help you manage large volumes of deletion requests, we now offer bulk deletion for up to 5,000 users at a time.
Respect your customers’ preferences with one-click suppression
If your customers no longer want you collecting their data, you can quickly honor their request via our UI or API. Once you add a customer to your suppression list, we’ll automatically restrict their data from being sent to Segment and cloud mode destinations. You can also use our open source consent manager to collect consent in the first place.
Compile user data for disclosure requests
Segment’s raw data integrations, warehouses, and Personas product enable you to analyze and export the information you have collected about a given customer.
Whether your customers want you to delete, modify, or disclose the data you’re collecting, or even stop collecting data entirely, Segment has you covered.
Wean yourself off third-party data
If the GDPR was the first real strike against third-party data, consider the CCPA the knockout hit. Unlike first-party data (data collected directly from the customer), third-party data is user data that companies purchase and/or share with other businesses. Third-party data is most often used to target new potential users for advertising, to personalize websites for net new visitors, and to monetize apps without another revenue stream. Given how often third-party data changes hands, it’s hard to determine if it was collected with consent.
If your business sells personal information, the CCPA requires you to provide a “clear and conspicuous link” titled Do Not Sell My Personal Information on your homepage. We expect many consumers to take advantage of this. Imagine going to a website you don’t completely trust, and the first thing you see is a link that says Do Not Sell My Personal Information. In just a few clicks, you’d be able to prevent them from selling your data. This will inevitably make it harder for businesses to rely on third-party data. If you haven’t already, it’s time to start to wean yourself off third-party data.
The good news is you can still use data to provide relevant experiences for your customers while also respecting their privacy and complying with these regulations. Here’s how: leveraging first-party data. First-party data is data you collect directly from your customers. For instance, this includes data on how your customers use your website or app, data from surveys you send out, and data from subscription or purchase information. Because it is data you collect from your customers, you can ensure it is collected with consent and trust that it’s high-quality. By using first-party data you can continue to drive growth for your business without forgoing customer privacy.
It’s time to treat data privacy as a right
Wherever you’re at in your privacy journey, we’re here to help. Segment is committed to enabling our customers to use good data (and good data practices) to provide relevant experiences for their customers. At Segment, good data not only means high-quality, complete, and actionable data. Good data also means first-party data that respects consumer privacy.
Moving forward, we will continue to maintain our focus on first-party data, develop tooling to help you be ready for new regulations, and protect your customers’ data with a holistic security program. Stay tuned for new products that will give you even more controls to manage and audit personal data.
Want to learn more about the CCPA and the future of consumer data privacy? Join data privacy experts, Mark Kahn (General Counsel, Segment), Melissa Maalouf (Shareholder, ZwillGen), and Jeremy Greenberg (Policy Fellow, Future of Privacy Forum), for a webinar on June 26, 2019 at 11:00am PT/2:00pm ET.