Thanks to National Consumer Protection Week and World Consumer Rights Day, March is essential for consumer protection and consumer rights awareness. On the occasion of these events, let's look at what you should know about these two topics regarding GDPR and CCPA.
Consumer data is now an essential resource for businesses worldwide. Despite stringent measures to protect customer data, breaches and leaks are not uncommon. Aside from such security threats, many organizations engage in unethical practices such as improperly acquiring customer data or selling it to third-party vendors without customers' consent.
Governments have taken decisive steps to reduce data fraud and leaks and restore consumer power. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are examples of such regulations. The European Union (EU) and the state of California, respectively, mandated these regulatory requirements.
As we approach National Consumer Protection Week (March 1-7) and World Consumer Rights Day (March 15), consider what you, as a marketer, should know about consumer protection and rights.
What Is the General Data Protection Regulation (GDPR)?
GDPR applies to any company that collects and processes EU citizens' data. The organization need not be EU-based.
GDPR gives customers control over how companies collect and use their data. Organizations can be fined 4% of revenue or 20 million euros for violating the regulation.
It lets EU data subjects choose how their data is managed. Marketers should know these eight GDPR consumer rights:
Right to Information: Data subjects can choose to know how a business collects and uses their data and why.
Right to Access: Individuals can access and copy their data.
Right to Rectification: The data subject can request changes to their data.
Right to Restriction of Processing: Data subjects can withdraw consent to process their data. Reasons may include the accuracy of the personal data or illegal processing.
Right to Erasure: Also known as the right to be forgotten, this right lets data subjects ask organizations to delete their data.
Right to Data Portability: The individual can request that the organization return their data to them or a third-party controller. Structured, machine-readable data should be transferred in such cases.
Right to Object: Data subjects can object to personal data processing based on their situation.
Right to Automated Individual Decision-Making: The data subject can object to a decision using automated processing. The organization may have to review the request manually.
Besides these rights, the organization must perform a data protection impact assessment (DPIA) before processing personal data and must inform users of a data breach.
What Is the California Consumer Privacy Act (CCPA)?
CCPA, introduced on January 1, 2020, is less strict than GDPR. CCPA applies to businesses that serve Californians, but they must meet specific criteria, such as having $25 million in annual revenue, 50% of which comes from selling Californian consumer data. The company should collect and manage the data of 50,000+ Californian customers.
Marketers should know CCPA consumer rights:
Right to Notice: Also known as the right to be informed, businesses must notify customers of the categories of customer information they collect before or during collection.
Right to Access/Disclosure: Californians can request the personal data a business holds on them from the past 12 months. Companies should disclose information collection sources and goals.
Right to Opt-Out: Customers can ask businesses to stop selling their personal information to third parties. Under the CCPA, a sale includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or communicating customer personal information.
Right to Request Deletion: California residents can ask the organization to delete their personal information from the past year, with some exceptions. The organization can keep the data for security, free speech, or legal reasons.
Right to Equal Services and Prices: Businesses can't charge different prices or refuse sales. With customer consent, businesses can offer financial incentives for personal data.
3 GDPR/CCPA Compliance Tips
Marketers can avoid legal issues under regulations such as GDPR and CCPA by following these data collection practices.
Before reading the tips, audit your email list and remove entries without opt-in details. Send another opt-in campaign to update subscribers' preferences.
1. Update Your Privacy Policy
Before CCPA and GDPR, CalOPPA mandated privacy policies. Update yours now.
CCPA and GDPR require businesses to update their privacy policies if they share or sell data. Also, mention the third parties with whom the information has been shared.
2. Redesign Opt-In Process
GDPR requires users to explicitly opt in to your newsletter or subscriber list when filling out a form. Marketers must keep opt-in boxes unchecked by default. Leave the default selection empty in drop-down menus and let users opt in.
3. Document a Data Collection Process
Marketers collect unneeded data to improve personalization. GDPR and CCPA require disclosure of data collection purposes upon request. To avoid such instances, document how you collect customer information so that you can justify the collection. Use marketing funnel logic. For top-of-the-funnel users, collect the bare minimum of customer data points; for qualified leads, collect as much as possible.