Any marketer in the digital ecosystem knows about the California Consumer Privacy Act (CCPA), which technically went into effect on Jan. 1 of this year. According to the State of California’s Attorney General’s office, the CCPA “grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of personal information that businesses collect, as well as additional protections for minors.”
Given that California’s $2.9 trillion economy would rank it fifth largest in the world if it were a sovereign country, what happens in California affects virtually any company doing anything on the Internet anywhere. CCPA’s guiding principle revolves around the concept that a consumer should be notified that their data is being collected. That component is really powerful if it’s done correctly or with integrity, bringing an added level of education to consumers that they never had before.
However, it differs dramatically from the General Data Protection Regulation (GDPR), a European Union set of rules enacted in 2018, which are far more stringent in what they mandate companies to do with regard to online data collection. I like to think of the main difference between the two in simple terms: Where CCPA asks you if you permit your friend to keep stealing $10 out of your wallet, it does nothing to stop the behavior or penalize your friend for stealing without your permission. GDPR ensures that your friend must ask permission to borrow $10 before doing so. And if the friend keeps doing it, penalties ensue. That’s a huge difference.
It boils down to permission versus forgiveness. In nearly all aspects of life, we’ve heard the phrase “Better to ask forgiveness than permission.” That kind of thinking is what’s plagued the digital ad-tech world, particularly those firms dealing in the selling and reselling of data. There’s no permission, also known as consent, with the data they assemble, repackage and resell. And frankly, there are some “bad actors” in the digital space that didn’t seek permission and hoped they wouldn’t get caught and then have to ask for forgiveness.
I think we as an industry need to take a stand and insist that permission is more important than forgiveness. Any marketer or agency doing business with a platform, DSP or other ad-tech firm needs to demand a well-articulated process for how they would notify a consumer about the use of their data. If a salesperson or other executive at that firm can’t articulate it themselves, then it’s not clear enough.
Let’s look at this from another perspective. It’s as if GDPR is an adult-to-adult relationship, where a choice is given to the consumer; CCPA is more of an adult-to-child conversation, where the consumer is simply told what’s happening but not given a choice.
The inherent risk, at least when it comes to CCPA, is that the consumer is more empowered than ever before to take any complaints (as in, being treated like a child) to the court of public opinion through social media. A consumer with a decent following can negatively impact a bad actor with a single tweet. If a company wants to avoid running into conflict with an angry, socially savvy consumer, they just need to ask permission in a clear and understandable way.
Most companies are trying to do just that, because they know that, in reality, these laws help to create an ecosystem of higher integrity that consumers want to participate in and that marketers are far more comfortable putting more of their ad dollars into. It’s a rising tide that lifts all ships. If you’re contributing to improving the ecosystem, then you will benefit from better measurement, better ad serving and reduced fraud.
Marketing dollars will follow the cleanliness of the data, the inventory and the ecosystem overall, because brands will feel far more comfortable investing in something when they know they’re getting real humans that want to see ads. Let’s give them permission to make their own choices.