What Digital Marketers Need To Know About CCPA & GDPR Rules

Do you know how if your marketing tech stack is GDPR compliant? Are you prepared for the new CCPA rules that go into effect on January 1, 2020? The California Consumer Privacy Act (CCPA) could spell trouble for unprepared companies across the U.S. – even more so than the EU’s General Data Protection Regulation (GDPR), which landed earlier this year.

In this video, Megan Upperman, analytics manager at Augurian, digs into how to keep your marketing tech in compliance with the new and existing regulations. We’ll discuss the most searched questions around GDPR and CCPA including who is liable for mistakes, what the differences are between the European and American regulations and how to use Google Tag Manager and Google Analytics to handle personal data and respect user consent.

Transcript

Josh: Hello, everybody. This is Josh Becerra from Augurian, I’m here with Megan Upperman.

Megan: Hi, I’m Megan, I’m the Analytics Manager here at Augurian.

Josh: Yes, we’re hanging out at The Stray Dog again. We’re going to be talking about GDPR. Megan brought this topic to my attention here recently. What’s happening in January?

Megan: In January is when the California Protections go into place. CCPA for consumer data is going to take into effect on January 2020, and then B2B rules, we have one more year to get into compliance there. The search demand has just really been ramping up and we’ve seen a ton of really good questions come through. GDPR specifically, it applies to people who work within Europe but there’s a lot we can learn from GDPR about how to roll that out successfully for CCPA here in the US.

Josh: One of the questions we’re seeing in the search demand is, is Google Analytics compliant with GDPR? What do you know about that?

Megan: That’s a really good question because it can be, but it also could not be. It depends on how you have it set up. By default there’s a lot of settings that have been rolled out for about a year, around May of 2018 was when they first rolled out the introduction of this, that’s when GDPR first went into effect. Since then, there’s a lot of things that Google has done to step up their compliance, but a lot of it, they put in your hands to make sure you utilize those tools. Everything from making sure that you anonymize your IP addresses to making sure that you understand how to use the deletion tools. It’s very possible to be compliant, but not by default.

Josh: Okay, another one of the questions is around liability, right? As a marketer or an agency, what kind of liability do I have if I’m not complying?

Megan: It seems a little scary off the bat, but the short answer of this is from the perspective of marketers and agency specifically, it’s not something you need to sweat. Like all legal matters, it depends on what precedent has been set and what’s gone into effect in the courts. Realistically, it seems like we can all relax on any individuals being held to account. It seems too from the agency perspective, we’re likely not to be held to account there either although I can’t imagine if you’re found out of compliance that your client would be terribly happy and want to stay working with you for long.

Josh: For sure, it’s all about legal precedence and we’re still pretty early, there isn’t a tone of that necessarily out there, especially not holding individuals liable so that’s a good thing. It makes people feel more at ease.

Megan: From my perspective, the most important thing for me is to know enough to be able to raise my hand and say, “Hey, you might want to run that past your legal department.”

Josh: There you go, very smart. Another question is around consent, whether it’s always required and if you can actually get verbal consent, what did you find out about that?

Megan: This was a really interesting question, too. Yes, it’s always required for everyone who interacts with European users. So far, nobody has tested the verbal consent argument in court. I couldn’t tell you specifically that that won’t work, but I’m assuming that that one’s not going to hold up very well. It seems pretty thin. Generally, though, the agreement here is that consent has to be freely given, specific, informed and it has to be an unambiguous indication of the subject’s agreement to the processing of that data. It’s got to be specific.

Josh: Sure, for a long time it’s been, agree to the terms of service and you just click a button and you’re on your way, and now they’re requiring you to actually say, “No, here’s what I’m actually going to be doing with your data and getting that consent.” What happens if people opt out? They see all these things and they are like, “No way, I’m not giving you my data for that,” what happens then?

Megan: This was my favorite question that we researched so far. It’s not enough to just have a kind of a yes or no option. You see a lot of those sites that have you accept their cookies and privacy terms at the bottom of the site there. What isn’t okay that was proven in court the day after GDPR rolled out was that you cannot, then, bar someone from using your site. That all or nothing approach is considered manipulative because people still want to be able to use your products.

Josh: Yes, either you accept these terms or you don’t get to look at my site, so that’s not allowed?

Megan: No, that’s not allowed. You have to have the alternate option to be able to have people use your site but not store their data. One of the cool things we found about this is, this is actually something I had come across and I didn’t understand a couple of years ago why this was configured this way. You can actually use Google Tag Manager to turn on and off your analytics tracking, based on the response to that cookie question.

Josh: That’s very cool.

Megan: That’s a really good workaround, you can come up with all kinds of creative solutions. That’s my favorite that I’ve seen.

Josh: Awesome. That’s great info. At the beginning of the segment, you mentioned this CCPA. Can you tell us a little bit about that and then what the difference might be with GDPR?

Megan: With GDPR, it’s really centered around enthusiastic consent and fully informed consent. We’re looking at things like data’s got to be processed lawfully, fairly, transparently. You have to be able to delete it. You have to be storing it securely. It has to be kept accurately. You can really only do with it what you specifically said you were going to do with it. Anything beyond that is going to be outside of regulation.

With the CCPA, it’s a little bit different. It only applies to the last 12 months of data collected. It doesn’t have to be deleteable. That’s still something you can do, analytics still offers those features to us here in the US. Realistically, if you have opted in to sharing data with third parties, it doesn’t mandate that you’re able to withdraw that consent later. GDPR does allow you to basically in real time control exactly who has your information and where. The CCPA is a little bit looser around that. You’ll give the consent one time, but you don’t necessarily have to be able to revoke it later. There’s that. Then really, in addition to that, it’s just much more strict on all your documentation, and your requests and your consent needs to be in very plain English.

Josh: Got it. All right. Well, the last question that we researched around this topic was about email addresses. You’ve been collecting email addresses all this time. You may not have been doing that in a compliant way. Can you actually keep and use those email addresses or not?

Megan: I’m about to give the famous answer of all marketing people. It depends. Basically–

Josh: Right, and politicians.

Megan: Exactly. Can I use my precious email list? The answer is sort of.

Josh: It depends.

Megan: It depends. If you collected those email addresses in a way that is compliant, you absolutely can still use them. If it’s not compliant, some of those common pitfalls to watch out for, for example, at the bottom of a contact form. A lot of times, people have a checkbox there that lets you opt in or out of marketing communications outside of just the contact form. If that box is automatically checked, it’s not compliant.

Josh: I see.

Megan: That’s a big one. If it doesn’t explicitly spell out that it’s for commercial marketing purposes, again, then that one’s not going to be compliant either. Generally speaking, if you have just a regular subscribe to our email list form there that’s totally compliant. You can definitely still use those email addresses. If it’s a separate form, that’s a really good benchmark for knowing that things are totally compliant. I would basically just caution you, though, to make sure that you do a little bit of research if you have an email list and you’re worried about your compliance. Because there’s other things that are going to impact you, like CAN-SPAM laws and other things that have been in effect for a while.

Josh: Sure. Well, this has been great, super informative and super helpful. I hope all of you also feel that way. Thanks, Megan.

Megan: Yes, absolutely. If you have other questions around your compliance, definitely feel free to give us a contact.

Josh: All right. Thanks, everybody. Bye.