Consumer brands and selling consumer data. Put these two things together, and eyes start twitching.
No respectable consumer brand wants to have a reputation of selling consumer data. And who can blame them? It seems like consumer sentiment towards the topic has been shaped purely by headline-generating scandals and breaches. In a 2021 report from KPMG, 78% of respondents expressed fears about the amount of data that is collected. And 51% said they specifically worried about it being sold. This might be why only 17% of business leaders in the same survey admitted that their company actually sold data.
But while some of those business leaders may be trying to save face or avoid public backlash, my POV is that it’s nothing so nefarious. Chances are, most of them don’t actually know that they’re selling consumer data, even though, by certain very clear regulatory definitions, they are. And that can land them in some pretty hot water; not because it is bad, but because we as an industry are still shaping and reacting to changes in data privacy. To compete in today’s world, these are the types of areas which require education and the right investment.
This post will define what constitutes “selling” (henceforth italicized to differentiate from the colloquial definition of “sale”) under the California Consumer Privacy Act (CCPA). It will explain why most brands engaging in modern marketing techniques are doing it and why they need to own it.
What constitutes “selling” data?
Since the inception of the California Consumer Privacy Act (CCPA) brands, advertisers, marketers, and solutions providers have struggled to interpret the meaning of a sale under the CCPA.
So let me clarify in no uncertain terms:
Under the CCPA, the practice of engaging in interest-based consumer advertising — e.g., remarketing or retargeting — is deemed to be a sale of consumer data.
Sure, it might not seem like using consumer intent data to remarket is a sale. But in this context – as defined by CCPA – it is. As PebblePost’s Chief Privacy Officer, I often speak with brands regarding their obligations to disclose to consumers (among other CCPA requirements) that they are selling data when they engage in marketing with us, as well as with any other type of advertising that is interest-based.
The CCPA’s 2.0 version (which goes into effect in 2023) will help to clarify the definition of a sale, expanding the requirements to sharing consumer data, but if your brand is currently engaged in any interest-based advertising, the sooner you acknowledge and disclose this to consumers, the better.
With regard to PebblePost, the situation is slightly different. We do not sell customer data, or in the case of the CCPA’s language, “onward sell” that data. PebblePost simply uses the brand’s data to power our services and deliver the kind of high-performance Programmatic Direct Mail that our brands come to us for – but under the CCPA, when a brand engages marketing services using consumer’s data the brand is likely selling or sharing that data with marketing partners, such as PebblePost.
So I’m selling data… now what?
Now that it is abundantly clear that when you engage in interest-based advertising you are likely selling or sharing data, there are some things you need to do immediately to make sure you’re in compliance with California consumers’ rights under the CCPA.
1. Update Your Privacy Policy Opt-Out Process…Now!
You must disclose this in your privacy policy in as clear and transparent a way as possible and give people the right to opt-out of the selling of their data — and that means not shying away from the word “sale.” Since 2019, when the CCPA was just around the corner, we have leaned into the ugly word sale and informed our partners that when you engage PebblePost’s services, you are selling consumer data to us.
2. Be Proud of Your Compliance
Just because you’re selling consumer data in this fashion doesn’t mean you’re doing anything wrong or underhanded. We are proud that we’ve taken a strict interpretation and did not shy away from our obligations. We’re compliant. We do not onward sell data. We’ve enhanced our platform to honor all CCPA requests. And we are SOC 2 certified.
3. Stay Informed
It can seem like new laws or regulations show up every day. You may need a dedicated person or partner to stay on top of these changes and keep you informed.
With other state privacy requirements coming (in 2023), PebblePost will continue to stay ahead of the privacy compliance curve. We’ll continue working with our partners’ counsel to navigate best practices and privacy requirements when working with us.