Consumer brands and selling consumer data: put these two things together and eyes start twitching.
No respectable consumer brand wants to have a reputation of selling consumer data. And who can blame them? It seems like consumer sentiment towards the topic has been shaped purely by headline-generating scandals and breaches. In a 2021 report from KPMG, 78% of consumers surveyed expressed fears about the amount of data being collected, with 51% saying they were specifically worried about it being sold. Which might be why only 17% of business leaders in the same survey admitted that their company actually sold data.
But while some of those business leaders may be trying to save face or avoid public backlash, my POV is that it’s nothing so nefarious. Chances are, the majority of them don’t actually know that they’re selling consumer data, even though, by certain very clear regulatory definitions, they are. And that can land them in some pretty hot water; not because it is bad, but because we as an industry are still shaping and reacting to changes in data privacy. To compete in today’s world, these are the types of areas which require education and the right investment.
This post will define what constitutes “selling” (henceforth italicized to differentiate from the colloquial definition of “sale”) under the California Consumer Privacy Act (CCPA), explain why most brands engaging in modern marketing techniques are doing it, and why they need to own it.
What constitutes “selling” data?
Since the inception of the California Consumer Privacy Act (CCPA) brands, advertisers, marketers, and solutions providers have struggled to interpret the meaning of a sale under the CCPA.
So let me clarify in no uncertain terms:
Under the CCPA, the practice of engaging in interest-based consumer advertising — e.g., remarketing or retargeting – is deemed to be a sale of consumer data.
Sure, it might not seem like using consumer intent data to remarket is a sale, but in this context – as defined by CCPA – it is. As PebblePost’s Chief Privacy Officer, I’ve had many conversations with brands regarding their obligations to disclose to consumers (among other CCPA requirements) that they are selling data when they engage in marketing with us, as well as with any other type of advertising that is interest-based.
The CCPA’s 2.0 version (which goes into effect in 2023) will help to clarify the definition of a sale, expanding the requirements to sharing consumer data, but if your brand is currently engaged in any interest-based advertising, the sooner you acknowledge and disclose this to consumers, the better.
With regard to PebblePost, the situation is slightly different. We do not sell customer data, or in the case of the CCPA’s language, “onward sell” that data. PebblePost simply uses the brand’s data to power our services and deliver the kind of high-performance Programmatic Direct Mail that our brands come to us for – but under the CCPA, when a brand engages marketing services using consumer’s data the brand is likely selling or sharing that data with marketing partners, such as PebblePost.
So I’m selling data… now what?
Now that it is abundantly clear that when you engage in interest-based advertising you are likely selling or sharing data, there are some things you need to do immediately to make sure you’re in compliance with California consumers’ rights under the CCPA.
2. Be Proud of Your Compliance
Just because you’re selling consumer data in this fashion doesn’t mean you’re doing anything nefarious or underhanded. We are proud that we’ve taken a strict interpretation and did not shy away from our obligations. We are compliant, we do not onward sell data, we have enhanced our platform to honor all CCPA requests, and we are SOC 2 certified.
3. Stay Informed
It can seem like there are new laws or regulations being rolled out every day. That can be a lot to stay on top of. That can often mean having a dedicated person to stay on top of these changes, or simply knowing which of your partners you can rely on to keep you informed.
With other state privacy requirements just around the corner (in 2023), PebblePost will continue to stay ahead of the privacy compliance curve and work with our partners’ counsel to navigate best practices and privacy requirements when working with us.