What the U.S. Can Learn From the EU’s Privacy Laws

Using GDPR as a road map for navigating CCPA

We'll likely see what's happening in the EU with GDPR play out in a similar fashion following the CCPA. Twitter: @caprivacyorg

With just over a year until the California Consumer Privacy Act (CCPA) comes into effect, it’s time for U.S. publishers to get their data affairs in order. There’s a lot they can learn from the GDPR.

With the CCPA still subject to amendment, publishers could be forgiven for delaying preparations, but they must get ready for the inevitable privacy changes, in whatever form they eventually take. Here’s what they can learn from the EU and the GDPR.

Take a positive view

As a workaround for GDPR, some U.S. publishers blocked European traffic, and more than 1,000 websites are still unavailable to EU readers. But applying this tactic to California residents is problematic because geo-targeting tools aren’t completely accurate, and it could result in significant revenue losses. Even if publishers attempt this practice initially, it won’t be sustainable as more states and regions, like New Jersey and New York City, implement their own laws.

Rather than walking away from revenue by blocking traffic, publishers should embrace privacy regulations as a positive step. In the EU, we see consent rates of up to 90 percent, indicating readers welcome the changes. With the CCPA strictly an “opt out” law where readers are not required to affirmatively consent to personal data use, it’s likely even fewer readers will object to data processing.

Start preparing now

Complying with data regulations takes effort and resources, so publishers should start preparing now. Although the nature of the CCPA means the CMPs we see in Europe are unlikely to be necessary, there is still work to do, and those who end up rushing things are bound to regret it.

Before GDPR came into effect, many companies hadn’t given much thought to what the regulation required. In fact, it’s only now, when the first fines are starting to materialize, that some businesses are taking it seriously. The regulation crept up on publishers, with compliance solutions still under construction weeks before the enforcement date.

In Europe, the IAB stepped in to assist compliance with its GDPR-related Transparency and Consent Framework, but it remains to be seen whether an industry association will help drive the CCPA. Currently, the IAB in the U.S. is pushing for a federal privacy framework to avoid a patchwork of state laws, so it’s unlikely to take action to simplify CCPA compliance.

For EU publishers, a lack of preparation often meant pausing regular activity to devote all resources to compliance. If U.S. publishers learn one thing from the GDPR, it should be to build CCPA compliance activity into their day-to-day schedules now, making it part of the conversation at team meetings so they aren’t playing catch-up in 12 months.

Understand data flows

A major step toward compliance is understanding the data flowing through the organization: where it comes from, where it is stored and who it is shared with. Publishers can use numerous online tools to undertake audits, map data flows and document the personal information they hold.

As with GDPR, the CCPA gives consumers the right to access and delete personal data. Publishers should consider how they will fulfil such requests, as this may be their biggest challenge. Four months after GDPR, 70 percent of companies in Europe still couldn’t comply with requests within the required time limit. The good news is that publishers who are already GDPR compliant will have a significant leg-up with the CCPA.

Put the user first

It’s easy to forget privacy changes are for the benefit of the reader. Publishers should always strive to put the reader experience first and shouldn’t be dragged into that by legislation. Some publishers with annual gross revenues under $25 million may be exempt from CCPA, but they can still embrace its spirit and be respectful in consumer data use. Improving the reader experience will increase engagement with content, attracting higher paying advertisers and opening doors to other revenue streams such as subscription and native commerce.

Measures such as updating privacy policies at least twice a year to fully disclose data practices, displaying a “Do not sell my personal information” homepage link and delivering equal service to users who choose to withhold their data all demonstrate respect for the reader while allowing publishers to comply with CCPA.

Consumer privacy is undergoing an unstoppable evolution and as the regulatory landscape changes, publishers all over the world will feel the impact. With CCPA looming as the next big change on the horizon, publishers could learn lessons from its predecessor and spend the coming months preparing for its enforcement, understanding their data flows and ensuring they put user experience at the heart of activities.


@DigitalAndy Andy Evans is chief marketing officer for Sovrn.