What the Sephora case means for a typical business: some basic CCPA approaches

Freaking out about CCPA (and soon CPRA) compliance? Especially after the Sephora case?

I have worked on CCPA stuff from both sides—the privacy advocate point of view (I was one of the co-authors of the Consumer Reports CCPA agent study) and from the business side. Although the regulations can look confusing at first, it turns out that most of the work needed to comply with CCPA is pretty much common sense. Although some vendors offer specialized software to help you handle CCPA requests from consumers, there are good and bad processes both with and without specialized CCPA tools. Tools can help if you have the fundamentals right, but don‘t help if fundamentals aren‘t addressed first.

Here are some CCPA basics (that have other benefits, too.)

Finish up your CRM project: You already know it‘s a good idea to move all customer and prospect info into CRM, for lots of reasons including not just compliance and security, but also marketing effectiveness. By far, the best use of your CCPA compliance time and budget is continuing or restarting your company‘s CRM project. The fewer places to check where a person‘s info might be, the more quickly and accurately any CCPA task can be completed. Put old data stores into “archive” status so you are no longer required to search them when handling a CCPA RtK or RtD.

Train and empower customer service reps: CCPA “right to know” and “right to delete” senders are all individuals. A response that‘s technically compliant but leaves a specific question unanswered is going to cost more time than an informed response. A little human attention gets them satisfied that you‘re basically doing the right thing. Most companies don‘t get enough volume of CCPA RtKs to justify a specific tool for it, but empowering the people who answer calls and emails can help do better at other tasks, too.

Buy ads from compliant sources: Check your ad logs, and don‘t accept any impression if you don‘t know where it ran! Buy direct when you can. Look for sites your customers read, sites that come up in customer support chat, and sites that mention your company.) Avoid agency or service provider defaults that put ads on “confidential” or “unknown” sites, because they are likely to have brand-unsafe or otherwise risky content, and raise privacy questions when people see ads there.

Check your software supply chain and run QA tests: Many CCPA issues are the result of a default setting, or sample code copied from a pre-CCPA document. Removing old tracking pixels and scripts is good software housekeeping, and makes it easier to do the small code changes that are required (Global Privacy Control is one line of JavaScript, easy to add if the rest of your code is easy to keep up to date, test, and deploy.) This isn‘t just good for compliance—it also helps with audience data leakage and makes the site work better for users.

Listen to customers: People will tell you where they found out about you if you ask nicely. Sometimes the best marketing data isn‘t from a marketing project at all, it comes from sales and service people who spend all their time helping customers. You can optimize advertising and content marketing budgets buy running ads on domains that show up in customer surveys, help requests, and other communications – saving money on conventional social and web advertising, and avoiding the compliance issues they create.

Participate in the online communities that customers use: Reading is fundamental. Real content that‘s of interest to humans is generally no more expensive to advertise on than low-engagement, made-for-advertising, content that creates compliance risks. Read what people are saying about the markets that you participate in, and yes, read the blog comments. The same content creators that you‘re working with for influencer marketing or a reviews program are the ideal starting point for a list of known good sites to advertise on.

You may end up deciding to go with dedicated compliance-ware. But before you line up a demo for a CCPA-related software product, get the basics right and they will help either way.