While compliance with the CCPA may seem daunting, many marketers view it as a continuation of the work they did to comply with the GDPR. Tim Geenen, General Manager and Co-Founder of Faktor, a LiveRamp company, shares how his company shepherded its clients through the GDPR compliance process and how Faktor continues to work with them on how they interpret the law and use their consent management platform (CMP) to reflect this.
Listen to the podcast or read an excerpt of our conversation to learn how you can apply Tim’s learnings to your data and regulatory compliance strategy.
Albert: We’re seeing the CCPA come out soon in the U.S., in addition to the GDPR, which went into effect in 2018. What are some of the key differences you’re seeing right now between the EU and the U.S.’ approach for privacy?
Tim: There are quite a few interesting differences. I think the first one everyone relates to is opt-in or opt-out. Do I need to have informed explicit consent from a user before I can continue and collect and activate data? I think in the U.S. with CCPA it’s a bit different. The CCPA explicitly states that you need to have proper disclosures and you need to inform the consumer what’s going on, like which data is being used and for what. It’s an all-around ‘do not sell my personal data’ request, whereas GDPR relies on an opt-in or consent. That seems to be the key difference.
I would also argue that in Europe we were very happy to have a law that covers all the countries. Here, with CCPA, it’s California only. I do think that other states will follow with their own interpretations and privacy laws—it’s a similar trend that we see globally. Consumers are increasingly aware of privacy and platforms are under scrutiny, and the reality is, things need to change.
Albert: I understand that the opt-out to consent, ‘do not sell my data,’ and the lack of a federal law for privacy make things difficult for marketers. Are there any other aspects of consent management that you feel are important for global marketers to understand to comply with the GDPR, CCPA, and any other regulations coming down the line?
Tim: I think ultimately we’ll deal with privacy regulations globally. I think in different states, countries, and continents you’ll see various privacy laws—they will be in effect pretty much everywhere. If you’re a global marketer or a global publisher, it’s going to be very tricky to figure out how to manage that on a geographic level. That’s also why we’re redesigning the platform at the moment so we can serve the proper notice—the proper configuration—to the user depending on their geographic location and which interpretation or law there is. This is not a small feat.
What we’ve seen with GDPR is that our clients all face the same issue—they all want to solve their GDPR challenges. GDPR is one law, but somehow, all of our clients interpret it differently, and we didn’t expect that. We expected an out-of-the-box product—you install it, you rent it, and your pain goes away—but it wasn’t like that. Each of the companies we work with had a different interpretation of what that law meant to them. I see the same thing happening in the conversations we have around CCPA.
When we went into these companies and met with the individuals involved, we found ourselves sitting around the table with six or seven people who had different functions within the same company but had never met each other. Before GDPR, they never had to collaborate with each other, and that was all changing. So we made sure that our software is flexible and that it interoperates with existing technologies, but also made sure it can be changed on the go, and that’s a different challenge. If you make changes to your privacy notice or your privacy settings, you need to keep an audit trail. That’s something we have solved for.
Albert: That sort of flexibility is key for companies, and it makes total sense. My next question is regarding the consumer point of view. If all these companies are interpreting the laws differently, how does that reflect on the consumer? Do you think they’re starting to pay more attention, and if they’re paying more attention, do they really understand what’s going on?
Tim: That’s a very difficult question with several answers to it. First of all, there’s the value exchange. If you’re a consumer and you want access to a website or an app—for example say you want to play a game, watch a video, read the news, or do your banking—there’s a trade-off. The company that’s offering you these services either needs to monetize your visit or they need personalization in order to deliver the best service. That value exchange hasn’t really been clear. A normal consumer doesn’t expect that if they read an article on a website that it’s being paid for by advertising.
We actually did field research. We went out and interviewed people, and it quickly became apparent that they didn’t have a clue—and most of them didn’t want to know. If you look at the analytics behind their consent management platform, by far, most people automatically click ‘I accept all’ without investigating first.
But there’s a growing number—and it’s still a single-digit percentage—of people who go into our platform and actually toggle around and make changes to their advertising or social preferences. But if you’re a publisher, that user has effectively become less monetizable to you. Do you have a different solution for that in place? I think that’s the discussion that we see at the moment around choice. Do publishers have a right to monetize and/or do they also have the right to effectively set up a pay wall and present the user with a choice: share a certain amount of your data or buy a subscription to our publication.
I think once that starts happening, people can make a better choice. Yes, there’s a detriment that you’ll end up paying for something that was previously ‘free,’ but there really is no such thing as ‘free,’ and I hope both companies and consumers increasingly become aware of that, because then you can start to talk about an actual value exchange. You can truly start to talk about privacy and what that means.
When we started Faktor, obviously we wanted to give consumers control and choice over data, but we thought that the upside would lead more to a first-party internet, where consumers take control over their data and share it with you. We did a test and it turned out they didn’t really understand what that meant. They didn’t want to take control over it and they certainly didn’t want to pay for it.
Albert: It sounds like consumers don’t really understand the value exchange, but they also don’t understand that the internet, at the end of the day, just isn’t free. You made a great point earlier about the GDPR and how it means companies need to be more up front and transparent with consumers about why they should share their data. How do you think regulations like GDPR help consumers understand the value exchange? How do you think that might compare with the post-CCPA world?
Tim: Interesting, because that happens when websites and apps make changes—it triggers the attention of their everyday users. If they have to make a choice about whether to buy a subscription or effectively pay with their data, it leads to a healthy discussion. There’s still a lot of work to do—don’t get me wrong—but once consumers become aware of the companies that collect their data and what they do with it, the consumer can reach out and ask questions or object.
If you want to a privacy-safe way of browsing the internet, there are absolutely ways to do that, but let’s be realistic, that’s not going to be everywhere. I think it’s the right of the company not to actually refuse the service, but to offer a different type of service. As long as that’s clear and transparent, I don’t see any harm.
Albert: That’s really interesting. I was just saying that’s one of the stipulations of the CCPA which is the right to equal service. Also interestingly enough with regard to the CCPA versus the GDPR, the opt-in versus the opt-out deployments mean that sometimes the user might not be making that sort of choice. They might not understand what’s going on. How do you think that would influence their reactions?
Tim: With GDPR you have to make a decision, that was also part of the law. You have to make a decision about whether or not you are okay with sharing your data or not. With CCPA and the right to equal service, the fact that you cannot offer different services based on whether or not a person wants their personal data to be sold is a discussion point that will come back very often in the next three to four months. I do feel that it’s open for interpretation.
Pre-GDPR, we had the same discussion, and we still have an ePrivacy legislation that’s coming up. Everyone was saying, ‘we’ll cover that there.’ This same point [in ePrivacy regulation] is about conditional access to web or app environments. What we see is that some of the European countries don’t want it while others do. There’s a difference of opinions shockingly. I see that happening with CCPA as well when it comes to approaching the right to equal service and many other aspects of the regulation.
To learn more about CCPA, download our ebook.
The information provided in this podcast does not constitute legal advice. Please consult your legal counsel to obtain legal advice.