“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Cory Munchbach, president and COO of BlueConic.
You’ve heard the news: Sephora is the first company to be fined under the California Consumer Privacy Act (CCPA) to the tune of $1.2 million.
According to California Attorney General Rob Bonta, Sephora received the fine because third parties were able to create consumer profiles by tracking whether they were using a MacBook or a Dell, the brand of eyeliner they put into a basket and even their precise location.
Sephora’s relationship with these third parties constituted a sale of consumer information under the CCPA, triggering basic obligations such as informing consumers and providing a way to opt out. However, Sephora failed to do that.
So what does this first instance of CCPA enforcement mean for other brands and the future of privacy?
The complexity of privacy
There are a few parts of this enforcement effort that are notable, particularly the characterization of it as a settlement and “public enforcement action” rather than explicitly a fine. In fact, Sephora doesn’t even have to admit any liability as part of the settlement. The fine is also a relatively small amount for a company that is reportedly spending well over $100 million per year on digital advertising. Plus, it’s unclear how the AG arrived at this figure.
Nevertheless, it’s a start. The industry needed it to progress meaningfully.
The problem with CCPA, GDPR and almost all existing privacy regulations is how loosely they are written. Data privacy is complicated to get right. In the scramble to deal with third-party data deprecation, most marketers have been tossing the subject over to legal teams or ham-handedly attempting to manage consent across dozens of platforms.
But the latter approach in particular introduces enormous latency and risk. Without a centralized solution for collecting consent, preferences and first-party data directly from customers – and synchronizing that consent across data sources and delivery channels/platforms – is it any wonder that protecting consumer data privacy is a losing game?
Sephora is far from the only company still failing to embrace a centralized first-party data collection and governance model. That’s likely because they’re still approaching privacy from the lens of “How can we continue to collect data while staying on the right side of the law?” They should instead be asking, “Have I fostered the kind of trust necessary for customers to share the data I need to provide ongoing value?”
Prioritizing privacy is a must
Marketers and customer experience teams have one of two choices. They can either be pulled along with all the privacy changes against their will or proactively start thinking about how they’ll handle data collection and governance.
Taking these steps makes good business sense, precisely because it’s also better for the consumer. Studies reveal that consumers are becoming increasingly intentional about what data they share and with whom. A whopping 87% of respondents say they would not do business with a company if they had concerns about its security practices.
By embedding privacy considerations into their larger business strategies, companies can build longer, more loyal relationships with customers.
Like it or not, privacy is coming for you. But it can also be an enormous opportunity. As it stands, over 120 countries have national privacy laws, and more U.S. states are enacting privacy bills. Not pivoting fast enough will damage your customer experience, impose fines on your business and put your brand reputation at risk. The time to act is now.
Follow BlueConic (@BlueConic) and AdExchanger (@adexchanger) on Twitter.
For more articles featuring Cory Munchbach, click here.
