Six Ways Eloqua Can Help You Comply With The California Consumer Privacy Act (“CCPA”)

On January 1st, 2020, California’s new privacy, the California Consumer Privacy Act “CCPA” law goes into effect. The law is rigorous and complete. You can expect other states to follow. Ideally other states will be exactly or very close to the California law. Ideally, making sure you are ready for California means you can be ready for the other states, too.

Fix Your Attitude - CCPA is a Marketing Opportunity

It is easy to develop a bad attitude about new regulations, they are often scary, costly and without benefit. However, in this case, I’d encourage you to have a good attitude. Legitimate and well meaning companies will thrive with this new law. It is a chance to usher in better practices for handling consumer data. Less scrupulous actors will either shape up or be removed from the playing field. Also, because the law will affect your competitors equally, it means barriers to entry will rise. Barriers to entry always help with price protection. Plus, you might be able to steal away consumers with one of the law's little known requirements - data portability. So, let’s tackle this together!

A Practical Summary of CCPA

Here is a summary of the law based on my own experience and analysis. (Emphasis: This is a summary. I am not a lawyer. This is not legal advice. Use this article to get started, not to get finished!) You can read the actual regulation here: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB1355

1. This goes into effect January 1st, 2020
2. The regulation applies to businesses (B2C) that deal with consumers in California. It does not apply to B2B. If you are B2B marketer please double check my claim. Point your lawyer to Section 8, 1798.145, (I) (1) which I have copied at the bottom of this blog.
3. It looks to me like California almost hit copy/paste on Europe’s General Data Protection Rights (“GDPR”) law. If you are GDPR compliant, you won’t have a lot of difficulty meeting the CCPA requirement. Note: There are subtle differences, so be sure to read the fine print.
4. This law is bigger than just one system. Just making some configuration changes to Eloqua and say “we’re good with CCPA” because the law is broader than any one system. You will need to provide an 800 number for California residents to call as well as do the things below. One final challenge is thinking through how you will verify that the person who is requesting their info is really the person they claim to be and so forth. I do not cover methods for doing these things here as they are outside the scope of Eloqua.
5. The law gives consumers power over their own data in your systems. This means consumers have the right to:

• Know what information you have about them.
• Correct their information.
• Tell you not to market to them.
• Request you remove their information from your systems
• Provide their information to them so they can give it to your competitor. Idea: Might there be an opportunity here for you to get information from a consumer from your competitor?

These rights mean that you will need to have processes in place to handle requests from consumers and those processes will involve a lot more than just Eloqua.

How Eloqua helps with CCPA Compliance

There are a lot of tools Eloqua already has that assist with CCPA compliance. Using these tools will help you get on your way to CCPA compliance quickly.

1. Provide forms that allow consumers to request their rights. For all the rights above, an Eloqua form that captures and centralizes the requests allows you to manage consumer requests from a single place, send consumers automatic acknowledgement of their request and route the request to the right internal department for processing.
2. Evaluate your customer preference page. Almost any customer preference page will allow consumers to globally unsubscribe as well as allow them to pick and choose the email groups they wish to receive. You might want to provide a link on this landing page that allows Californian’s to navigate to an additional page with their CCPA rights.
3. Evaluate your customer data and forms – You might find that requiring customers to specify the state in which they have residency is now mandatory, which means your forms are going to have to include this field and make it required.
4. Adjust your customer profile (and forms) to allow people to opt out of having their information sold if they are a California resident. I.e. Do Not Sell My Personal Information should be a check box on forms.
5. Evaluate your customer data – If you do not know the state where many of your contacts live, you might consider sending them an email from Eloqua encouraging them to provide your address so you can manage them properly. This idea will not apply to all Eloqua systems equally because you might be able to enrich your customer data from other sources within your means (such as other applications).
6. Create a report in Eloqua that tracks the date and volume of the CCPA related requests. It might also be a good idea to track the status of those requests on the contact profile or with a custom data object. You can use this report to ensure that you are responding to consumers within the time allotted (usually 45 days) for most requests.

CCPA Beyond Eloqua

Based on the brief summary above, I am sure you realize that managing CCPA compliance is bigger than merely Eloqua. Here are some things to consider:

1. Who will handle CCPA requests? When a request comes in from a consumer, it might be a good idea to have an email alias that receives an alert. As you iron out your process and get a feel for the volume of requests you will receive, that will allow you to be flexible.
2. Where is consumer data stored? Chances are your consumer data is stored in a lot of different locations (Marketing automation, CRM, Financials, Order Management, etc.) When a consumer requests their “right to be forgotten” you’ll have to find a way to purge their data from all of these systems and document it. You will need a check list and a procedure to ensure that data is removed.
3. How can you export consumer data efficiently? When a consumer requests their data transferred to another company, you have to give it to them in a reasonable format. The law is not clear about that, but my guess is that an export into a CSV file should meet that criteria. Be sure to create a checklist of all the places where data should be exported.
4. For more information about the law itself, I also found this blog article which had a lot more legal interpretation of the law. You might want to check it out: https://www.jacksonlewis.com/publication/california-consumer-privacy-act-faqs-covered-businesses

Want Some CCPA Help?

Motiv believes that improving customer experience makes lives better. If you want our help with CCPA and making your customer’s experiences better we provide best practices, implementation and systems integration across most of the Oracle Customer Experience suite. To inquire about our CCPA practice, please visit us at https://go.motivcx.com/power_2037_ccpa

About Motiv

Motiv believes that improving customer experience makes lives better. Our clients are ambitious people who are taking bold risks (often their career and reputation) to challenge the status quo and make the customer experience of their company better. These brave people (we call them Motiv-ators) tap Motiv to aid them on their quest. Motiv’s 100% focus on customer experience allows Motiv-ators to consider Motiv a trusted adviser. Motiv has analyzed every Oracle Customer Experience application and organized its capabilities into a series of Powers (e.g. The Power to send email to Canada legally, The Power to cross sell to Customers) and structures every engagement into a collection of Powers. Motiv’s mission for 2020 is to enable 2,020 powers for Motiv-ators within the year. Will you help us achieve our mission?

Footnote: The section below is from https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB1355 The bold emphasis is mine:

Section 8, 1798.145, (I) (1)

The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.