CCPA (California Consumer Privacy Act) is a comprehensive legislative package that many experts are saying will become standard baseline rules for consumer data practices here in the U.S. – soon. Very soon.

They’re about to become law. What’s more, they’re core and critical to the way you need to be thinking about your customer data.

(If you’re wondering what the specific regulations look like, you can find a good primer here.)

But CCPA and its older cousin, GDPR, are table stakes for how companies should be thinking about the customer data they keep, compile and use. Think of them as the lowest common denominators – the bare minimum you’ll need to consider to keep your organization compliant*.

*Basic CCPA compliance is no guarantee against liability.

Consumer expectations with regard to their personal data (PII) are changing fast. Consumers are becoming more aware of the risks they shoulder. They are becoming more aware of the value of their own data to brands they shop with. And they are becoming more aware of the commoditized buying and selling of their data on the open market. All of which changes the buyer / seller dynamic and gives a lot more weight to the customer in this kind of transaction.

Companies should expect that awareness – and the rights that consumers are demanding – to grow and become more one-sided over time. The wild west days of data are coming to a close, if they haven’t already done so. And to them we say good riddance.

We’ve spoken with several CIOs recently who have expressed that same opinion. The time for corporate hand-wringing is past. But what does this new world look like?

PwC breaks the regulations down into 5 major components. Companies serving or employing California residents may find these five CCPA requirements have the biggest impact on their business plans:

  1. Data inventory and mapping of in-scope personal data and instances of “selling” data
  2. New individual rights to data access and erasure
  3. New individual right to opt-out of data selling
  4. Updating service-level agreements with third-party data processors
  5. Remediation of information security gaps and system vulnerabilities

Note – that same article provides a side-by-side comparison of CCPA & GDPR scope & reach.

As consumers, we’re accustomed to the idea that we’ve given away bits and pieces of our souls through the dozens of EULAs (End User License Agreements) we’ve agreed to every time we use another app, website or software package. So it was with some side-eyed surprise that I opened a recent email from Strava – the workout tracking app – announcing their new, no-nonsense Privacy Policy. Unlike most companies that present a compendium of fine print to “agree” to, Strava seemed almost proud of their new simplified approach and encouraged users to click through to understand it. I did. And I can see why they’re happy to let their customers peek behind the curtain, so to speak.

What I found was uncommonly friendly and easy to understand. The main points of interest were presented with a simplicity and with a degree of humanity that I’ve not encountered in a Privacy Policy before. Yes, there’s still more text there than I care to read in its entirety but by providing something of an executive summary in an easy-to-read format, Strava has effectively enhanced my loyalty to them because of their transparency.

I think there is a lesson there. Maybe a few of them.

Customer loyalty is hard to come by and Strava has found a way to use something that typically creates a sense of fear and dread (albeit momentarily) and re-frame it in a way that lets me know they get it – that they get me. Not bad, Strava. Not bad at all.

Want to know what the approach to the new world of customer data is going to look like? Take a look at Strava. They get it.


This article originally appeared in TheCustomer.