This big privacy penalty is a cautionary tale for all


How to make sure you’re on the right side of CCPA to avoid expanding crosshairs 

It sorta came from out of nowhere. 

A well-known retailer was recently hit with a $1.2M fine for a CCPA data privacy violation. Media outlets reported the action as the first CCPA enforcement. 

Translation? There will be others. Hopefully, not you. 

I don’t want to link to the reports or even disclose the retailer involved. My take is this was mostly bad luck (someone had to be first), but also that there’s going to be a lot more bad luck to go around. And that this particular unlucky retailer likely runs a marketing operation not dissimilar to many, many others. 

From what I can tell, the violation primarily stemmed from misplaced trust in a third-party data provider, failure to properly notify customers they’d collected certain data and being ill-equipped to respond to customer requests on the matter. It’s evident that the non-compliant data represented a very small percentage of the retailer’s overall data operation. 

No matter. A violation is a violation, however “small” in the grand scheme of things. 

Welcome to a world where regulation is swirling but still quite new, old processes have yet to adapt, and legacy data providers are failing to serve the best interests of their buyers. 

Can it happen to you? 

Have you validated that the companies supplying data to you have not only permissioned that data but are authorized to sell or share it with you? When you use that data in campaigns, are you doing so based only on the specific uses defined when consumers gave consent? Can you respond to customer privacy complaints within 30 days? 

If you answered no to any of those questions, then it can most certainly happen to you. 

This is by design. Too many bad actors flouted common sense rules for too long. It couldn’t be easier for consumers to give express consent or permission for data usage. Now it’s on all the reputable stakeholders to ensure they color only within the lines when it comes to using it. 

Privacy is not the only factor at play

This isn’t just about privacy though. This is about control. Control of the ad market. Control of consumer data. 

Just over a year ago, we said “Apple is not your friend.” We accused them of privacy theater as they put tighter controls around what kind of consumer data escapes their platform. 

It was quite obvious they were simply building their walled garden higher and higher. In the past year, we’ve seen a very public spat with Facebook on data. We’ve seen iOS 15 make email marketing more challenging. 

It turns out that, as we suspected, Apple simply wanted all that data for itself so it could launch its own ad solution and make it harder for others to compete. Apple users basically sign all their privacy over to Apple, and now Apple can monetize that data as it sees fit. 

At the core of competition, in an environment that looks drastically different than it did even just a few years ago, is consent. We know it’s easy for Big Tech providers like Google and Apple to manage consent (i.e., use our service and you consent). We also understand it’s a lot harder for others, even major brands. 

At BRIDGE, consent is at the core of our business. It’s exceedingly complex but we’ve made it a focus for so long, we understand how to maximize success on this front for our customers and partners. 

We’ll spend more time diving into the nuances of this evolving discussion in future posts. In the meantime, here are some top-level thoughts for any brand that doesn’t want to get caught in the CCPA dragnet:

  • Pseudo-anonymized data is risky. If you’re still relying on pseudo-anonymized data in your campaigns, don’t. It’s impossible to tell for certain that this is a real person, which means you can’t eliminate them from your database if a complaint is filed. 
  • Real data doesn’t = permissioned data. Using information based on real people is a huge step in the right direction, but it’s only a start. You need to ensure you have the proper permission to use the data for each specific use. 
  • Complying means replying. You have 30 days to reply to consumer complaints or removal requests. If a consumer wants to opt out, make sure you opt them out of everything and that you are able to do it quickly. If they want to know what data you have about them, it should be at your fingertips because that also needs to be shared quickly. 

The good news for all brands is the support you need exists. The bad news is that this is a problem that won’t simply go away if ignored for long enough. 

Don’t be the next cautionary tale. Let us know today how we can help. 
