Certainties might be few in the time of Coronavirus, but data regulation is still one of them.

There was a moment when it looked as though COVID-19 disruption could be set to derail the long-awaited California Consumer Privacy Act (CCPA). In a letter to the attorney general, multiple trade organizations and businesses asked for enforcement of the CCPA to be delayed in light of current pressures. Privacy advocate Consumer Reports even felt the possibility of deferral was real enough to launch its own plea for the legislation to go ahead.

The ambiguity didn’t last long. The CCPA will arrive on July 1st as planned, and that means businesses have just a few months grace to get their data affairs in order; publishers included.

12 weeks in: the CCPA so far

Officially, the CCPA went live months ago when the act became law on January 1st, 2020. But suspended enforcement has driven a relaxed attitude to compliance. Ahead of the legal deadline, only 30% of US security professionals said their companies were CCPA-ready and, judging by recent evidence, it seems this leisurely approach has continued post activation.

According to PwC, just 16% of American companies currently offer a do-not-sell (DNS) link on their sites — as per the CCPA requirement to ensure consumers can easily opt out — and around 40% have a data portal where users can exercise other rights, such as data access or deletion. An article in TechCrunch also cites the example of one California resident who tried to use their rights and felt the process was deliberately confusing, pointing to overly complex navigation and a suspicion ‘dark patterns’ were being harnessed to direct user choices.

With confirmation that there will be no last-minute CCPA extension and many other US data regulations looming — including legislation in Nevada and Maine — it’s clear that publishers need to start dialing up their privacy efforts and set a speed course for responsible data use.

Putting consumer needs first

Once, the data regulation conversation revolved around raising awareness of the data value exchange; where consumers share information in return for varied benefits, such as relevant content. That’s no longer the case: 76% of consumers globally know allowing data access is often necessary, but a further 86% feel companies have a responsibility to protect their data.

If publishers want to maintain positive audience relations, they must keep up their end of the data value deal. Part of that is actively following data law, but there is also a need for publishers to show their commitment to respecting core elements of data privacy.

1. Ongoing transparency:

Above all, what audiences want is clarity about what steps companies are taking to keep their data safe and how it’s used. In fact, transparency into data practices and whether it is shared or not are listed as two of the biggest consumer priorities for ethical data management. As a result, the best way to meet CCPA requirements and retain long-term consumer confidence is offering complete visibility into data processes and user-friendly data options.

At a practical level, this includes making sure DNS links are not only present and prominent on sites, but also set up to automatically signal downstream to tech vendors so they can put user preferences into instant action. Details of how and why personal data is collected, and who it’s shared with — especially when it comes to advertising — should also be easy to find and understand. For a more in-depth guide, see the Interactive Advertising Bureau’s (IAB) purpose-built CCPA Compliance Framework for Publishers and Technology Companies.

2. Comprehensive oversight:

As obvious as it sounds, publishers can’t provide greater user control and a more open view into data processes until they understand what happens to the information they gather. In other words, they need a sharp data strategy. Focusing first on better oversight, publishers should consider adopting a holistic data storage system that brings their consumer insight together in one place. This will make it simpler to track what data they have and apply robust security measures — not to mention streamlining responses to data access or deletion requests.

With the CCPA’s firm emphasis on data sales, monitoring external information flow is also a major priority. Defined as the exchange of information for financial gain “or other valuable consideration”, data sales covers many bases, including ad targeting. Publishers must keep close tabs on all the third-parties they share data with; making use of industry specifications such as sellers.json or ads.txt to obtain a clear view of data handlers down the supply chain.

3. Data minimalism:

Finally, there is the importance of maximizing data efficiency. After they have taken stock of data stores, publishers will be in a stronger position to decide which data is essential to deliver the engaging content experiences consumers love, and which isn’t; meaning they can keep data use minimal and further demonstrate their commitment to safeguarding user privacy.

For example, when it comes to digital ads, this could mean moving away from data sources that remain a grey area under the CCPA — such as inferred data — and leveraging their own contextual insight to serve natively targeted ads that boost relevance without personal data.

As the window for publishers to avoid the penalties of non-compliance closes, the opportunity to reap the rewards of higher consumer trust and lifetime value is fading too. By regulating data collection, processing and sharing, the CCPA gives publishers a chance to build closer ties with their audiences through enhanced transparency and security efforts that prove their dedication to protecting user privacy. Those who embrace the law and move to implement a stronger data governance will therefore be the ones that benefit from more positive audience perception and sustainable success. And the sooner they do so, the better.