If you decide to take our recommendation and get ahead of privacy compliance, you may be wondering how it relates to the third-party tools and apps you’re using. While this list isn’t exhaustive, it’s designed to give you an idea of how to handle different elements.
Google Analytics & CCPA
If you’re using Google Analytics on your website (and you should be!) this is probably where most requests will focus. In fact, if your site gets a lot of traffic (upwards of 50,000 unique visitors each month) then the law does actually apply to you, so this one is important.
Google is considered your service provider here as they are the ones that store the data. That means your job is simply facilitating the request. To do so, you’ll need the user to track down their Google ID. Here’s how:
- Ask the user to find their cookies in their browser.
- They should see one called _ga, with a string that looks something like: 2-2.318596131.1556642125.
- You’ll use this string of numbers to identify the ClientID. In this case, 1556642125.
- If the user finds multiple _ga cookies in their browser, they should send you all of them.
Once you have their ClientID, you can use Google’s User Explorer Report to pull any data.
At the bottom of the report there should be a button that says “Delete User,” which you can use to clear the user’s data. Google says 72 hours after pressing this button, the data is removed from the report, but it could take a full two months to be totally deleted from their servers.
Nitty, gritty details:
- The law says consumers have the right to request to see the data you hold, but an information request does not necessarily mean you have to delete the data. At Social Light, we created a form that separates simple information requests from data deletion.
- The law says you have to provide information you’ve stored over the last 12 months, but doesn’t say it can’t be collected in the future. This sounds like it’s being sneaky, but in fact it’s fairly practical when it comes to website cookies. Browsers tend to apply cookies automatically, so if you clear the user’s data in good faith, but then a week later they come back to your site and a cookie tracks them again, that’s okay. It would be onerous for you to constantly clear data for certain individuals, but you may want to suggest they install the Google Analytics opt-out to their browsers to opt out permanently.
If you’re running ads on Facebook and have a pixel installed on your site to track them, you’re totally okay. A pixel is different from a cookie because it doesn’t actually store data on your server; it sends info somewhere else.
In this case, when someone visits your site from Facebook, and then clicks on a certain button, the pixel sends the button click back to Facebook. That’s how they determine if there was a conversion. Despite the fact that the data comes from your site, it is stored in Facebook, so you’re off the hook.
Using Emails for Look-Alike Audiences
Here’s where it gets a little tricky around advertising. A number of platforms, like Facebook, give you the ability to build “look-alike” audiences from a list of email addresses.
The idea is you give Facebook a list of your customers, and they find new people with interests and habits similar to your existing customers.
You’re not actually selling the data, you’re using it for your own business purposes. That’s okay under the law. But if someone requests a record of what you’ve done with their information, you need to be able to:
- Tell them where and when their email was uploaded, and the reason. For example:
On August 1, 2019 we uploaded a list of our customers’ email addresses to Facebook in order to create a look-alike audience for our back to school advertising campaign. Your email was included in this customer list.
- Give them the option of opting out of any future inclusion.
Email Clients: MailChimp, Constant Contact, InfusionSoft
If you’ve worked hard to build up your email list, and have more than 50,000 email addresses, then it’s a good idea to be prepared to handle CCPA requests around email.
First and foremost, the law is meant to make it easy to opt-out. You should already be following rules from the CAN-SPAM Act by having an option to unsubscribe on every email campaign, so that should cover you in regards to CCPA.
If a consumer has requested information on how you’re using their email address, your email client should have information stored of when they opted in, and through what method (i.e. did you import them, or did they opt-in in order to download an ebook).
MailChimp actually makes it easy to export a full record of activity around an email. I expect that’s going above and beyond the requirements of the law, but it’s a nice feature to have!
CRMs: SalesForce, HubSpot, Insightly
CRMs come in all shapes and sizes. You might simply use a tool like Insightly as a digital phone book, or you might have a more sophisticated system that keeps track of a user’s activity on different channels (i.e. website activity, social media engagements and in-store purchases).
When it comes to the CCPA, you need to be able to tell a user what you’re tracking and how you’re using the information. My sense* is that you don’t need to reveal to a user you have an automated email set up to try to re-engage them 45 days after a purchase. Rather you could say something like:
We store your email in our customer database and contact you occasionally with information or offers to get the most out of our services.
*To be clear, we are not lawyers at Social Light, and this should not be construed as legal advice. This post is meant to offer tips for small businesses to honor any data requests, even if they don’t meet the requirements of the law. If your business does meet the size requirements laid out by the CCPA, we’d highly recommend consulting with a privacy lawyer.
Have more questions, or need help figuring out how to handle data requests? Give us a shout, we’ll do our best to help!