Marketing teams use BlueConic to manage customer data privacy and consent compliance worldwide. You can use BlueConic to manage privacy and consent across multiple legislation zones, including GDPR and CCPA/CPRA.
Note: BlueConic is not a consulting or law firm. This document does not constitute legal advice. We recommend you consult your organization’s legal and/or privacy experts to determine what is required for your specific organization.
Use BlueConic privacy settings for CCPA/CPRA compliance
From the BlueConic navigation menu, navigate to BlueConic settings > Privacy.
On the Privacy page, select US - California (CCPA/CPRA).
Note: If you already have consent management for GDPR set up, leave that box checked. (If it is currently in use in an Objective, it cannot be unchecked.)
If desired, check the box next to "Clean up profile" to clean up or remove profile properties when visitors withdraw consent for a certain objective.
Save your changes.
Note: From the Privacy page, each legislation zone can be designated as Opt-in or Opt-out when applied to an objective:
For customers within an Opt-in legislation zone, data will only be collected if the customer gives explicit consent.
For customers within an Opt-out legislation zone, data will always be collected unless the customer explicitly refuses consent.
For more information, review the article Privacy Settings.
Create marketing objectives to manage consent for CCPA/CPRA
In BlueConic, objectives outline your reasons for collecting marketing data for your visitors and customers. Privacy legislations such as CCPA/CPRA and GDPR require that you tell customers why you are collecting data and how they can opt out or in. In BlueConic, you use Objectives to manage and communicate these reasons to customers.
Choose More > Objectives from the BlueConic navigation menu.
On the Objectives page, click Add Objective.
Provide a name that describes your marketing objective inside BlueConic (e.g., Create personalized browsing experience).
Your visitors and customers will not see this name.
Next to "Require consent," click the checkbox for US - California (CCPA/CPRA) and any other applicable privacy legislation zones.
Enter a Consent title that explains your marketing purpose to your visitors and customers (e.g., Track website browsing behavior to receive a personalized browsing experience).
Your customers will see this title when you ask for their marketing consent.
(Optional) Add description text with details about your purposes for the customer data.
In the Contained items section, select the BlueConic objects associated with this data collection, such as connections or listeners that gather the data.
Here's where you define where the data is coming from or going to, so BlueConic knows whether or not to store the data based on your customers' consent. In our example, we have an SFTP Connection, a Keyword Interest Ranking listener, and a Behavior listener that collect customer data.
Save your settings.
Keep in mind that the items contained within an objective—the transfer of customer data via an SFTP connection, or collecting customer interests via a BlueConic listener—are only executed when the customer meets the Opt-in or Opt-out criteria of their legislation zone.
Request consent from customers using BlueConic dialogues
Now that you've created objectives, next you request your customers' consent using BlueConic dialogues. BlueConic provides privacy consent dialogues you can customize for CCPA/CPRA consent management.
Open the Dialogues page and click Add dialogue.
Select the Lightbox dialogue from the Add dialogue window.
Give the lightbox dialogue a name, for example, CCPA consent.
In the dialogue's Who tab, select the condition for who sees this dialogue by selecting Condition > Objectives. Then select the consent objective you created earlier: Create personalized browsing experience.
On the What tab, click Place on this page to place the dialogue. Then, in the right-hand panel under Properties > Styling settings, choose Load examples.
Select the Privacy consent via buttons example.
Click Edit to customize the default language that appears in the lightbox.
Hover over the template's buttons, click the Edit icon, and then click Edit. In the Privacy management - Manage consent window, open the Settings tab, where you can customize the button text and adjust styling and interaction settings.
In the Privacy management > Objectives pane, link this dialogue box with the CCPA privacy objective you created, Create personalized browsing experience.
Click Close and then Save your dialogue.
Now you're ready to ask for consent and see how this information is stored in visitors' profiles.
Employ CCPA/CPRA consent objectives in your marketing campaigns
As you activate your marketing campaigns, your consented objectives are stored as profile properties, which you can use for segmentation.
To see how Objectives are stored in customer profiles, choose Profiles from the BlueConic menu bar.
In the Privacy management tab, you can see objectives and privacy legislations related to this profile.
With privacy information stored in customer profiles, you can, for example, create a segment of customers who have all consented to your CCPA/CPRA objectives and send it to your ESP.
Open the Segments page, and choose Add segment to create a segment composed of profiles that have consented to one or more of your CCPA/CPRA objectives.
With BlueConic objectives, you have a secure way to store and activate consent information for privacy and consent compliance for your customers and visitors -- under CCPA/CPRA, GDPR, or other privacy legislations. Contact your BlueConic customer success manager to learn more about how you can apply these lessons to your marketing data.
FAQs
What is CCPA/CPRA?
The California Consumer Privacy Act, or CCPA/CPRA, aims to bring more transparency and control to California consumers. As part of this new legislation, California residents will have the right to:
Know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information
Delete personal information held by businesses and by extension, a business’s service provider
Opt-out of the sale of personal information
Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
Nondiscrimination in terms of price or service when a consumer exercises a privacy right under CCPA/CPRA
Where can I learn more about CCPA/CPRA?
Teams charged with managing CCPA/CPRA compliance should read up on the privacy act. For this FAQ, we used documents provided by the office of the attorney general in California and the National Law Review. We also suggest consulting with your legal team to understand how your company is handling compliance.
Who does CCPA/CPRA apply to?
Businesses are subject to the CCPA/CPRA if one or more of the following are true:
Has gross annual revenues in excess of $25 million
Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices
Derives 50 percent or more of annual revenues from selling consumers’ personal information
As proposed by the draft regulations, businesses that handle the personal information of more than 4 million consumers will have additional obligations.
What is the difference between CCPA/CPRA and GDPR?
The California Consumer Privacy Act (CCPA/CPRA) and the European Union’s General Data Protection Regulation (GDPR) are separate legal frameworks with different scopes, definitions, and requirements.
But a business that already complies with GDPR will likely have a leg up when it comes to complying with CCPA/CPRA. However, the two legislations differ from one another in specific ways.
For example, under GDPR, companies must undertake a data inventory and mapping of data flows in furtherance of creating records to demonstrate compliance. Additional data mapping may be important to reflect the different requirements under CCPA/CPRA.
Under GDPR, companies must develop processes and/or systems to respond to individual requests for access to personal information and for erasure of personal information. These processes and/or systems may be applied to handling CCPA/CPRA consumer requests, although businesses may need to review and reconcile the different definitions of personal information and applicable rules on verification of consumer requests.
For other specifics on how these two legislations differ and how your company is handling these legislations, consult your legal team.
How does CCPA/CPRA define personal information?
According to the National Law Review, the CCPA/CPRA defines personal information broadly to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household. Significantly, the CCPA/CPRA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (more on this below).
The statute provides a non-exhaustive list of categories of personal information, including:
Identifiers including real name, alias, postal address, unique personal identifier (UUID), online identifier, internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
Characteristics of protected classifications under California or federal law
Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
Biometric information
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
Geolocation data
Audio, electronic, visual, thermal, olfactory, or similar information
Professional or employment-related information
Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA)