Securiti Launches Industry’s First Solution To Automate Compliance


The Impact of CCPA on Marketing: 2024 Survival Guide

Published June 3, 2021 / Updated December 13, 2023

Listen to the content

We have stepped into an era where everything is digital. From the clothes that we buy to the image we put up of ourselves, our qualifications and even the food that we eat, everything has gone digital. According to a study by HootSuite and We Are Social, people spend an average of 6 hours and 42 minutes on the internet every day. To put this in perspective of marketing, you have your customers sit right in front of you for 6 hours every day, ready to take up any information you offer them. This is where marketing departments have to gear up and utilize the maximum potential via digital marketing. We can see it in action as currently, $384.96 billion are being spent on digital marketing globally, and this number is expected to go up by 15% at the end of 2023.

All this spending is done due to the data being extracted from the consumers and then using that data to make educated marketing decisions. Data-driven marketing can help marketers reach the right people through the right channels while easily monitoring performance.

It all seems like happy days for digital marketers with the abundance of data they have on the consumer because of the digital era, but there are some things marketers need to be careful of. With the recent rise in data privacy regulations, consent and cookie management has started to play a huge role in marketing activities. Marketers have to ask for consent before using a consumer's information for marketing decisions which has given more control to the consumer. Marketers can tackle this barrier with ease with a proper cookie and consent management system, making data processing a legal exercise and avoiding fines. Let’s talk about cookies, consent, and how a management system can help organizations streamline this process.

We have all heard of cookies and these small pieces of data that are used to identify and track a user's web browsing. Once this data is collected, it can be analyzed by advertisers or marketers to personalize the customer's experience. Up until the last 20 years, organizations had free reign and could collect any and all consumer data without any checks and balances. It wasn't until privacy regulations such as the CCPA and GDPR came into play that organizations were being held accountable for the data they collected. Under most global privacy regulations such as the GDPR, an organization must obtain freely-given consent from consumers before the use of their personal information.  The CCPA, on the other hand, does not require organizations to collect consent from consumers before the collection and use of their personal information.

While opt-in consent is not required, the CCPA still requires businesses to inform users of the use of cookies and their purposes and provide them the option to opt-out of the sale of their personal data. The CCPA has set a guideline of what needs to be included in their cookie policy as well as what a cookie notice must have in order to stay compliant.

A CCPA compliant cookie notice must include the following:
Information about the use of cookies and their purposes:

Under the CCPA, organizations that collect personal information from users must inform users at or before the point of collection, about the categories of personal information collected and the purpose for which the personal information will be used.

Notice of the right to opt-out of the sale of personal information:

Under the CCPA, organizations must allow users to opt-out of the sale of their personal information by displaying a clear message and prominent link titled “Do Not Sell My Personal Information” enabling users to opt-out of the sale of their information.

A link to the organization’s privacy policy:

Under the CCPA, organizations must display a link to the organization’s privacy policy, or in the case of offline notices, a link to an online notice at the point of collection of personal information.

Opt-in consent for the sale of personal information belonging to minors:

Where an organization has actual knowledge that the consumer or a website user is less than 16 years of age, it must rely on explicit opt-in consent for the sale of their personal information. Organizations must collect affirmative consent from users aged 13 to 16 and obtain parental or guardian consent for users under 13.

The CCPA requires organizations to have the following points included in their cookie policy within their Privacy Policy:

  • Definition and generic function of cookies,
  • Categories of any sensitive personal information collected via cookies and their purposes,
  • Cookie categories with the following information for each cookie category:
    • Processing purposes
    • Expiration date
    • The length of time the business intends to retain each cookie category, if not possible, the criteria used to determine such period,
    • The categories of sources which the cookies were collected from,
    • The parties engaged in the processing and transfer of cookies
  • Categories of third parties to whom cookies are sold and disclosed along with the purpose of such sale and disclosure (list of data processors),
  • Information on consumer’s right to opt-out,
  • Information on minor consumers’ right to opt-in and right to opt-out once they have opted-in.

Adding a cookie notice along with the cookie policy is a way to stay compliant with privacy regulations as well as building trust amongst the customers.

CCPA Cookie Compliance Cheatsheet

With the need for data protection in mind, our experts at Securiti have compiled 8 privacy tips for marketers to successfully collect personal data for marketing purposes in a privacy complaint and conscious manner. These tips will enable website publishers, ad-tech companies, independent advertisers and marketers to advertise their products without compromising an individual’s privacy and avoid any potential legal consequences.

Collect, monitor, and track consumers’ consent

Identify all consumer touchpoints to effectively capture and track consumer consent and revocation of consent for respective data processing activities. It is important to have visibility of consent activity across your organization and business units to adequately monitor and honor consumer preferences for marketing purposes.

Locate your consumers’ personal data

In order to streamline the process of consent management, organizations must first gain knowledge of where the consumers’ data is stored. Without knowing where consumer data is stored, it would be difficult to honor consumer consent preferences across various first and third-party systems.

Only track users once they have been adequately notified

In today’s privacy-conscious world, most jurisdictions have either opt-in or opt-out consent regimes, where the former requires organizations to obtain explicit prior consent from consumers before the collection of personal data and the latter requires organizations to only allow consumers to opt-out of the collection of personal data. In either case, an organization must not drop any non-essential cookies or other tracking technologies that it intends to process without displaying adequate notice to the consumer.

Orchestrate and honor consent revocations across the marketing tech stack

Consents are often stored in siloed databases. It’s important to build scalable workflows to ensure consent is synced across various systems, so a consumer’s latest, up-to-date consent is honored.

Provide a way for consumers to grant or withdraw consent at any time

For consent to remain valid, organizations must allow consumers to change their preferences, such as opting-out of the sale and sharing of personal data, and withdraw consent at any time and without any detriment. For this purpose, consent preference centers must be easily accessible and available to consumers at all times. In addition, organizations should give equal prominence to the options of “accept” and “reject” cookies via cookie consent banners allowing consumers to withdraw consent to the use of cookies as easily as giving consent.

Use data only for specific processing purposes

Organizations must obtain explicit consumer consent even in an opt-out consent regime where the purpose of data processing is different from what was previously disclosed to the consumer. Without allowing consumers to provide specific consent for specific processing purposes, organizations would not be able to ensure granularity.

Do not rely on ambiguous and unclear ways to capture consumers’ consent

Organizations must not rely on the use of any deceptive consent collection method, such as pre-ticked boxes, cookie walls, and unclear consent banners. Such misleading consent mechanisms allow organizations to transfer consumers’ data without obtaining their valid consent, which is not only in violation of applicable legal requirements but also against ethical privacy practices.

Organizations must maintain comprehensive consent records containing identities of consumers, categories of consented personal data including processing purposes, consent status, consent date, location code, third parties, the information provided to consumers at the time of obtaining their consent, and information of the session in which consent was expressed. Maintaining such updated and comprehensive consent records enable organizations to demonstrate compliance with the applicable consent requirements.

How Securiti can help?

Securiti Universal Consent Management Solution captures consent and automates revocation fulfillment in a manner that enables marketers to adequately advertise their products as well as protect the privacy of a consumer.

Securiti’s  Cookie Consent Management Solution enables organizations to build cookie consent notices in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features.

Ask for a demo today to understand how Securiti can help marketers to comply with the applicable legal requirements and a whole host of global data privacy laws such as GDPR and CCPA, with ease.

Frequently Asked Questions (FAQs)

The CCPA for marketers involves compliance with California Consumer Privacy Act (CCPA)  when collecting and using the personal information of California residents for marketing purposes.

The CCPA affects marketing by requiring businesses to disclose data collection practices to consumers, provide opt-out options, and refrain from discriminating against consumers who exercise their CCPA rights.

Yes, CCPA applies to direct marketing, including email marketing and other forms of marketing that involve the collection and use of personal information of California consumers.

CCPA covers various forms of marketing, including email marketing, online advertising, and direct mail, along with the data brokers when the personal information of California residents is involved.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You