Less than a year after the go-live date of the California Consumer Privacy Act (CCPA), companies in the technology, media, and telecom (TMT) sector are navigating between heightened consumer expectations for personalization, provisions in the new law and its accompanying regulations, and a pending second round of legislation that will continue to make personalization more difficult.
In a world of connected devices, streaming content, and increased automation, consumers are demanding highly personalized experiences and 24/7, real-time digital access through their personal devices. CCPA has complicated TMT companies’ path to meeting these expectations by introducing to 12% of the US population new rights to notice and opt-outs of this data-intensive ecosystem.
How are TMT firms approaching this challenge?
To find out, PwC recently analyzed the websites of the 500 largest publicly traded companies and 100 largest privately held corporations and evaluated their approaches to CCPA.
What did we discover?
First of all, the TMT sector is represented by 62 of these 600 companies. Many of these operate in California and face a deluge of consumer requests to access and delete their data under the CCPA’s new rights. Second, the sector is a tale of two CCPA experiences, with the media and telecom segments setting the pace and the more diverse technology industry varying in key ways.
One of these ways is whether companies offer an online, self-service, privacy-rights portal to customers. These portals can require a substantial investment, and show an executive-level commitment to improving the consumer privacy experience.
Among the sub-sectors within TMT, telecom companies lead the pack on this capability. Perhaps their strategic decision to focus on the consumer experience across devices and platforms has driven alignment with CCPA implementation plans. Because of their large consumer footprints, these organizations also likely face untenable costs associated with handling privacy requests via email. The sub-sector breakdowns reflect a wide variance:
We also analyzed how large companies are addressing complex challenges around whether to extend CCPA rights to all consumers. While the law applies only to California residents, offering CCPA rights to all consumers could provide the most desirable customer experience. TMT firms in the media and telecom sub-sectors offer these rights to all US consumers, according to our study. It is possible that certain TMT companies are waiting to extend these rights to all US consumers once they are confident their processes work for California. The sub-sector breakdowns on this parameter also show a wide variance:
We also looked at how many firms offer a “Do Not Sell My Personal Information” link on their main landing page. Among all sectors, TMT tied consumer markets, with 29% of their companies providing such a link. This tells us that TMT companies evaluated their own data-sharing practices, and many concluded that they had exchanges that did constitute a ‘‘sale’’ of personal data according to CCPA regulations. However, companies navigating the changing adtech environment—including new frameworks and tools from the NAI, IAB, and DAA, and third-party party cookie bans—may decide that they require additional investments, and possibly a re-evaluation of instances of sale.
The sub-sector breakdowns on this question also vary greatly, indicating a high degree of diversity in data-supply chains:
Why did the tech sub-sector come in last place on all three variables? A higher portion of these companies operate business-to-business models and do not have as many direct connections to their products’ end consumers. This lack of connection may have resulted in less of a perceived need for the aforementioned approaches. This may change in the run-up to January 2022 -- or January 2023 if the California Privacy Rights Act (CPRA) is voted into law -- however, when employee data and business-client information, which these companies process in larger volumes, falls within scope of the CCPA.
As a final measure, we looked at actual reported volumes of CCPA consumer requests. Privacy professionals working for companies within the scope of this study reported a range of volumes of consumer CCPA requests since January 1:
What do these results mean for TMT companies and the future of privacy capabilities for this sector? Consider the following actions and questions: