How are technology, media & telecom companies navigating the CCPA?

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.

Less than a year after the go-live date of the California Consumer Privacy Act (CCPA), companies in the technology, media, and telecom (TMT) sector are navigating between heightened consumer expectations for personalization, provisions in the new law and its accompanying regulations, and a pending second round of legislation that will continue to make personalization more difficult.

In a world of connected devices, streaming content, and increased automation, consumers are demanding highly personalized experiences and 24/7, real-time digital access through their personal devices. CCPA has complicated TMT companies’ path to meeting these expectations by introducing to 12% of the US population new rights to notice and opt-outs of this data-intensive ecosystem.

How are TMT firms approaching this challenge?

To find out, PwC recently analyzed the websites of the 500 largest publicly traded companies and 100 largest privately held corporations and evaluated their approaches to CCPA.

What did we discover?

First of all, the TMT sector is represented by 62 of these 600 companies. Many of these operate in California and face a deluge of consumer requests to access and delete their data under the CCPA’s new rights. Second, the sector is a tale of two CCPA experiences, with the media and telecom segments setting the pace and the more diverse technology industry varying in key ways.

Telecom companies ahead of the curve with self-service portals

One of these ways is whether companies offer an online, self-service, privacy-rights portal to customers. These portals can require a substantial investment, and show an executive-level commitment to improving the consumer privacy experience.

Among the sub-sectors within TMT, telecom companies lead the pack on this capability. Perhaps their strategic decision to focus on the consumer experience across devices and platforms has driven alignment with CCPA implementation plans. Because of their large consumer footprints, these organizations also likely face untenable costs associated with handling privacy requests via email. The sub-sector breakdowns reflect a wide variance:

  • Telecom: 67%
  • Media: 50%
  • Technology: 37%

Media companies setting the bar with extending rights to all consumers

We also analyzed how large companies are addressing complex challenges around whether to extend CCPA rights to all consumers. While the law applies only to California residents, offering CCPA rights to all consumers could provide the most desirable customer experience. TMT firms in the media and telecom sub-sectors offer these rights to all US consumers, according to our study. It is possible that certain TMT companies are waiting to extend these rights to all US consumers once they are confident their processes work for California. The sub-sector breakdowns on this parameter also show a wide variance:

  • Media: 100%
  • Telecom: 67%
  • Technology: 39%

More than 25% of TMT and consumer companies provide “Do Not Sell” link

We also looked at how many firms offer a “Do Not Sell My Personal Information” link on their main landing page. Among all sectors, TMT tied consumer markets, with 29% of their companies providing such a link. This tells us that TMT companies evaluated their own data-sharing practices, and many concluded that they had exchanges that did constitute a ‘‘sale’’ of personal data according to CCPA regulations. However, companies navigating the changing adtech environment—including new frameworks and tools from the NAI, IAB, and DAA, and third-party party cookie bans—may decide that they require additional investments, and possibly a re-evaluation of instances of sale.

The sub-sector breakdowns on this question also vary greatly, indicating a high degree of diversity in data-supply chains:

  • Media: 50%
  • Telecom: 44%
  • Technology: 18%

Why did the tech sub-sector come in last place on all three variables? A higher portion of these companies operate business-to-business models and do not have as many direct connections to their products’ end consumers. This lack of connection may have resulted in less of a perceived need for the aforementioned approaches. This may change in the run-up to January 2022 -- or January 2023 if the California Privacy Rights Act (CPRA) is voted into law -- however, when employee data and business-client information, which these companies process in larger volumes, falls within scope of the CCPA.

As a final measure, we looked at actual reported volumes of CCPA consumer requests. Privacy professionals working for companies within the scope of this study reported a range of volumes of consumer CCPA requests since January 1:

  • Highest range of requests: ~200 to 500+
  • Moderate range of requests: 20 to 150
  • Smallest range of requests: None to 19

What should TMT companies do next?

What do these results mean for TMT companies and the future of privacy capabilities for this sector? Consider the following actions and questions:

  • Focus on the consumer privacy experience. Engage your digital and customer teams in human-centered design for privacy. Does your organization’s customer experience have a compliance-driven feel or is it designed with consumers’ expectations and interactions in mind? Does it enhance trust through transparency and controls, or raise more questions than it answers? What kind of feedback would you receive from a consumer focus group?
  • Invest in the future, now. While volumes of requests are lower than expected, investments in procedure and automation may increase the chances of successfully scaling efforts as volumes surge and fall, and more states pass new privacy legislation. Were appropriate investments made in the sustainability of your privacy program? Is it designed to evolve and adapt at a rate matching the pace of change of the business? Or are your personal information and third-party inventory and dataflows growing more stale with each passing day?
  • Get ready for CPRA! Companies that got their CCPA capabilities in shape for January 2020 generally needed every spare moment they had to meet the deadline. With CPRA on the ballot for November 2020 in California, polling suggests strong support for the ballot initiative. With new requirements coming due if the initiative passes -- and other state privacy bills potentially hitting shortly thereafter, investments in these capabilities will turn out to be forward-looking, cost-saving strategies.

Contact us

Jay Cline

Jay Cline

US Privacy Leader, Principal, PwC US

Sean  Joyce

Sean Joyce

Global and US Cybersecurity, Privacy & Forensics Leader, PwC US

Joseph Nocera

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US

Follow us