Author: Balkar Singh

CCPA vs GDPR. It’s different but similar.


GDPR is based on certain principles, and those overlap with the intentions of CCPA as well. Still, the two are different. You may be in compliance with GDPR and still need to take steps to become CCPA compliant. Personal information is defined differently in CCPA than in GDPR. The tactics of verification (and the reasons for it) are different for CCPA versus GDPR. For example, Double Opt-In is a strong way to demonstrate GDPR compliance, but we're not sure if the same shall cover CCPA for all scenarios.


To explore and find areas which can speed up CCPA compliance, I had a discussion with my colleague, Saurabh Tyagi, to share his perspective and summarize the key items below (though CCPA in itself is much larger).


Areas CCPA revolves around


There's still time before we see a CCPA requirements checklist; however, CCPA primarily revolves around the rights to know, delete, opt out (from the selling of information) and non-discrimination. Below we try to list a few steps which can help you prepare for being CCPA compliant.


Access for Consumers to know their data


If you have defined how you collect information, how you use it, share or sell it, you should be good. There are certain time-frames required to be respected for requests regarding right to know and delete.


Besides, the information needs to be granular - e.g. if you say that you collected “Geographical Information” via a Form Fill - the fields you collect must be recorded as well. Although this is obvious, it is explicitly mentioned as of now. This is similar to the "Right to Access" in GDPR and can be demonstrated by having procedures to follow up on such requests. For example, having a Form on the Website or a Toll Free Number, and having a follow-up process.


Processing a request to delete data


Consumers need to be able to request that you delete their data from your records. GDPR has a similar requirement, with a process to respond to such requests within a month.




Though the CCPA process is similar, verification of the Consumer is a mandatory requirement. In addition, the request to know or delete needs to be acknowledged within 10 days, and information regarding how the business shall process the request needs to be communicated. In this case, we need to make sure to follow up within 45 days.



A 3rd party can provide a security process to verify the identity of the consumer who makes a request to the business. However, it's subject to more CCPA rules!


Deny, but comply as much as you can - In case the Consumer is not verified, but has made a request to Delete their Data, at least mark them as Marketing Suspended, or Opt-Out from other procedures, to demonstrate compliance.


A consumer should be able to opt-out from you selling their information


Place a link on your website saying “Don’t sell my data”. Develop procedures to follow up on such requests. (This is not applicable if you do not sell* data.)


“One method which can help digital-verify the Consumer can be highlighted by the following - if the "Don't Sell My Data" link takes the consumer to a form, a simple email address should be fine, and the consumer can be verified by double opt-in via a single click in the confirmation email. However, it would be even better if we can take the consumer to a new form from the confirmation email, with a stress on the message, that their data shall be deleted - this could be a bit more affirmative online verification of the Consumer” - Saurabh Tyagi


CCPA doesn't yet clearly mention whether this is a suitable way to verify - per the current draft, the verification just needs to be reasonable. This is similar to Marketo asking a second time if we're okay to delete some # of records.


Provide notice to consumers


Provide notices before, or at the time, you collect their data, similar to the check-box method below the form where you collect data. Ensure that the language used in such notices is plain and straightforward, and avoids technical or legal jargon! In addition to being straightforward, the notice must draw the attention of the consumer.




Maintain a record of “how you responded”


This needs to be maintained for 24 Months - starting with whenever a request is made. One way to achieve this is by alerting a staff member, and then having an internal ticket log system to manage maintenance. This rule requires the business to make someone accountable.




We need to log the way we responded, whenever such requests are made*. This could be done in different ways, but a ticket log kept by an accountable member seems the simplest. Or just have a spreadsheet updated based on the type of activities - e.g. Received Request, Received Request Data, Acknowledged Request, Categorized Request, Processed Request and so on, with details attached.




*A business’s maintenance of the information required by this section, where that information is not used for any other purpose, does not taken alone violate the CCPA or these regulations


Twitter took the approach to dedicate a Privacy Center as mentioned in one of the Tweets, hence exemplifying the evolving arena of privacy and more.


It’s so common to hear tech companies say: “Privacy is not a privilege; it is a fundamental right” that those words have become a cliche. People have become desensitized to hearing companies say, “we value your privacy,” and are worn out from being asked to accept privacy policies that they rarely, if ever, even read. Many companies make these declarations without even showing people what actions they are taking to protect their privacy. And let's be honest, we have room for improvement too - Twitter


Have you attempted some of the above work? What are your anticipations for the regulation being applied to privacy in the world's 5th largest economy? CCPA is much more comprehensive than we can cover in one post; however, we're looking for thoughts and ideas!

A typical lead scoring model usually means either of the following two approaches:


  • A list/combination of triggered campaigns
  • A sequence of demographic/firmographic campaigns, and a group of behavior scoring campaigns

Scoring, as one of the prominent tactics of modern marketing, keeps evolving, forever. So does the database size. When leads start to accumulate, the pressure on these sequence campaigns increases. We don’t need to wait long before we start seeing campaign queues and delays.



Multiple triggers, redundant processing, and more evolving factors add to the challenge. Certain steps can help address the limitations of this climate, and we try to list a few below:


Split campaign-sequence dimension-wise

Instead of requesting all campaigns one after another, design the campaign sequence to react only to the people it needs to react to.


Use Fields (instead of smart lists (and nested smart lists(and very nested smart lists)))



A combination of multiple filters is not incorrect; however, when we use too many filters (e.g. 9 filters in the snapshot above), together with heavily nested smart lists and fairly complicated criteria, the processing takes time.

If we can tag a field with a value, whenever the criteria data points change to make the records qualified, we can reference one field, instead of complicated combinations of filters.


Centralize triggers


A single trigger (say, person is created) may be used in multiple campaigns. We often see that it’s used to trigger scoring in one program, update lifecycle stages in another, and trigger governance in yet another. This is also one of the reasons for processing issues. The same trigger used multiple times may be causing some redundancy.

It's better to centralize these into one entry-campaign.

Simplify smart campaign settings


A lot of behavior scoring campaigns are usually set to run every time. Even "visits webpage" runs every time in many instances today. We could instead have this run once every hour, and set a minimum limit for the activity. A rule of thumb some of us use is to avoid "run every time" as much as possible.


Consider Segmentation


If there's a criterion you need to apply to a significant count of records in the database, and it would be used very frequently, do not use a smart list for it. Consider segmentations - these are faster to process than smart lists with the same filters. E.g. a Marketing Eligible Segmentation, or, say, one to accommodate privacy compliance, e.g. GDPR, CASL etc.


A smart list with the following rule-set is slower to process, versus the same rule-set within a segmentation.



Measurement mechanism ideas


  • Append a field with date-time when processing of a program starts, and another when it ends
  • A while later, an export of records which have gone through the model, would have these two stamps, and we can calculate the average time taken, per XXX records.
  • Post implementing the changes, we can compare the time duration of processing for the same # of records.


The following report lets you monitor how your smart campaigns are performing:

Campaign Activity Report - Marketo Docs - Product Documentation 



If there are any good approaches you have tried which helped with processing speed, please share! Also, do refer to Load Balancing in Marketo and Marketing Automation - Marketing Rockstar Guides if you haven't yet.