Data regulation isn’t new, but many marketers are at risk because of incomplete and/or inadequate processes for complying with consumer privacy regulations. This is despite much-publicized notifications and warnings related to regulatory enforcement and the levying of fines for non-compliant activity.
Marketers have been tasked with collecting, utilizing and sharing consumer data more responsibly. This means providing consumers with the ability to understand whether data is being collected from them, what data is being captured and the purpose for which that data is being used. Further, marketers must provide consumers with the ability to request that their personal data be deleted and made unavailable for specific purposes.
The challenge has been that there is no omnibus global or federal law that covers all geographies, business sectors or data types. As a result, most marketers are focused on the two broadest-reaching, most comprehensive laws:
- General Data Protection Regulation (GDPR) – Adopted by the European Union; went into effect May 25, 2018.
- California Consumer Privacy Act (CCPA) – Went into effect January 1, 2020. Coverage expanded with the passage of the California Privacy Rights Act (CPRA), which went into effect January 1, 2023.
Regulation covers a myriad of personal information types, including personal identifiers, commercial information, internet or other electronic network activity, and other data such as geolocation, biometric, audio, visual, thermal, olfactory or similar information, as well as professional or employment-related and educational information.
Failure to comply can be costly. CCPA infractions will cost marketers $2,500 per violation and $7,500 if the violation was deemed to be intentional. So, for marketers with consumer databases containing tens of millions or hundreds of millions of names, the risks are real. Consider the fines levied by the European Union for GDPR violations:
Top 5 GDPR Fines (Source: Enzuzo)
- Amazon – $780 million
- WhatsApp – $247 million
- Google (Ireland) – $99 million
- Google – $66 million
- Facebook – $66 million
Note: Sephora was fined $1.2 million in November of 2022 for CCPA violations. This was the first CCPA settlement. Risks accelerate as the July 1, 2023 “Enforcement” date nears for the CPRA.
While many marketers have updated “Privacy” and “Data Collection” notices on owned websites, this is nothing more than table stakes in this privacy-focused era. Marketers must create platforms, systems and processes that provide a full view of their data: where it’s stored, what it’s used for, where it was gathered from and whether the proper permission was secured. Understanding “Consumer Rights” under these laws is a good starting point for developing such protocols:
Consumer Rights Under the CCPA
- Know that personal data is being collected about them
- Know what personal data is being collected
- Know if their data is being shared or sold and to whom
- Ability to opt-out of their data being sold
- Personal access to their data
- Option to request that businesses delete their personal data
- Protection against discrimination for exercising their privacy rights
- Extra protections from data collection if they are minors
It should be noted that the regulations apply to all marketers, whether they’re focused on Business to Consumer (B2C) or Business to Business (B2B). At present, the CCPA broadly defines “consumer” to include “individuals acting as representatives of their employers.” While there are B2B exemptions that cover certain verbal or written communications with a consumer, the amendment (AB 1355) is highly nuanced and warrants marketers securing legal guidance.
Beyond notifying consumers and provisioning viewability and opt-out mechanisms, businesses will be tasked with protecting personal data in a safe and secure manner, addressing threats to the confidentiality and integrity of, and access to, the personal information in their databases. In addition, marketers will want to review and likely update agreements between their organizations and third-party data processors. These updates should include language requiring such suppliers to maintain data inventories, use due diligence questionnaires, provide records of processing actions, sync consumer response processes, allow for onsite assessments and audits, and map any data elements shared with any party, including data that was sold.
While marketers await regulatory standardization within select markets, in the near term it behooves them to understand that privacy requirements vary by geography and by sector. A best practice is to structure compliance programs to satisfy the strictest legislation, which should cast the broadest net when it comes to complying with other guidelines.
This article was written for informational purposes and not meant as legal guidance.