Data privacy, once mainly discussed in circles that place extreme importance on hat color, has now become a near-daily topic of conversation. Tech moguls regularly testify before government panels, news of data breaches breaks constantly, and global brands face highly publicized challenges keeping data secure and private. As a marketer, it can be hard to know where to start addressing these concerns — from both legal and practical perspectives.
The European Union’s GDPR has gotten the most press among privacy legislation, but similar laws are pending or already in effect in many jurisdictions outside the EU. Let’s take a look at the current landscape and some ways you can prepare for what’s next.
The Global Data Protection Regulation, which took effect May 1, 2018, is designed to protect the privacy of EU citizens, specifically regarding their personal data. Its requirements focus on three key areas: consent for data collection and processing, disclosure of what data an organization holds regarding a data subject, and the right of a subject to request full deletion of their data. GDPR more broadly addresses data collection and use without targeting email, SMS, or other specific messaging channels. However, marketers must obtain permission to use the recipient’s data (including email address) for marketing purposes. As a result, clear consent is required to send any marketing messaging, and consent to those messages must be separate from any other consent (such as signing up for an account on a website). Alongside its consent provisions, GDPR also requires organizations to send out a notification immediately when a data breach occurs.
Severe financial penalties are possible for any violations of the regulations, up to 2% of an organization’s gross annual revenue or $10 million euros. Just last month, British Airways was hit with the largest GDPR fine to date, being ordered to pay £20 million for a data breach that occurred in 2018. The regulation allowed for a much larger fine, but the ICO decided to lessen the penalty because BA’s failure to properly secure the data was mostly unintentional in their opinion.
GDPR applies to organizations with a physical presence in the EU, or who collect or store data for subjects located in the EU. Even if your organization is outside the EU, you are still subject to GDPR if you collect or store data pertaining to an EU resident.
The California Consumer Privacy Act became effective January 1, 2020, and shares some basic principles with GDPR. Primarily, CCPA allows for California residents to know what data is being collected about them and why, to know whether their data is being sold to third parties, and ensures the right to opt out of both data collection and sale. Data subjects can request to see all personal data about them an organization holds, and they must not face discrimination for exercising any of the rights afforded by the CCPA.
CCPA requires that organizations employ reasonable security procedures to protect personal data, although specifics around that security are not provided. Unique to CCPA is the requirement that a “Do Not Sell my information” link be available on the organization’s homepage, allowing subjects to prohibit the sale of their personal data.
Penalties for allowing personal data to be stolen or otherwise breached range from $100 to $750 per California resident, or actual damages if those are greater. Fines of up to $7,500 are afforded for each intentional violation and $2,500 for each unintentional violation. The Attorney General also has the option to file criminal charges against the organization in lieu of allowing civil lawsuits.
Organizations based in California are subject to CCPA, but they’re not the only ones. CCPA also applies to any entity that does business in California and meets at least one of these criteria:
- Annual gross revenue in excess of $25 million
- More than half of annual revenue is earned from selling personal data
- Buys, sells, or receives data from at least 50,000 California residents
While the first two criteria are fairly restrictive, there’s a better chance your organization interacts with data from at least 50,000 California residents over time — meaning you’re likely subject to CCPA’s provisions.
Brazil, China, and the U.S.
Many other jurisdictions are at various stages of implementing their own data privacy laws. Brazil’s LGPD became effective recently with full penalties delayed to 2021; a draft of China’s Personal Data Protection Law was released for review in October. In the U.S., Nevada and Maine already have privacy laws on the books, while nine other states have laws pending in their legislatures.
Making Privacy a Priority
Even if you don’t believe GDPR or CCPA apply to you (yet), it’s time to start paying attention. The number of data privacy laws is only going to increase, and you’ll soon be subject to one or more of them if you collect or maintain any type of consumer information. Now is the time to start adjusting your practices to ensure compliance — even if you’re not technically subject to these laws, you’ll want to have procedures that pass muster for the day when you become liable. It’s great if you’ve already started preparations, but it’s not too late if you haven’t. Here are some quick tips to help you get and stay compliant:
- Determine what data you actually need and how you will use it. Many organizations collect as much data as possible, even if they have no specific use for the data at that time. If this is you, it’s time to review your collection practices. Revamp your forms to ask only for data you currently use, and be able to concisely explain how you’re using it.
- Review your existing dataset for extraneous information. If you’ve previously followed the “ALL THE DATA” mindset, you likely have a lot of your customers’ personal information you’re not using. If you don’t have a good use for the data now, it may be time to get rid of it.
- Examine how you store and transfer your data. Most data privacy laws require you to provide a copy of a subject’s data on demand, as well as providing the ability to delete their data upon request. Does your marketing platform and/or database structure provide this capability? Most laws also impose penalties for security lapses that lead to breaches. How have your secured your data? Are you passing it off to a marketing platform, and are there security or privacy risks associated with doing so?
No matter your jurisdiction or annual revenue, every organization has the potential to make privacy a priority. We hope our ideas help you get started, but keep in mind that we’re not lawyers. We recommend consulting your preferred legal counsel to ensure your procedures and infrastructure are up to the standards imposed by current and future regulations.