In the wake of numerous high-profile data scandals, and the 2018 passage of the General Data Protection Regulation (GDPR), the strictest set of data privacy laws in internet history; consumers now have rights when it comes to their online data. But that doesn’t mean they know what those rights are or that US companies are ready to disclose and protect them.
Data privacy is set to dominate headlines again in the coming months with the California Consumer Privacy Act (CCPA) going into effect in January 2020. Like GDPR, CCPA aims to protect users’ personal data by regulating its collection and use. It’s not only California that aims to implement new U.S. data privacy laws — New York, Vermont, Maryland, Washington and multiple other states in the U.S. currently have or are deliberating data protection laws of their own.
All this legislation presents significant challenges for marketers and has left many of them anxious about how they can continue to market to American consumers without running afoul of state by state myriad privacy laws. Maneuvering this ever-shifting landscape will be difficult, but we can take what we’ve learned from more than a year of operating under GDPR and use it to prepare ourselves for CCPA — and whatever legislation lies beyond it.
GDPR has been a sobering lesson for the digital marketing industry, with many companies learning the hard way they were woefully unprepared to comply with the data regulations. More than 59,000 data violations have been reported across the EU since GDPR went into effect.
And, numerous companies withdrew or closed business operations in Europe, as they found themselves unable to meet the stringent privacy requirements.
GDPR taught us that it’s best to be proactive when it comes to complying with new data laws, and that’s especially true for the implementation of CCPA. Don’t put your fate in the hands of lawmakers who may not understand the inner workings of data protection and may also not be clearly articulating how companies must specifically act under CCPA. GDPR provides US companies an initial roadmap.
Leaders in those companies affected by CCPA must take the time now to understand their current processes and programs, identify potential risks, and create a plan to fix them well before the deadline.
We surveyed 287,000 consumers in the U.S. and Europe earlier this year and the results led us to creating “The Reality Report”. Although most companies believe they are educating their customers, we learned that only 8% of consumers understand how their mobile data is being used. That’s a huge issue, but one that companies can easily resolve through transparency.
Companies must become comfortable with complete, transparent consumer-facing disclosure about what data your company collects from your consumers, how it uses it, how long it stores it, etc. Today’s consent notices are still too inaccessible for consumers; 78% of the consumers we surveyed don’t read them in full.
Consumers don’t read the notices in full, as consent forms and terms of services are often too long, overly complicated and filled with ambiguous, inscrutable legal jargon. Consent forms should be clear, explicit and plainspoken. Speak the same language as your users and it is more likely they will read and understand it.
Be as Scrupulous with Your Data Partners as You Are About Your Own Business
One of the biggest difficulties with CCPA will be conducting tough oversight over your business’ data partners. CCPA requires a company only work with technology companies that are completely CCPA compliant and holds marketers liable if one of their vendors violates the law.
In other words, your technology partners need to be as clear and transparent with consumer privacy practices, disclosure and practices as you are.
You may be compliant, but can you trust that all of your partners are? Here are ten questions you should ask your partners:
- Are you CCPA compliant?
- What is your CCPA compliance strategy?
- How is your company currently generating data?
- How does your company define “personal information?”
- How does your company inform your consumers if their data is being sold?
- What percentage of your users have explicitly consented to share their data with you?
- How do you capture and retain that consent?
- How will you continue to ensure your compliance?
- How will you continue to notify us of any changes to your policies?
- Who is in charge of your compliance now and in the future?
The future of data privacy in the U.S.
Compliance will likely get much harder before it gets easier for businesses. Without regulations at the federal level, U.S.-based businesses are forced to comply with multiple, and sometimes contradictory, laws about data protection. Without national, centralized and streamlined enforcement; it’s no surprise companies are worried about their ability to ensure CCPA compliance.
And things are only bound to get more complex with legal issues becoming top of mind. A proposed privacy act in New York will enable residents to file a personal lawsuit against companies that misuse their data. A separate proposed New York City law would ban cellphone companies and mobile applications from sharing location data with another company.
As more state governments pass distinct privacy laws, we will likely experience a direct increase in noncompliance incidents and fines. Subsequently, companies will likely advocate a federal data privacy bill in the U.S., in an effort to reconcile the contradictions, simplify compliance, and reduce risk and increased costs.
No matter what the future holds, it is clear that we are in a new world of business, one where companies will be held accountable for adhering to consumer privacy practices. Companies must proactively adopt a culture of transparent and complete compliance when it comes to data protection. While the particulars around data regulation will continue to change and evolve; consumer-centric philosophies and practices will ensure your company will be able to navigate them.
Companies must also care deeply about their own brand safety for inventory as it relates to data compliance. The more companies engage with their consumers and place an emphasis on gathering consent from the ground up, the more they can boost overall consumer trust in the brand itself, while also improving its marketing and branding abilities. Adapting this consent-first attitude also helps businesses boost their long-term growth and fuel the companies winning capabilities from end to end. Now more than ever before is the time for companies to adapt new practices and work alongside consumers to build authentic, consent-led relationships.