As if the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) weren’t complex enough, both laws are moving targets.
CCPA’s specific regulations are only proposed, with final ones being issued by the state’s attorney general sometime in the next few months. But brands and vendors can still be liable for fines and lawsuits going back to when the law went into effect on January 1, 2020.
GDPR’s complex regulations are interpreted and enforced by separate regulatory bodies in each of the EU countries, a potential Rashomon of legal interpretation. Plus, a separate ePrivacy Regulation is still undergoing revisions and is not yet finally approved. While some observers say the regulation won’t affect the ways brands and vendors have to comply with GDPR, it’s difficult to see how it won’t once the ink is dry.
In this whirlwind of laws-that-aren’t-yet-stable, how the heck are companies supposed to comply?
One word: strategy.
Setting the bar
As companies cannot obey the literal text of these laws—since the texts are still very much in flux, either in actual text or in interpretation—the only practical response is to figure out an approach for compliance and adaptation.
First step: try to determine which law is the more stable target.
Shane Wiley, Chief Privacy Officer at location data firm Cuebiq, considers GDPR more settled than CCPA. The reasoning: its text is fixed, the general ideas are known, and, while the nation-by-nation interpretation or the impact of the ePrivacy Regulation may alter some things, those alterations will likely stay within a certain range.
In five years, Wiley told RampUp, “everyone will say GDPR set the bar, [and that] the revolution was GDPR,” with its enforcement driven by the maximum fine of 4% of global revenue.
Contextual computer vision firm GumGum is taking the approach that GDPR is the “more stringent” set of rules, Director of Global Compliance and Legal Affairs TJ Albert told RampUp, so meeting that target should cover most of the less-strict regulations from states and other countries.
She noted that GumGum maintains a matrix to track the individual requirements of each law. For instance, GDPR allows 30 days to respond to a subject’s request for personal data, while CCPA allows 45.
“So, we adopted 30,” Albert said.
Apply stricter laws across states and regions
But, even if a company centers its compliance strategy on GDPR’s tougher requirements, there’s the question of whether the compliance should be for every market, just for the EU, or just for EU citizens who are geo-located by, say, registration or IP address. Technically, compliance is required for companies dealing with EU citizens, wherever they are.
Cuebiq is applying the EU rules worldwide, Wiley told RampUp, with local tweaking as needed. It makes version control less of an issue.
The same question, of course, applies to CCPA. Does the law apply just for California markets or everywhere California residents are? Technically, the law is for California companies of a certain size that address California residents, but that could mean a firm has to create other versions of itself for other U.S. states.
Wiley said that, like most companies, Cuebiq is applying CCPA across the U.S. To his knowledge, he added, the only ones that are geo-locating CCPA compliance to California are brick-and-mortar firms that have most of their customers in the state.
Adopt a ‘risk-acceptance’ approach
The additional complexity with CCPA, of course, is that the regulations are not yet final. Until the state’s attorney general makes them final, how can a company reasonably comply?
Wiley said the proposed regulations give an idea about the direction, so a brand or vendor could undertake a “risk-acceptance” approach.
In other words, make the foundational and organizational changes that are clear, such as establishing structures and controls to track and readily deliver or delete any personal data on request, and then make any other, nonstructural changes—such as how opt-outs are handled—with the expectation that they could change quickly.
Check your contracts
Another strategic move: make sure your contracts are tight and up-to-date.
Albert noted that, as a “processor” under GDPR terminology, GumGum doesn’t acquire user consent directly, since the “controller” or publisher is responsible for obtaining consent.
Her company tracks consent choices via the Interactive Advertising Bureau’s Privacy String, which is passed to GumGum from the publisher. That means GumGum’s contracts with publishers and other processors need to be up-to-date and comprehensive, because the controllers are actually collecting the consent and passing it on—yet GumGum shares some of the liability.
Then there are strategic decisions to emphasize certain kinds of data over others.
For Tim McCormack, VP at marketing agency Big Eye Agency in Orlando, the best overall strategy is a stronger emphasis on first-party data and on using data providers that specialize in consumer-consented data.
Since third-party cookies and third-party data are the weakest points in the privacy universe, McCormack feels it’s best to emphasize data from brands’ own visitors and customers over third-party providers.
Digital ad platform Jivox similarly focuses on using consumer data obtained from a brand, like Priceline, which has acquired users’ consent.
“If there is no indication of consent,” founder and CEO Diaz Nesamoney said, “we don’t take the data.” As with GumGum, this means a key strategy for Jivox is making sure its contract with controllers like Priceline clearly lays out the terms and conditions.
Another change resulting from GDPR and CCPA in Jivox’s approach to data: the company has gone from “an opt-out model to an opt-in model for emails.”
The most important compliance strategy
But the biggest change in a company’s strategy, GumGum’s Albert said, is to “operationalize these laws” by changing your mindset, where your company is fully engaged in “privacy by design” in every project.
In this approach, managing user privacy becomes as fundamental to every aspect of the company as ROI or computer security, and as standard in every new effort as the choice of software tools.
For companies like Jivox, that change in attitude toward privacy and consent is a positive development.
“Personally and as a company,” Nesamoney said, “GDPR and CCPA are the best things [that have happened] to the industry,” because it legitimizes user data.
With users now part of the deal that releases the data, he said, it’s “much cleaner and more precise.”
The upshot: the quality of the data is going up, and this means the pain of creating robust strategies in this age of transitional regulations can generate a major benefit in return.