    Marketers are currently facing what might be called the Layer Cake Era of consumer privacy.

    A little more than a year ago, the European Union’s General Data Protection Regulation (GDPR) took effect, sending waves of data wariness through brands and vendors that collect and use data from European consumers.

    Then California passed the California Consumer Privacy Act (CCPA), hurried through the legislature to head off a pending referendum. It set up its own data privacy requirements for larger California companies.

    Some other U.S. states have also passed data privacy laws, including Maine and Nevada, as have some other countries, including Brazil and South Africa. State bills are currently in the works in Pennsylvania, Texas, Hawaii, Illinois, and others.

    And there are at least 13 federal-level data privacy bills pending in Congress.

    If all these privacy regulations actually created a layer cake, it would be the most lopsided and badly aligned layer cake ever.

    Comply with strictest regulations

    What happens if one or more federal privacy laws are enacted—and what about other states and countries?

    One strategy is to pay more attention to which regulation is the strongest.

    “None of the federal bills are as strong as California’s,” digital policy consultant Kristina Podnar told RampUp. If a federal law comes into being, she predicted, it will most likely be less stringent than California’s.

    Privacy attorney Gary Kibel pointed out that most larger companies and many smaller ones are covered by the California legislation even if they aren’t based in the state, because of California’s very large user base and interconnecting relationships with the state’s large number of tech companies.

    He added that “companies often comply with the strictest standard that applies to them.” That strategy would likely mean complying first with CCPA, unless a federal law, or a new privacy law in another influential state such as New York, turned out to be stricter.

    Eight priorities

    That still leaves GDPR, which applies to companies that collect data on European citizens, wherever those companies are. Kibel noted that GDPR covers more issues than CCPA, including internal data security, whereas CCPA is focused on consumer data.

    There is some overlap, he said, but, at the moment, there is no direct conflict between GDPR and CCPA. It remains to be seen if there will be conflicts with any federal law.

    With so many legal requirements from many jurisdictions, and so many more coming, Podnar advised that companies should focus on covering their bases by addressing the data privacy and security issues that should already be best practice. By addressing these basics, she said, companies can cover most of the issues governed by the various privacy regulations, with tailored implementation to address any particular requirements.

    She defined eight priority areas for data privacy, shown here with a few of the many questions that need to be resolved for each category:

    Accountability and governance:

    • Review the applicability and risk to the organization from data privacy issues and consider alternatives, including insurance, in case you are fined
    • Mandate that data privacy become part of the policy program, including staff training, measurement, and compliance reporting
    • Clearly document roles, responsibilities, and reporting lines to embed privacy compliance into your standard procedures

    Consent and processing:

    • Confirm that the data being collected and used is necessary and serves the completion of an action the user wants
    • Identify sensitive data and ensure it is treated as such, through appropriate encryption or by validating how vendors store sensitive data
    • Confirm that user consent for data collection is clearly captured and documented, and that user data can be modified or erased

    Notification and data rights:

    • Write user notices clearly so they can be easily understood—properly targeted to children where relevant—and so they reflect the specific purposes of data collection and usage
    • Update the organization’s internal data privacy policy to clearly state the rights of prospects and customers regarding the collection and processing of their personal data
    • Create and test processes to correct and delete all user data if needed
    • Develop a solution to give users their data in a portable electronic format

    Privacy by design:

    • Create or update practices to embed privacy into all technology and digital projects, including those outsourced to vendors and partners

    Data breach notification:

    • Create a data breach policy and response plan, or review and update an existing one, so that it covers detection, notification, and action to mitigate loss
    • Consider, and obtain, insurance to cover a possible data breach and any regulatory penalties the organization may face but could not absorb on its own
    • Incorporate data breach terms and requirements into all vendor and third-party contracts

    Data localization:

    • Identify and update cross-border data flows out of the country where the data is collected, and review data exports for both on-premises and cloud solutions

    Children’s online privacy:

    • Define which data is collected from children, whether as a business practice or through efforts like “take your child to work day”
    • Ensure user notifications and online privacy statements are written in a way that a child could understand them, with a statement that parental consent is required where necessary
    • Validate a process for obtaining parental consent

    Contracting and procurement:

    • Review and ensure that all vendor, customer, and third-party agreements reflect data regulatory requirements
    • Define procurement processes such that privacy is integrated into all products and services the organization buys, covering data minimization, the visibility of onward data flows, and data ownership
    • Validate that third parties are continually complying with the terms you have defined and that you are updating third parties as your privacy requirements change

    Podnar suggested companies that address the above and related questions for each of the eight priority areas will be in fairly good shape for GDPR and CCPA compliance, as well as for others. She pointed out that Brazil’s regulation, for instance, is modeled on GDPR and CCPA.

    They all boil down to two basic principles for marketers to follow, she said: “Don’t be creepy” and “do the right thing,” although there are many nuances unique to each regulation.

    The development of privacy regulations resembles the evolution of other movements in the history of user experience and intellectual property, including accessibility standards and copyright laws. Those informational policies also began with different laws for different geographies, Podnar noted, but eventually evolved into international standards, defined jurisdictions, and cooperation agreements.

    That process may have already started. The National Institute of Standards and Technology (NIST) in the U.S., for instance, is already starting discussions about a generalized framework that could help organize these layers.

    But don’t hold your breath. Podnar expects there won’t be general standards for at least a decade—maybe longer.

    The information provided in this blog does not constitute legal advice. Please consult your legal counsel to obtain legal advice.
