In the United States, there is no single national law regulating the ways in which businesses — or any organization — can collect, store and use consumers’ highly sensitive personal data in the digital space. Fortunately, that won’t be the case for long. Federal data privacy regulation is coming, and its arrival is exactly what the marketing industry must support.
We’ve all watched the General Data Protection Regulation (GDPR) play out in Europe, and we’ve subsequently seen the calls for a U.S. version — a consumer data protection regulation (CDPR) of our own.
To help clarify the scenario as it now stands, and to highlight how it’s likely to develop, let’s take a moment to break out key developments around the rise of CDPR in the U.S., with a focus on the implications for consumers and marketers.
CDPR: From Europe To California And Beyond
The enforcement of GDPR began in May 2018 and changed the consumer data privacy landscape in the European Union and European Economic Area. Now, organizations that fail to achieve GDPR compliance receive, at the minimum, written warnings and audits, while the maximum penalty carries a fine of up to €20 million or 4% global annual revenue, whichever is higher. On the first day that GDPR went into effect, Facebook and Google were hit with lawsuits totaling $8.8 billion. And more recently, Google was at the center of another instance involving the CNIL, which is France’s data protection authority.
The transition to GDPR in Europe has prompted the discussion of consumer data privacy regulation in the U.S. First moves came in the form of the California Consumer Privacy Act (CCPA), formally adopted in June 2018, now set to become law throughout the state on January 1, 2020.
You can review the full Act here. But to paraphrase some of the main points of the CCPA, it will allow California residents:
• The right to know what personal information a business collects on them, where it came from and how it’s being used
• The right to opt out of letting a business sell their personal information to third parties or, for consumers under 16 years old, the right not to have their personal information sold without their opt-in or their parent’s consent
• The right to have a business remove their personal information, with some exceptions
• The right to equal pricing and service from a business, even if the consumer does choose to exercise their privacy rights with that business under the Act
The CCPA makes it easier for consumers to file lawsuits against companies in the event of a data breach and also empowers the California attorney general’s office to levy fines against companies that don’t follow the new stipulations. And because the CCPA is retroactive — in that companies must identify consumer data sold in the 12 months running up to January 1, 2020 — it’s imperative for organizations to make immediate preparations.
In other words, start identifying, cataloging and normalizing the data that is needed to comply with CCPA-related queries. And talk to your vendors. Make certain they too can provide the necessary details should an outside party check on them about the new rules. The goal is to be airtight and information-rich — ready to provide and confirmed as compliant before an inquiry sends your data and marketing teams scrambling.
It is also important, industry-wide, that we prepare for the precedent that the CCPA sets. We cannot let the critical, pro-consumer data protection landscape become a state-by-state phenomenon.
One Law Versus 50
While CDPR gives consumers a necessary advantage — ensuring their private information is kept under tighter controls — it also puts parameters on the ability for businesses to transact with consumers and hems in opportunities for certain technological developments. These limits are not necessarily a bad thing, but CDPR does require businesses to comply with measures they never had to deal with before.
And here’s what the industry needs to know about that scenario: When it comes to compliance, one federal law is what we need. For organizations transacting with consumers in the digital space, having to comply with 50 distinct data privacy laws would amount to a logistical nightmare, crippling efficient operational processes and causing the user experience to suffer.
Furthermore, any ecosystem composed of 50 different CDPR regulations implicitly means that only the richest players will prosper. The costs of compliance would unduly favor duopoly and triopoly systems, and these are the behemoth data sellers that raise our largest data concerns in the first place. Even in Europe, this effect on the smaller players has been cited in recent months, and the outsize advantage for giants such as Google and Facebook has been noted as well.
Our industry cannot allow important pro-consumer lawmaking to create yet another cudgel for behemoth companies to beat down the innovators and agile players that make for a better, fairer marketplace overall.
Data Privacy: Pro-Consumer And Pro-Business
The rise of CDPR is poised to change ad-tech and mar-tech, but CDPR on a federal level, as opposed to state-by-state parameters, should not pose a threat to business. The opposite is true, in fact. Data protection laws embrace users, making them feel safe in communicating their preferences and conducting online transactions with the companies they love.
In support of these goals, marketers need to work toward providing the technical infrastructure and guidelines that will allow customers to easily participate in their ecosystem. And we must communicate to lawmakers the scale and scope that will make CDPR work best — federal legislation that creates an even playing field for all marketplace stakeholders.