Data privacy has become the hottest topic for every senior leadership team thanks to Europe’s General Data Protection Regulation (GDPR), which has been in force for over a year, and the California Consumer Privacy Act (CCPA), which takes effect in January 2020.
But if that is all you’re talking about, then you are missing the point. It is much bigger than you might imagine. Laws that regulate how companies can share data and personal information are under review in over 60 other countries, along with 25 U.S. states and Puerto Rico (Congress is consideringseveral federal standards as well). With different jurisdictions in the U.S. and a growing number of other countries jumping into the fray, the prospects of quickly managing this become a logistical nightmare.
Perhaps with GDPR, you decided to stop operations in Europe? Believe it or not, that’s precisely what many companies did. Or, if you are in the U.S. you’re thinking: I’ll reconsider my operations in California. If you do that, then be prepared to dump a market that is the world’s 5th largest economy just because your strategy is to put your head in the sand. We all need to pull our heads out of the sand and evaluate how we manage this properly, or it could lead to significant business interruptions—or worse—loss of revenue.
Marketers and advertising leaders need to wake up, do the homework and prepare their people and infrastructure for sweeping changes. Companies must upgrade internal compliance departments and toss out legacy systems while reexamining (or ending) their relationships with third-party data providers that pose technical and legal risks.
Remember, the consumer has made it clear that they are ready for these regulations.
Business success comes from a consumer-first approach, so pay attention and respect what your customers are asking for, not to mention it is the right thing to do. The only option is a more transparent and compliant ecosystem because both consumers and marketers will benefit.
The Logistical Nightmare of Data Privacy
Every state and nation working to pass data privacy legislation has a slightly different set of guidelines and requirements within their proposed laws with varying degrees of enforcement. That drops business owners into pure chaos. Rather than focusing on just one or two standards like GDPR or CCPA now, the prospects for implementation include dozens of unique requirements.
While we all have a responsibility to protect consumers, this quickly becomes a logistical burden. Companies are now facing the risk of breaking laws they didn’t know even exist. Many companies operate within multiple state and international jurisdictions, and so may run afoul of state or country standards if they’re not careful.
Given most executives don’t have the bandwidth to become data privacy experts themselves and their P&Ls won’t support large legal teams to wade through this web of regulation and enforcement. Companies need the right people, technology, and partners to ensure they’re mitigating risks.
Compliance Is Key—Yet Full of Complications
Workers in internal compliance departments must quickly adapt to the moving target across states and countries. Good luck with that!
The compliance role is already a big enough challenge with the gray areas around GDPR and CCPA. Compliance and Privacy Officers are still holding their breath on how case law will shake out as it relates to the courts interpreting the law.
Remember, those significant fines are just starting to come in for GDPR, so the actual risk is still unknown?
Of course, finding the right tools will be necessary to address the logistical confusion efficiently. Advertising is an enormous $628 billion industry that’s entirely dependent on data, but that information is often stored on legacy or outdated servers that aren’t backed up and thus are highly vulnerable to attack. As such, they almost certainly don’t comply with new standards. Not to mention, most of those data sources are not proactively acquiring consumer consent, which is the backbone of most pending regulations.
You can’t afford to keep these old systems around, because GDPR and CCPA (along with the many privacy bills in the pipeline) will hold violators accountable. I’m guessing that nobody wants to give away up to 10M Euros or 2% of worldwide revenue because they refused to take their head out of the sand! Advertisers may think they’ve anonymized their data banks, but if they make one wrong move in the modern data-driven marketing ecosystem, they could face a hefty fine or even jail time.
Not all the news is so grim. These privacy laws also present a massive, overdue opportunity to abandon old servers, rewrite applications, upgrade systems across the enterprise, and align with partners that are proactively solving for a consumer-first data strategy. Some marketers will panic when they see the bill for the upfront costs and resources associated with this work. But if these new regulations convince industry leaders to incorporate modern, advanced technology into their infrastructure, that’s a silver lining in the short term and a massive win in the long-term. And, let’s not forget that to win in marketing the consumer must come first. At the heart of all the pending regulations is a return to a focus on the consumer as it relates to data.
Third Parties Will Go the Way of the Dodo
Nobody will argue with data being the dominant force within the ad-tech ecosystem. In large part that has been driven by the low-cost, high volume third-party data providers. The problem with this model is that consumers are completely removed from the conversation. Third-party data providers do not have the infrastructure, protocols or business models to gather compliant data where the consumer is providing consent. This means they will not be compliant with these new laws and the astronomical costs to right that ship means they will soon go the way of the dodo—completely gone.
Remember, it is the consumer’s personal identity that is fueling the revenue for these third-parties. At a very basic level, all 60 countries and 25 U.S. states have put the consumer firmly at the core of their pending legislation. These regulations are forcing the industry toward greater transparency and greater inclusion of the consumer around data.
The Regulatory Landscape is Complicated but The Next Steps are Simple
Advertisers have two options: 1) bring data collection and management resources entirely in-house for a zero-party data approach or (2) find new partners that can deliver first- or zero-party data. Maintaining relationships with third-party vendors becomes a risky proposition.
Yes, modern data privacy is a logistical nightmare, but with the right partners and internal preparation, I see more opportunity than risk as the industry moves toward a completely new operational standard with consumer data.
I continue to be surprised at the large number of business leaders who are just ignoring the risks that are right in front of their nose. As I see it, the next steps are pretty simple: take privacy seriously, listen to the customer, find partners that can build contingencies and new opportunities for growth. There is a proven history of businesses growing when they take advantage of the chaos around them. But, I assure you that the opportunity vanishes if you keep your head in the sand.