Navigating Global Compliance and Consumer Privacy
By Rob Rokoff, SVP, Business & Corporate Development and Director UK + EU Expansion at Jornaya
The alphabet soup of international consumer privacy and data protection continues to evolve at a pace that is hard to keep up with. Yet, just keeping up is often not good enough for regulators. When reviewing current privacy legislation within the US and overseas, I am often met with the feeling that the acronyms are a twisted form of ‘alphabet sudoku.’
I’d venture to guess that if you’re reading this piece, you already know that consumer data is sensitive, personal and should be protected at all times. Even so, knowing something and implementing it into practice throughout your business are not the same thing.
With nearly 60% of the world’s population using the internet, lawmakers around the globe have stepped in to ensure online consumer data is kept private. For businesses everywhere, complying with new privacy regulations has become a top priority.
A 2021 Privacy Governance Report, which shared results of a global survey conducted by the International Association of Privacy Professionals (IAPP), found privacy budgets have increased significantly since last year, with organizations spending an average of $873,000 on privacy efforts. Among those surveyed, six out of ten expect their budget to increase next year and almost none expect budget cuts.
Online privacy compliance is complex with rapidly changing regulations that require time and expertise to protect consumer data and keep organizations out of harm’s way. To comply with new and emerging legislation, companies must first understand the ever-changing privacy landscape.
The current view of global privacy laws
In May 2018, the European Union (EU) enacted the General Data Protection Regulation (GDPR), a sweeping data privacy and security law that many consider to be the world’s toughest. The GDPR imposes regulations on organizations worldwide that target or collect data related to people in the EU, with hefty fines for violators.
In July, GDPR regulators made headlines when Amazon was fined a staggering $887 million for violating personal data processing regulations.
The EU’s GDPR is one of many new privacy laws impacting businesses and marketers worldwide. Brazil and South Africa enacted legislation in 2021, and new or amended laws are imminent in Japan, Canada and Australia. Even the UK is developing its own version of GDPR to add to the pot of privacy regs post Brexit.
The most significant global impact, however, may come from China’s first comprehensive data privacy law, the Personal Information Protection Law (PIPL). Enacted on November 1, the law creates new protections for hundreds of millions of consumers by requiring companies conducting business in China to enhance secure storage of user data. The law regulates how companies collect personal data, obtain an individual’s consent, and how data can be used when transferred outside of the country. The law also requires companies conducting business in China to hire a data protection officer.
Here in the United States, there is mounting pressure for comprehensive federal laws to protect consumer privacy and replace inconsistent state laws currently protecting Americans’ data privacy rights. California, Virginia, and Colorado have comprehensive privacy laws that protect people living in those states, with the California Consumer Privacy Act (CCPA), enacted in 2020, currently the most comprehensive state legislation on the books in the US.
In an era when as many as half of consumers have stopped buying from a company over privacy concerns, according to Pew Research, now more than ever, organizations must prioritize consumer privacy to build long-lasting relationships and customer trust.
How businesses can meet evolving privacy requirements
When I was 16 and had just received my Massachusetts driver’s license, I was soon pulled over by a police officer on my way to school. “Son, do you know how fast you were going just now?” I answered that I was unaware of my speed and I guessed at the actual speed limit; I was wrong on both counts. “Young man, ignorance of the law is not immunity from it.” Approaching a 30-year anniversary from that brush with the law, I cannot help but recall that story when asked about the current evolving state of consumer privacy and compliance across the US and globally.
What’s the local speed limit? Navigating these far-reaching and often broad regulations can be challenging for compliance teams, marketing teams and technology teams, particularly in businesses that have limited resources. How the data is received, stored, processed, accessed, retained and purged are just some of the pieces required for a comprehensive and compliant strategy. Does your in-house team have a firm grasp of both current and forthcoming policies and laws at the state, federal and international level?
How fast are we driving? For marketers, privacy laws often center around securing consent to contact customers or prospects and securely managing personally identifiable information, which is any information that can be used to distinguish or trace an individual’s identity. In recent years, definitions have expanded beyond PII as simply name, phone, email and address.
Communicating with customers through calls, texts and social media platforms is a vital component of a marketer’s communication strategy and the consumer experience. In the US, outreach to third-party generated leads must comply with the Telephone Consumer Protection Act (TCPA) and the Do-Not-Call Registry. TCPA requires express written consent from consumers before calling or texting mobile phones using automated dialers. The law is enforced by the FCC as well as individual states.
TCPA is one of the most heavily litigated consumer protection statutes in the US, with more than 3,000 lawsuits filed in 2019 alone. To avoid fines or complaints, businesses must know with certainty when a customer has consented for this type of activity and when they haven’t.
Innovative marketers are turning to companies like Jornaya that specialize in consumer consent and compliance to help reduce risk and ensure privacy standards are met, while building trust among prospects and customers with a consent-first approach.
The IAPP survey found three in four privacy teams rely on some sort of automated technologies for tasks such as demand signal repositories (DSRs), data mapping, cookie consent/website scanning and other privacy-related responsibilities. Given the ubiquitous use of automated technologies, data protection and compliance are increasingly imperative!
Jornaya recently partnered with UK-based lead certification platform Contact State to offer businesses increased insights into buyer journeys while expanding consumer consent marketing solutions across the UK and EU. Through this acquisition by parent company Verisk, Jornaya and Contact State help accelerate trust, transparency, and performance in the marketing ecosystem.
What organizations can do to stay compliant
Consumer privacy, often thought of as a compliance initiative, is now table stakes for all firms in the US, Western Europe, the UK, China and beyond. It does not live solely in a Legal or Compliance silo but must be an integrated approach across marketing, technology and compliance. By complying with regulations, organizations avoid fines, risks to brand reputation, costly lawsuits and most important, losing customer trust. The following steps can help ensure your organization is honoring consumer privacy:
- Follow the ‘Golden Rule of Data’. Treat any handling of data as we would want our own personal data handled. That includes partnering only with companies that follow the same standards transparently. We are all consumers.
- Respect consumer privacy. Know when and what a customer has consented to — and what they haven’t — and invest in a solution to document proof of those consents. Pro Tip: If you aren’t familiar with vicarious liability or you still believe your contracts can indemnify you, now is a good time to speak to outside counsel and check recent case law. Here in the US, it is continually very hard to convince the court and regulators that you can contractually indemnify your firm from consumer privacy violations.
- Hash personal identification and passwords. Within the customer journey, there should never be identifiable consumer information (name, email addresses, phone numbers, etc.). Hashing algorithms (which conceal an individual’s identity) are one example of how to stay compliant with most consumer privacy laws and keep consumers and your business compliant and protected. Many of the largest data leaks of the past 5 years would have been less painful for the brand, and the consumers affected, if those firms had made the investment to move their data collection and storage to a hashed methodology.
- Better to Ask for Permission, Not Forgiveness. It is crucial to stay ahead of state, federal and international regulations. It’s critical to follow changing legislation to ensure the safety of customers — and your business. Always remember, ignorance is not immunity to the laws of the land. As it has been said, a clever person solves a problem. A wise person avoids it.
The most responsible companies collect the information they need to make their customers’ experiences better and commit to securely managing their personal data to meet compliance standards. Honoring consumer privacy and understanding consumer preferences are equally the two most critical components of providing an exceptional customer experience.