In 2018, the European Union passed a digital privacy regulation called the General Data Protection Regulation (GDPR).  The goal of this regulation was to give control to EU consumers over the collection and use of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU Economic Area (EEA).  

GDPR has serious teeth: fines levied on companies for non-compliance have been swift and significant. See Marriott’s $85MM fine and British Airways’ $230MM fine as two examples.

But the GDPR only applies to EU-related entities and brands doing business in the EEA. It was the beginning of what is becoming a bigger challenge for marketers advertising in digital today: disparate data privacy regulations and laws. The most impactful U.S. laws currently on the books will affect all brand marketers running campaigns in California and will go into effect January 1, 2020.  

On that date, the California Consumer Privacy Act, or CCPA, takes effect. A more specific privacy law than the GDPR, the CCPA applies to any business that collects consumer personal data online while doing business in California and that also satisfies at least ONE of the following three criteria:

  • Annual revenues in excess of $25 million
  • Possesses personal information of 50,000 or more consumers, households or devices
  • Earns 50%+ of its annual revenue from selling consumers’ personal data

The CCPA is not solely a “marketing” issue. That said, the law does cause headaches for marketers who run digital campaigns across the U.S. They have a responsibility to address the multi-jurisdictional compliance demanded by the CCPA and similar laws that are or will be in effect in New York, Iowa, Maine, Ohio, Texas, Washington, Virginia, New Jersey, Alabama, Mississippi, South Carolina and Vermont. Each of these states has passed data breach laws or amendments that are either active already or will be in 2020.

So how can a brand marketer navigate all of this?  Rethink your approach to data handling and privacy while staying informed of the latest legal developments.  The following are a few recommendations: 

  • Investigate and confirm what personal information your company is collecting and how it’s being used for marketing purposes
  • Eliminate any consumer data that is not being utilized  
  • Review your agreements with all third-party partners who touch your consumer data
  • Run an independent audit on the service providers who have access to your consumer data to ensure they are in compliance
  • Prepare for the worst: put procedures and operations in place to handle a data breach and to produce the output needed to provide regulators
  • Update your brand’s privacy policy to comply with disclosure requirements and send out the updated notice to consumers
  • Develop a process to handle consumer requests for access or deletion of their personal data that is being sold or shared
  • Stay up to date with the latest news and industry point of view related to responsible data collection through the non-profit Network Advertising Initiative (NAI).

There is no silver bullet solution here. In today’s political climate, it is not likely that a divided U.S. Congress will push through data privacy legislation to set the standard under which all ad tech and marketing data processors and controllers would need to operate. Marketers and their business leaders should take action now internally to protect their business from the CCPA and other pending data breach and privacy laws that will be enacted in 2020.

Author: Sean Sweeney, Vice President of Client Development