GDPR and CCPA: The Precursors to More Data Regulation

A growing number of marketers today see data as a product. Companies that use it effectively maintain a sustainable advantage over competitors. For years, we as users willingly share some of our personal data in exchange for goods and services. These days, however, with the ever-increasing tension between data and customer privacy, more customers are becoming better informed (or at least more curious) about how their personal data is collected and used. All of this impacts how we as marketers will reach them in the future.

With the General Data Protection Regulation (GDPR), Europe has taken the lead on protecting users’ data privacy. In contrast, the U.S. has only enacted a patchwork of specific laws to protect consumer data. One thing’s clear: broader regulation will come. As it does, marketers need to focus on data compliance in addition to thinking through how to reach those audiences.

Saving Private Data

Years in the making, the GDPR represents the first broad legislative attempt at protecting user privacy in May 2018. Those of you who work at multinational companies, or for companies that do business in European Union countries, have probably spent time and resources working toward GDPR compliance. We’re starting to see GDPR fines levied against companies like Google, Marriott and British Airways. For those who want to keep a closer look, here’s a site that maintains a running list of GDPR-related fines.

But what if you’re a marketer for a small business or even a larger company that only does business in the U.S.? Why should any of this matter? Because here in the U.S., even though we don’t have broad legislation in place like GDPR, the FTC recently fined Facebook $5 billion for privacy violations related to its involvement with Cambridge Analytica—the largest fine ever for the federal agency.

There’s also activity at the state level. Vermont recently enacted a law requiring data brokers (companies who license or sell Vermont resident customer data to third parties) to register officially. Beyond registering, the law also requires these companies to clarify whether consumers can opt out of data collections, whether it lets consumers restrict who can buy their data, and whether they’ve had any data breaches in the past year.

What can marketers do to prepare for increased regulation?

Understand your organization’s GDPR and CCPA compliance status

Both the GDPR and CCPA require companies to provide clarity on how it collects, stores, shares and uses data. It also required companies to provide clarity on what opting in for marketing materials entails, and that starts with getting user consent. Even if GDPR doesn’t directly impact your current marketing efforts, the California Consumer Privacy Act (CCPA), probably will. That’s why understanding how your company accesses first-party (data your company collects directly from a customer), second-party (customer data from social media sites, for example), or third-party data (from sources that don’t have a direct relationship with customers, like data brokers) will serve you well.

Dedicate time to consolidate data repositories

Once you have a better grasp of the scope of the aggregate customer data, it’s time to think about a Customer Data Platform. It allows collection of anonymous visitor data and can be used to augment Customer Relationship Management (CRM) data about known and potential customers.

Emphasize first-party data over third-party data

Increased regulation means marketers will need to do more with less data. I agree with Decoded Founder and CEO Matt Rednor here. Even before regulations like GDPR take effect here in the U.S., this is the time to spend cycles re-architecting and perfecting how your company collects, stores and uses first- and second-party data. Whatever form increased regulation takes, it’s time to prepare for compliance. Facebook’s already changing itself. More social networks and other companies are making changes for compliance as well. 

How’s your company preparing for GDPR and CCPA? Here are some resources to consider:

• The European Commission’s official GDPR site: This site offers the most comprehensive overview of GDPR and related information such as a list of data protection authorities by country and a data protection infographic.
• IBM’s GDPR Framework page: This is a good resource for corporate enterprises that still have more GDPR compliance work to do. Their structured, five-phase self-assessment can give you a sense of where you are. The IBM Data Responsibility and the GDPR video provides an excellent overview.
• Gartner’s Are You Ready for GDPR?: Good resource for large enterprises working to go beyond compliance in preparation for regulation that’s coming to the U.S.
• HubSpot’s GDPR Compliance page: This has lots of general information about GDPR. I really like the Important Components of the GDPR section at the bottom of the page. Also, if you’re just starting to dig into GDPR, start with their GDPR Glossary.
• Fast Company’s list of data brokers: Besides providing a pretty extensive list of data brokers that buy and sell your personal data, it includes details on various ways to opt out or how to file a complaint with the FTC.
• Vermont’s Act 171: This is a state law aimed at making data brokers more transparent.
• CCPA: This is the bill that was passed last year slated to go into effect on January 1, 2020.

Photo by Glen Carrie on Unsplash