GDPR and California Privacy Act; What You Need to Know
Last July, the state of California passed extensive legislation relating to consumer data privacy. Any company involved in the use of private and personal data needs to take note, and see how this new law can impact their business practices. As noted in the Harvard Business Review, “The law’s passage comes on the heels of a few days of intense negotiation among privacy advocates, technology startups, network providers, Silicon Valley internet companies, and others. Those discussions have resulted in what many are describing as a landmark policy constituting the most stringent data protection regime in the United States.” With scandals all over the news of how Facebook has been using psychometric data to influence people’s emotions, Congress has passed laws allowing companies to sell your user data for profit, and a general trend of political radicalization through targeted online campaigns spreads like wildfire, it is important for companies to understand where they fit into the pattern, and how they will be impacted by this new regulation.
Under the new law California residents have a whole new array of protections including the right to know what kinds of data are being collected, and the reason for the collection. Furthermore, customers have the right to request the removal of personal data, to opt out of their information being sold, and to access their information in a “readily useable format”, ready to be shared with others whenever need be.
The law is also groundbreaking in its expansion of the sorts of data which are protected, as well as demanding an improvement of the standards and safety which are used to protect consumer data. The kinds of protected data include personal identifying information, biometric data, psychometric data, and even inferences made by companies on the basis of this information. This law therefore will have a huge impact on the sorts of marketing and sales techniques used by many companies, which rely on integrating much of this data to create sales plans, from widespread, public marketing campaigns to more individualized and personalized sales approaches.
This law would have a great impact on the current marketing practices, for example, of Facebook, Amazon, Netflix, and Google, as they use targeted ads to promote products and services. Allowing California residents to delete their data from these stores will require imagination on the parts of these advertisers, to figure out other strategies of sales in such large markets. This will be the case especially if other states follow California’s lead and enact similarly extensive consumer data rights legislation. These restrictions could also potentially impact marketing techniques of companies such as AT&T and Verizon, which generate customer data profiles based off usage statistics. Having such wide reaching implications in how, from the bottom up, companies are allowed to use people’s data is what makes thorough knowledge of this legislation key for any business moving forward with a digital marketing strategy.
The most important aspect of this laws reach, however, comes from how companies will choose to respond to it. There are two main options which exist:
- A total reworking of their current digital marketing strategy and data collection methods to comply generally with California law or
- A patchwork system meant to apply to only their California customers.
This second option is far more expensive than the first, and could result in consumer backlash as non-California residents feel resentment over dealing with different standards for their own protections and rights. The law is set to come into effect in 2020, so companies need to act fast to reorganize their strategies around marketing in this new regulatory landscape if they wish to continue their profits and outreach.
The integration of the Internet all over the world is what makes such regulation so powerful. Questions about the safety of Americans’ data in the hands of giant corporations became a much more pressing issue in light of Mark Zuckerberg’s testimony before Congress in April of 2018, concerning how Facebook would respond to a law passed in the European Union, the General Data Protection Regulation, with similarly groundbreaking impact as the law passed in California.
The General Data Protection Regulation (GDPR) was adopted in the European Union in April of 2016, in an effort to update an older data protection regulation from 1995. The law requires businesses to protect data and transactions of European citizens and residents of the EU. This regulation standardizes practices among European countries, and sets the bar high to ensure maximal consumer protection. This will require a large investment from companies in current infrastructure and strategy to comply with the new regulations.
The law has a far greater range of protection than the California Privacy Act, protecting Health and Biometric Data, racial and ethnic information, political opinions and data on sexual orientation, as well as standard private and personal data. Companies operating within Europe, or processing European data, employing more than 250 people, must have begun to comply with this regulation as of May 25, 2018.
GDPR has also described certain roles, namely a data processor, data controller, and data protection officer (DPO), who will be responsible for preventing and responding to breaches in the system and other violation of the regulation. Data controllers own the data, and data processors use and manage the data The controller is also responsible for ensuring that outside contractors are in compliance with the laws, which will cause companies to enforce the regulation among one another to avoid fines and penalties.
Under GDPR, much like the California Privacy Act, requires companies to keep their customers informed on how their data is being used and inform them of their rights and protections. Companies will need to invest in improving current infrastructure to meet the demands of this new regulation. Companies also face a much more intensive ultimatum than those companies dealing with the California Privacy Act, having to choose between completely different services between the European Union and the United States or Japan, requiring them to maintain the GDPR regulations across the board to prevent backlash from a worldwide consumer base. The cost of this is clear from the aforementioned testimony by Zuckerberg before Congress last year. After equivocating on how his company would apply these new European regulations across the board, at first stating clearly that they would and then later obfuscating what they intended to do with consumer data outside the EU, Zuckerberg faced sever criticism in the media.
In order to avoid these fines and penalties resulting from violating these new regulations, as well as loss of public trust as widespread support for greater privacy protections intensifies, companies must invest heavily in updating their practices to prevent data breaches, and have a clear and concise system to respond to such breaches in a timely and effective manner. This includes notifying customers of a breach as soon as possible and laying out explicitly the plan proposed to fix the current breach and prevent ones like it in the future.
As the landscape of regulations changes rapidly it is important for companies to keep up to data, and keep the company practices within regulation to avoid breaking regulations and, even worse, violating public trust with their data.