“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Ines Henrich, VP of sales planning and media strategy at Aki Technologies, an Inmar Intelligence company.
When it comes to privacy legislation, denial often comes before compliance.
When GDPR went into effect back in 2018, some companies in the US simply ignored it, opting to shut down or limit operations in the EU instead of adjusting their data privacy practices.
But with privacy legislation in California (CPRA), Colorado (CPA) and Virginia (VCDPA) set to go into effect 2023, American businesses will have no choice but to accept and act.
How exactly does this trio build on the precedents that GDPR and CCPA have set? And what do companies need to do now to ensure compliance in 2023?
These laws will usher in an era of classification-based compliance, privacy assessments and restrictions to data sharing. Here’s how to prepare.
Understand the distinction between controller and processor
The EU’s GDPR identified two classes of businesses dealing with customer data: controllers and processors. Controllers determine the purpose of processing data; processors process data on behalf of the controller but do not determine the purpose for processing.
Virginia’s and Colorado’s laws borrow the controller-processor distinction from the GDPR, forcing US businesses that operate in those states to reckon with that taxonomy.
Most retailers and brands are considered controllers – and being a data controller under new legislation will come with new responsibilities.
One new hurdle to navigate? Data subject access requests. These requests are consumers’ way of invoking their rights to find out what data a company has collected from them and to delete or correct inaccuracies in that data.
Prepare for privacy impact assessments
The Colorado and Virginia laws introduce a requirement for data controllers known as a privacy impact assessment or data protection assessment. Conducting a PIA entails assessing the benefits of sensitive data processing for targeted advertising, customer profiling or other use cases relative to the risk data collection and usage pose to the consumer.
Not sure if you’ll have to conduct PIAs? Data mapping holds the answer. Data mapping is the practice of detailing how data moves throughout an organization. It helps businesses ensure they know exactly what data they are storing, how they are storing it and where it is going in order to limit risk, provide transparency to end users and comply with regulatory requests.
If it sounds daunting, fear not. Mapping can be automated, taking some of the burden off of businesses.
Adjust to data sharing restrictions
CCPA forced businesses to give consumers the right to opt out of sales of their data to third parties. But there was a lack of clarity about whether data sharing to facilitate targeted online ads constituted a sale and therefore required an opt-out opportunity.
But with CPRA, there’s no gray area.
The law explicitly defines “sharing” to include “cross-textual behavioral advertising” (or targeted advertising based on user behavior). This means the many brands that share data with ad tech providers to facilitate advertising will now need to develop opt-out capabilities for customers.
Brands will need to clearly state what data they are sharing and give consumers the right to opt out of sharing with third parties. This shift could present a major challenge not only in operationalization and compliance, but also in its potential impact on marketing. Marketers will also want to make the best possible case to consumers for necessary data processing and sharing, explaining the value exchange customer data makes possible.
Complying with new privacy laws will require some legwork, but if companies get it right, they can transform privacy challenges into opportunities. Eliminating regulatory liabilities is a big win, but shoring up consumer trust will be the most important victory.