Understanding Your Consumer Data Privacy Obligations
As part of the 2022 “Privacy to Market” symposium with the CDP Institute, James Riseman, Director of Product Marketing at Treasure Data, discussed the upcoming data privacy changes specific to the United States.
While the CCPA (California Consumer Privacy Act) was the first data privacy law established in the U.S., it’s not just about California anymore. Virginia was the second state to enact privacy legislation; the Virginia CDPA (Consumer Data Protection Act) was signed into law in March 2021. Shortly thereafter, in July 2021, the state of Colorado enacted the Colorado Privacy Act. Utah became the fourth state to follow suit when its governor signed the Utah Consumer Privacy Act into law in March 2022. Other states are also introducing privacy legislation (see Figure 1).
Figure 1. U.S. State Privacy Legislation Tracker from IAPP.
With this in mind, it’s important to start now to prepare your business for each new privacy law. Many of these privacy changes are happening in 2023. Virginia’s changes start January 1, 2023, and Colorado’s and California’s start on July 1, 2023. In California, the new regulations result from the CPRA (California Privacy Rights Act), which was passed in 2020 and amends and replaces the CCPA. Riseman noted that the CPRA modified the definition of “personal information” to encompass publicly available consumer information found through social media such as Facebook or Twitter. Sensitive personal information also includes financial data, precise geolocation, biometric information, and more.
So, how are these new laws going to affect your business’s consumer data privacy policies? First and foremost, you will have to meet certain obligations to ensure your customers’ personal data remains secure. For example, the CPRA requires two opt-outs on the home page. The first opt-out is for not selling or sharing personal information and the second one is for limiting the use of sensitive personal information. The data privacy regulations in Utah, Virginia, and Colorado are similar to California’s, except for some terminology. These states require an opt-in before you are allowed to use sensitive data or personal information, unlike California’s opt-out.
In addition, your business will have an obligation to fulfill user data requests, so you’ll have to develop mechanisms to receive these requests. According to Riseman, “This enables users to understand their data, to know what a company has been collecting about data, and to the right to be forgotten.”
Consent management is also going to be key, especially when it comes to using data about minors. This will limit targeted advertising based on behavior. “If you’re looking at advertising based on what a minor’s done on your site or what they’ve done elsewhere, you need to have that consent to be able to continue,” said Riseman.
Five Steps to Comply With Consumer Data Privacy Regulations
- Start by focusing on respectful communication. “You really get to the core of the issue and you’re going to earn the trust of your consumers as well,” Riseman says.
- Ensure data is highly usable and ties across profiles. If you have data silos, and have different consent to use data based on the platform, you need a way to unify this customer information. This helps you understand users’ privacy and consent preferences.
- Make data quickly accessible with compliance and respect. Executing a marketing campaign while in compliance with data privacy regulations is easier when data is quickly accessible.
- Support the Data Subject Access Request (DSAR) effectively. Consumers have the right to make requests to know the data available about them and the right to be forgotten. Be sure you are able to support these requests.
- Think about global scale. With different regulations around the world (such as the General Data Protection Regulation), Riseman reminds businesses to “think about how you can run campaigns globally and what tools and infrastructure you will need to make that happen.”
Having privacy policies in place is crucial because you don’t want to be caught unprepared. The consequences for non-compliance or a data breach can add up quickly. You could face penalties of $2,500 per violation and $7,500 per intentional violation or violation involving a minor.
How Can a CDP Help With Consumer Data Privacy Compliance?
While consumer engagement is strengthened by the use of data, your brand reputation is at risk if you can’t comply with data privacy laws to keep users’ data secure. As Riseman reminds us, “This all started because companies were not really respecting the privacy rights in their consumer data.” Consumer protection laws are a key reason many businesses are now leveraging a Customer Data Platform (CDP). Rather than dedicating significant internal resources to managing and updating custom-built proprietary systems that will need to continually adapt to new regulations, businesses can leverage the built-in capabilities of a CDP to manage many functions related to data privacy including data lineage, global governance, and respectful segmentation.
As the dates for data privacy regulations come closer, navigating this complicated web of laws can be easily managed with the right CDP. This is why Riseman recommends Treasure Data CDP as your CDP of choice, especially with the launch of Treasure Data’s Trusted Foundation. Treasure Data Trusted Foundation is a robust suite of features that enables you to manage cross-platform data privacy and consent preferences while breaking down data silos. It offers a unified approach to data collection, data protection, governance, security, and consumer data privacy. Riseman notes, “Trusted Foundation enables you to manage your reputation, and manage [consumer] privacy and consent requests.”