The following is a guest post from Angela Sultana, SVP and data policy officer at travel data company Adara. Opinions are the author's own.
For many online businesses and publishers, the last 12 months have required a steep privacy learning curve: first, to comply with the General Data Protection Regulation (GDPR) in Europe, and soon, to uphold the nuanced differences of requirements in the California Consumer Privacy Act (CCPA) — not to mention a mounting number of new data protection laws passed in other U.S. states.
Aside from data privacy and legal experts, not many employees at any given online business could easily define the difference between something like the GDPR and the CCPA. A lack of education on the subject could be a more pressing problem since those two laws aren't the only ones due for consideration.
Nevada recently passed its own privacy law, which is markedly different from the CCPA, and other states are in the process of designing their own. This follows post-GDPR data protection legislation introduced in Vermont and Colorado last year. Site owners will only face more privacy complexity from here, but there are best practices for managing the issue effectively.
Clarity helps create a path forward
Paradoxically, the GDPR and CCPA require businesses to use clear, plain language to explain their data collection policies. Unfortunately, the laws themselves are less clear for the companies subject to managing them. It's likely that many marketers reading this article still need clear language about how to adhere to these two laws correctly in their own environment.
GDPR in Europe requires transparency around notice and the collection of consent (opt-in). This specific requirement means many website owners must engage with visitors as soon as they reach their website. The most important elements of GDPR require that site owners gain consent that is:
- Obtained before data is collected
- Freely given, specific, informed and unambiguous
- Expressed through an affirmative action
The new California law, CCPA, offers a nuanced difference in which consent is based on a transaction. CCPA requires transparency around notice and the ability to opt out. The key points for site owners to consider are:
- Notice must be given at or before the point of collection
- An opt-out button or link must appear on each page where data is collected
- An easy mechanism must let consumers direct businesses to stop selling their information
New Nevada law shows more states will follow suit
At the end of May, Nevada quietly passed an amendment to its privacy law requiring website owners to notify site visitors that they can opt out of allowing their data to be bought and sold. Inside Privacy notes, "The act does not amend existing Nevada law defining a 'consumer' to be a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from an operator's Internet website or online service."
This is a less general definition of the term "consumer" than in California, where it means nearly any resident of the state — yet another nuance that must be incorporated into the flow of website or marketing campaigns.
These differences are not just for a company's legal counsel to understand, yet many companies don't have structures in place to quickly educate their marketers. Marketers need a better path to compliance as they utilize customer data for their own insights and campaigns, work with partners or sell goods.
Be ready for more to come
The differences between data privacy laws demand different responses from marketers who want to be compliant. While GDPR compliance can usually be managed with a notice as soon as someone visits a website, CCPA will require notice on any page where data collection occurs. This forces a company to determine a user's location and serve the correct experience accordingly, or subject people to redundant messages — potentially acquiring more opt-outs in the process. Nevada only requires this for a subset of the people who would count as consumers under CCPA.
There are good ways to use the practices of one law to get a head start with another. The data mapping requirements under GDPR can be utilized and expanded to determine the categories of personal information collected; sources from which that information is collected; the data collection's purpose and types of third parties that will see the data and consumers' personal information.
Similar notices required under U.S. law should already be provided under GDPR, including purpose and legal basis for data processing, recipients of the personal information, intention to transfer data to a third country and the data's storage period. Once complete, the same data mapping can be used to update privacy policies with the information needed for CCPA compliance.
Additionally, consent management platforms (CMPs), which review a visitor's location and serve the appropriate notifications and data collection, could be used to provide notice of data sale for CCPA. eMarketer noted that interest in CMPs has surged in the wake of laws like the GDPR — good news for marketers with the resources to implement the tools.
All marketers must still have a plan, regardless of their ability to use technology to help them.