FROM GDPR TO CCPA: AN FYI TO MARKETERS ON PERSONAL DATA PROTECTION
Published on May 26, 2020
From the pictures we post online to the websites we choose to visit, the most seemingly insignificant online activities now comprise a holistic repository of insights that marketers can use to better understand our wants, needs, and preferences. With the rise of social platforms that capitalise on a culture of (over)sharing, users have freely disclosed data points without a thought to privacy implications.
But amid ever increasing rates of data breaches or uncannily accurate marketing messages, consumer preferences are quickly changing. In fact, 80 percent of social media users are concerned that advertisers and marketers are accessing the data they post on social platforms. Regulators, in turn, have taken note, with some of the world’s most stringent data privacy frameworks emerging in the past five years following wide-scale data breaches involving social platforms.
In a bid to hold businesses accountable and to protect citizens online, the European Union’s General Data Protection Regulation and California’s Consumer Protection Act have catalysed a widespread revision of existing data collection, management, and analysis processes across every industry. Compliance may be key but marketers will need to balance regulatory demands while simultaneously delivering the same brand experiences that consumers have come to expect—one underscored by personalisation and relevance.
Contextualising data privacy frameworks
When read in full, legislation can feel overwhelming, intimidating even, in their breadth and depth. At times, it’s hard to even imagine how they actually translate to your marketing activity. While some rights stipulated will be more relevant to marketers than others, we can clearly see that each one directly corresponds to specific phases in the brand-consumer relationship. From the very first moment you engage a consumer to the moment that relationship ends, the most robust of data privacy frameworks aim to capture the full scope of that timeline.
In light of that, we’ve created a handy guide that unpacks specific areas of data privacy frameworks that we believe that marketers should really hone in on irrespective of where you might be.
A Matter of Consent
Most data privacy frameworks first begin with the issue of consent. For example, the GDPR requires that consent must be “freely given” in a “specific, unambiguous way” through “clear affirmative action”. On the other hand, frameworks such as Singapore’s Personal Data Protection Act (PDPA) are open to a broader definition of what constitutes consent—under the PDPA, businesses can use personal consumer data if they’ve obtained “deemed consent”. This means that if the individual—without actually giving consent—voluntarily provides the personal data to the organisation for that purpose and it is “reasonable” that the individual would voluntarily provide that data, this can be interpreted as consent.
Other distinctions across frameworks pertain to the difference between opting-in and opting-out. The CCPA specifies that consumers have the right to opt-out which means they can request businesses to refrain from selling their data to third-parties. However, the framework operates with the general assumption that any individual over the age of 16 has automatically opted in unless they request otherwise. In contrast, the GDPR forbids businesses from selling personal data by default unless consumers have opted-in through informed consent which can be withdrawn at any time.
Solidify Your Security
Security, security, security. We can’t mention it enough. As technology continues to increase in sophistication, so does the sophistication of cybersecurity threats and hacks. Brands can certainly apply best practises to maximise security efforts by practising data minimisation—collecting only what’s actually needed rather than what might be nice to have. Nevertheless, when it comes to the mechanics of security, most, if not all, privacy frameworks will stipulate that security arrangements should, as explained in Singapore’s PDPA, “prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks”.
How this ought to be done tends to vary across the board. The GDPR specifies clear data security requirements whereby personal data must be pseudonymised and encrypted and that data controllers and processors have the responsibility to ensure the “ongoing confidentiality, integrity, availability, and resilience” of processing systems. The CCPA and the PDPA, on the other hand, make no mention of explicit data security requirements in relation to privacy laws.
Any marketer would know that identity management is key to targeting, personalisation, and attribution. In light of that, CMOs need to be involved in decisions surrounding security policies. Selecting an infrastructure for your CDP that prioritises privacy-by-design is one way to ensure that your tech stack is optimised to comply with privacy frameworks. Aqilliz’s federated identity management platform, for example, leverages differential privacy to ensure that before consumer data is appropriately masked and cryptographically encrypted so that it cannot be reverse-engineered to reveal its raw state. Rather than accessing individual data points, marketers will only be able to see aggregated identities and audience profiles—providing a view of the forest rather than the individual trees.
While regulations may not always be clear about expected data security processes, security is definitely not an area to cut corners.
Automation vs. Autonomy
According to a 2019 report from the UK’s Information Commissioner's Office, real-time bidding remains contentious, shedding a light on systemic issues across the programmatic supply chain as it relates to insufficient consent. With data profiles that are “extremely detailed and repeatedly shared without the individual’s consent” on an automated basis, the general consensus is that RTB is incompatible with GDPR.
Why? Because of the GDPR’s clause on profiling and automated decision making.
Largely absent from other frameworks including the CCPA, as well as regulations in Singapore, India (unless in the case of children), and Hong Kong, this clause is definitely one to watch as it points to the grey areas of targeted marketing. Depending on the type of data collected, the rationale behind its collection, and the extent to which profiling activities can be construed as “intrusive”, advertisers and marketers may need to justify these “profiling” activities and make specific requests for consent from consumers in order to remain compliant.
Yet, with the amount of automation inherent to the programmatic landscape today, to what extent is it realistic to prevent consumers from being subjected to a decision based on “automated processes”? Unfortunately, there’s no easy answer to that question. While the GDPR specifies that this is applicable in cases where “legal” or “similarly significant” effects impact a consumer, these effects are not defined in detail.
However, marketers shouldn’t be remiss and take this as a loophole. To ensure the industry’s long-term future, the entire digital marketing ecosystem will need to foster ongoing relationships with regulators in order to promote a progressive balance where brands continue to engage with consumers meaningfully while stamping out areas of industry-specific ambiguity.
The cost of (non)compliance
The regulatory playing field is far from level with different jurisdictions taking different approaches to their data privacy legislation. Some countries place greater precedence on commercial benefits derived from the free movement of user data while others take on a more conservative approach with the goal of preserving individual freedoms and the right to privacy. Similarly, the ramifications for non-compliance also differ across the board. For example, GDPR caps its fines at up to €20 million or 4 percent of a company’s global turnover (whichever is greater) while the CCPA distinguishes between unintentional and intentional violations, with civil penalties ranging from US$2,500 to US$7,500.
With inconsistent priorities in mind, marketers will need to make an important decision when it comes to tailoring their practices based on where their target consumers are located and the geographical remit of relevant frameworks. Admittedly, the cost of compliance—depending on the current state of your tech stack—varies. According to a pre-GDPR survey of executives, 92 percent of those working at companies with over 1,000 employees expected this cost to climb to US$50,000. The resulting push and pull of dialogue between consumer interests, commercial goals, and regulatory protection has shown that data privacy frameworks are not a one-size-fits-all solution and cannot be taken as such.
As an industry, we need to work together to tackle regulatory ambiguities while establishing best practices of our own based on the most stringent of frameworks. Simply put, as we operate in a virtual landscape that evidently transcends political and national borders, localising strategies may not always be feasible. Instead, with the principles of privacy-by-design and conspicuous consent in mind, we can hope to develop far more robust infrastructures designed to adapt to regulations as they evolve. But for now, with GDPR as the de facto gold standard of privacy legislation, we’d say stick to that—it’s best to be safe than sorry.