“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Guy-Thomas Barbier, country manager, North America, at zeotap.
The General Data Protection Regulation (GDPR) should be viewed as a positive change for the industry because it puts customers back at the center of marketing where they belong. But how is it working so far and what can the United States learn from the experience as CCPA looms on the horizon?
Although European authorities haven’t officially disclosed the number of fines levied under GDPR, it’s estimated that approximately 100 organizations have been fined, according to TechRepublic. In January, French authorities famously fined Google 50 million euros for collecting personal data without providing transparency on how it would be used to personalize ads on its platform. In July, the United Kingdom levied major fines against British Airways and Marriott International for data violations.
Giant companies aren’t the only ones at risk. A Swedish school board was fined 200,000 Krona – about $20,000 USD – for using facial recognition to track student attendance. In Spain, LaLiga was fined 250,000 euros after users discovered the football match app used smartphones’ microphones and GPS to identify pubs that were unofficially streaming games without paying for broadcasting rights. Truly, no organization is exempt.
What many companies still get wrong
A common GDPR breach is the cookie pop-up banner on a corporate website that doesn’t allow users to access content unless they accept the cookie policy. Other companies still make it difficult for users to opt out, delete or transfer their data because these options are presented in legal language that’s challenging to decipher.
Using plain language is required by GDPR. There’s no doubt many are still leaving themselves open to fines.
There also needs to be better customer support and more avenues for customers to opt out of data collection. Every organization must have the proper mechanisms in place so whenever users reach out via their social media accounts or website, someone – who is versed in GDPR – can help them get their consent revoked.
There also needs to be more education to help consumers better understand data as a whole and what part of the data is PII or GDPR-sensitive. It’s a lightning-rod topic with a lot of negative press around it, and consumers are starting to demand clarity.
When Facebook became more transparent about its lists that contain user information, people started to check out the “Your Ad Preferences” on the platform to see which companies use their data to advertise directly to them. This can be very enlightening to consumers, many of whom will ask for their data to be deleted.
While potentially disadvantageous to the platform, it’s necessary to stay compliant in an ever-tightening regulatory environment. However, once customers understand that no PII data is being used, sometimes they are less inclined to opt out. Transparency and education are key.
Enter CCPA
Absent a comprehensive federal privacy law, the California Consumer Protection Act (CCPA) is the most significant state legislative privacy development in the United States and will take effect on Jan. 1, 2020.
CCPA operates on the basis of “informing the user” vs. GDPR’s “asking for consent.” CCPA requires opt-out mechanisms for consumers to suspend data collection and usage, while GDPR requires users to opt in. And like GDPR, the CCPA’s impact is expected to be global, given California’s status as the fifth largest global economy.
While CCPA is not expected to be as strict as GDPR, it still represents significant progress in protecting consumers and their privacy. Of course, it will pose a challenge to American companies. Most significantly, although it only applies to California residents, it’s difficult for enterprises to segregate users and apply different data privacy procedures. Most likely, for simplicity, businesses will apply CCPA homogeneously across users regardless of their location.
Getting ready
When GDPR went live in 2018, many organizations opted to get GDPR certifications as a way to demonstrate strict adherence to the regulations. American businesses should determine what kind of external facing certifications or materials will satisfy stakeholders and ensure they’re implementing the right modifications to adhere to CCPA.
Companies must educate their employees on the new regulations as soon as possible if they haven’t already done so. There are many outside advisers that can offer training, such as IAPP, Future of Privacy Forum, TrustArc or OneTrust.
Stepping up customer support for consumer opt-out will also matter here. The teams or individuals that handle the CCPA transition must also inform their peers about the new or modified processes and how it will affect their day-to-day jobs.
There will be companies that will still make it hard for users to opt out or delete/transfer their data. As seen in Europe, some companies either hide this option or write in arcane legal language. Don’t make the same mistake, as it alienates users.
At the end of the day, it’s about regaining the trust of consumers. The more ethical – and now legal – way to gather data is by being transparent and straightforward with customers. Privacy regulations are proliferating, not going away.
Follow zeotap (@zeotap) and AdExchanger (@adexchanger) on Twitter.
