Is Your Organization Ready to Comply with Privacy Protections?
Issue 84, December 1, 2022
A wise man once told us when thinking about a significant life event, “We can be prepared, but we’ll never be ready.” So, it may be a stretch to connect mortality with privacy laws, but we would argue that most organizations are neither prepared nor ready to deal with the privacy changes at the state level in the United States and countrywide in many countries around the globe.
And here we are, several weeks away from the California Privacy Rights Act (CPRA), a follow-on to the California Privacy Protection Act of 2018, parts of the Colorado Privacy Protection Act, Virginia Privacy Law and others taking effect January 1, 2023. If you are a globally focused organization, what many describe as international, the Digital Services Act (entering into force February 2023) and the Digital Markets Act (parts in force November 2022 and fully by May 2023) covering the entire European Union are going to significantly impact your organization.
Additionally, other countries like the UAE, Saudi Arabia, United Kingdom and Australia have or will soon have individual digital privacy protection laws modeled after the European Union. Each is a landmark shift in how any organization connects with its stakeholders online and collects their data.
We raised several red flags last summer (2022) encouraging introspection, analysis and consideration of changes in strategy and tactics: we revealed what inference data is and how the new laws define it, called attention to being forewarned and forearmed about how data management and collection are going to change, and, over two issues (Privacy Regulation Update: The Doors Are Locking on User Data and Breaking News: New Privacy Updates), discussed the legislative updates in detail.
If you haven’t yet mastered the knowledge and awareness you need, now is the time. At this time of year, we tend to get distracted by the holidays and often become nostalgic looking backwards on the year that has nearly passed. We would caution that looking backwards or being distracted will come with unintended consequences impacting what you and your organization seek to achieve in 2023.
Data is the Holy Grail of Customer Insight
If data is the holy grail of customer insights, today and for the future, every organization will need new tools to wean us off purchased third-party data, new strategies to support zero-party and first-party customer data capture capabilities, and continued improvement in the delivery of value to customers and stakeholders, ensuring they understand how their data will be used. Key to this is to assure them that their permission to collect and curate their data will enable you to deliver customized, personalized value.
Simply stated, you will need a network and ecosystem rich with first-party and zero-party data.
Why Should Every Organization Comply?
We would suggest the above isn’t a sound business strategy, but sadly some organizations we have talked with over the past year have taken that position. A head scratcher? It is to us. Like most decisions organizations face, a path or direction is not always so black and white.
Here’s a quick recap and what’s in store.
There is urgency at this point to plan for the impact of the new laws and regulations. There are five states with new comprehensive consumer privacy laws taking effect in 2023: California, Virginia, Colorado, Utah, and Connecticut. If an organization does business in any of these five states, unless exempted by the law, it must adhere to the new regulations. A technical summary is provided by legal firm ArentFox Schiff:
- The California Privacy Rights Act (CPRA) – Effective January 1, 2023. The CPRA applies to for-profit businesses that do business in California and meet any of the following: have a gross annual revenue of over $25 million; buy, receive, or sell the personal data of 100,000 or more California residents or households; or derive 50% or more of their annual revenue from selling or sharing California residents’ personal data.
- Virginia Consumer Data Protection Act (CDPA) – Effective January 1, 2023. The CDPA applies to businesses in Virginia, or businesses that produce products or services that are targeted to residents of Virginia, and that, during a calendar year, control or process the personal data of at least 100,000 Virginia residents, or control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.
- Colorado Privacy Act (CPA) – Effective July 1, 2023. The CPA applies to organizations that conduct business in Colorado or produce or deliver commercial products or services targeted to residents of Colorado and satisfy one of the following thresholds: control or process the personal data of 100,000 Colorado residents or more during a calendar year, or derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 Colorado residents or more.
- Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA) – Effective July 1, 2023. The CTPDA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, and meets one of the following thresholds: during a calendar year, controls or processes personal data of 100,000 or more Connecticut residents, or derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Connecticut residents.
- Utah Consumer Privacy Act (UCPA) – Effective December 31, 2023. The UCPA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, has annual revenue of $25 million or more, and meets one of the following thresholds: during a calendar year, controls or processes personal data of 100,000 or more Utah residents, or derives over 50% of the gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents.
Revisit our previous updates to better understand the EU’s Digital Services Act (DSA) and Digital Markets Act (DMA).
Reuters reports that based on the laws, organizations will need to flow deletion and opt-out requests down to service providers, contractors, and third parties to whom the organization has sold or shared personal information. And it cascades: Service providers and contractors likewise must notify their own service providers, contractors, or third parties of such requests.
Consider the complexity of the interdependent networks organizations often build without recognizing the necessity for change and adaptation. It’s complicated. Consider the changes in how and what data is collected and by whom. Then, who shares it, and who is dependent upon that data. And then, how it is measured, or how to use measurements based on only a portion of the data that an organization once had. All this requires a thoughtful plan that addresses the strategic challenge, the necessity for change and the tactics required to bring those changes to implementation.
Reuters also reports the new regulations now specify that the “purposes for which personal information is collected or processed shall be consistent with the reasonable expectations of the consumer, based on several factors:
- The relationship between the consumer and the business.
- The type, nature and amount of personal information collected or processed by the business.
- The source of the personal information and the business’s method for collecting or processing it.
- The specificity, explicitness, and prominence of disclosures to the consumer about the purpose of collection or disclosure.
- The degree to which the involvement of service providers, contractors, third parties or other entities in the collection and processing of personal information is apparent to consumers.”
Let us consider here how the above relates to:
- Inference data that is generated by users by their actions and activities (or lack thereof).
- How each state and country/region define inference data.
- What data is able to be collected in order to provide a service or conduct a transaction (necessary data).
- What an organization can no longer collect without permission/consent.
- What data simply cannot be shared with any other organization or person.
Marketing and Data Collection
Permission-based, first-party data is the new world order. The regulations define the purposes for which organizations may collect, use, and disclose sensitive personal information without needing to offer consumers a right to limit such collection, use and disclosure, according to Sarah Holbrook, tech analyst. She adds, “If an organization hopes to gain deeper engagement, unmediated by another party and voluntarily shared by its customers, high-quality content will be the key. Creative marketing innovation offers an opportunity to differentiate and incentivize engagement. Customized affinity activities targeted to different consumer cohorts, brand-based newsletters appealing to different target audiences, games, events, or other activities can all be elements included in an innovative zero-data marketing stack.”
- Apple’s privacy protocol ATT (App Tracking Transparency) dammed up the consumer data stream. As Apple states, “Starting with iOS 14.5 and iPadOS 14.5, apps are required to ask your permission when they want to track you across apps and websites owned by other companies. You can change your preference for any app or prevent apps from asking for permission entirely in Settings.”
- First-party data accumulates in the background as customer activity unfolds on a proprietary site. This is a major advantage for organizations where the customer journey progresses from search to conversion; in retail, think: Amazon, Target, Walmart, etc.
- Zero-party data is one step closer to the customer. It is data freely shared by a customer through loyalty programs, contests, promotions, surveys, and other incentives that require engagement. The hurdle to accessing zero-party data is higher. Ad-tech platforms are developing formats to capture and organize this data, but the aim of truly understanding customers requires creativity.
- Where things get interesting is in the mix. First-party data, (SMS chats, purchase patterns, email click-throughs, browsing behaviors), combined with shared zero-party data offer organizations an opportunity to get things right.
The Journey to Privacy Compliance
Organizations should be reviewing and planning privacy programs. They should also ensure that their workforce clearly understands the new policies and how they are relevant to the organization’s operations.
Gartner cautions that “the risks to a multi-country business strategy drive a new approach to the design and acquisition of cloud across all service models, as security & risk management leaders face an uneven regulatory landscape with different regions requiring different localization strategies. As a result, data localization planning will shift to a top priority in the design and acquisition of cloud services.”
Further, Gartner advises that “the increasing complexity of analytics engines and architectures mandates that vendors incorporate a by-design privacy capability. The pervasiveness of AI models and the necessity to train them is only the latest addition to privacy concern. Unlike common data-at-rest security controls, privacy-enhancing computation (PEC) protects data in use and by 2025, 60% of large organizations will use at least one PEC technique in analytics, business intelligence and/or cloud computing.”
What’s more, “Once AI regulation becomes more established, it will be nearly impossible to untangle toxic data ingested in the absence of an AI governance program. IT leaders will be left having to rip out systems wholesale, at great expense to their organizations and to their standing.”
The user experience presents its own challenges. According to Gartner, “Forward-thinking organizations understand the advantage of bringing together all aspects of the privacy UX — notices, cookies, consent management and subject rights requests (SRR) handling — into one self-service portal.” By 2023, Gartner predicts that 30% of consumer-facing organizations will offer a self-service transparency portal to provide for preference and consent management.
And finally, with the institutionalization of hybrid and remote work, both the opportunity and desire for increased tracking, monitoring and other personal data processing activities rise, and privacy risk becomes paramount, states Gartner. They recommend that organizations take a “human-centric approach to privacy, and monitoring data should be used minimally and with clear purpose, such as improving employee experience by removing unnecessary friction or mitigating burnout risk by flagging well-being risks.”
And the privacy process is a journey. According to ArentFox Schiff, organizations need to be prepared for future updates that are in the pipeline. The list includes:
- Making updates to privacy policies.
- Implementing data subject request procedures.
- Reviewing how your business is handling AdTech, marketing, and cookies.
- Reviewing and updating data processing agreements.
- Reviewing data security standards.
- Providing training for employees.
By year-end 2024, Gartner predicts that 75% of the world’s population will have its personal data covered under modern privacy regulations.
Gartner also predicts that large organizations’ average annual budget for privacy will exceed $2.5 million by 2024.
Social media platforms, particularly in the European Union, are going to be very challenged with the new laws and the necessity to align to the social media charters that set forth what they can do and how they will do it to be compliant with a government’s requirements.
Changes in what data can be collected combined with a growing desire across society to limit a user’s exposure to “fake-news,” combined with concerns about participating in platforms that run counter to one’s belief and values, are rattling online revenue models based on data and advertising.
We already see Twitter losing 1/3 of its advertisers. We see bipartisan groups pressuring Facebook and Twitter to change how they manage user data and where it is stored. Oddly, there is a black box for Twitter, as the government wants to ensure access to Twitter’s data for research purposes remains available and permitted by Musk.
We’re facing a challenging time that requires urgency to understand how the laws directly or indirectly will impact your organization. Procrastination is not a friend. But fear not. Our team at 2040 can help you wade through all the fine details and ensure that you are protected and compliant. We’re here to help you, and we are experts at helping organizations of all sizes deal with privacy … and more!
Get “The Truth about Transformation”
The 2040 construct for change and transformation. What’s the biggest reason organizations fail? They don’t honor, respect, and acknowledge the human factor. We have compiled a playbook for organizations of all sizes to consider all the elements that comprise change, and we have included some provocative case studies that illustrate how transformation can quickly derail.