The debate around federal privacy laws and regulations has reached a fever pitch as consumers grow increasingly concerned about their privacy. States such as California are enacting strict and robust privacy laws on a local level.
As such, more thought is being placed into what a federal privacy law would look like and just how (and how much) it would protect consumers. A good source of inspiration for determining the appropriate approach to protecting your brand and your customers could be complying with the strictest policies. Not only is this a preemptive means of avoiding trouble but, more importantly, it will create the best and most trusted experience for your customers.
The top-down approach
It should come as no surprise that the General Data Protection Regulation (GDPR) is the strictest privacy regulation in force across the European Union. The fact that it covers such massive markets as the UK, Germany, France and the rest of the EU means that you can’t ignore it. The “who” in “who is covered” by the law is based on physical location: a French citizen residing in Los Angeles is not covered under GDPR; however, a Mexican expat living in Germany would be covered because they are a data subject in the EU.
That all sounds pretty straightforward, right? Not so fast. Imagine that both of these individuals have an @gmail.com address. How would you know where they are located or their national origin simply from an email address that carries no geographical designation, unlike an @yahoo.fr address whose .fr country-code top-level domain (TLD) at least hints at a location?
Instead of focusing on playing a game of “Where in the World is Carmen Sandiego,” companies should focus on establishing policies that comply with the strictest privacy laws. Not out of fear of the heavy monetary burdens of non-compliance, but because it’s simply good for business. This is the new standard for how brands must handle and care for customer data. It also happens to be the law in a growing number of places around the world.
Let’s briefly review what consent means under GDPR: consent under GDPR has to be freely given, specific, informed and unambiguous. However, predating the GDPR, Europe had the 2002 e-Privacy Directive, which more directly dealt with electronic marketing and set the standard around consent. Double opt-in is a solid means of complying with the requirements of adequate consent and control for GDPR and the e-Privacy Directive. It’s important to note that a Directive does not apply directly to businesses in the member states. Rather, an EU Directive requires every EU country to enact laws at the member state level that implement it. As a result, there are variations between member states, with some being stricter than others in how they implement the Directive. In the case of consent rules for electronic marketing, Germany tends to be the strictest by generally requiring a double opt-in. However, double opt-in is not the only requirement; things like pre-ticked boxes are anathema under GDPR. So you have to think through all of the ways that you are currently obtaining consent and whether that consent passes muster with the various consent frameworks.
If this sounds like it’s too far afield for businesses outside of Europe, think again. Companies are willingly establishing double opt-in mechanisms for new subscribers. This approach ensures that wherever a customer resides, the consent is being obtained in a manner that is commensurate with global privacy laws.
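To make the double opt-in mechanism described above concrete, here is an added example that is not code from the original article. It models the two consents the article distinguishes (the signup form, then the confirmation link), refuses a pre-ticked consent box, binds the confirmation link to the address with an HMAC so it cannot be forged or replayed, expires it after an assumed 48-hour window, and keeps the timestamp, source and IP of both steps as the consent record a complaint handler would ask for. The in-memory store, the demo signing key and the window length are assumptions constructed for the example.

```python
"""Double opt-in consent flow (added example; in-memory store, demo key and
48-hour window are constructed assumptions, not the article's own code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed demo key; a real deployment loads this from a secrets manager.
DEMO_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
CONFIRM_WINDOW_SECONDS = 48 * 3600  # assumed confirmation window


@dataclass
class ConsentRecord:
    """The evidence of consent: who, when, from where, via which form."""
    email: str
    source: str                    # form or page that collected the address
    requested_at: int              # first opt-in: signup form submitted
    requested_ip: str
    confirmed_at: Optional[int] = None   # second opt-in: link clicked
    confirmed_ip: Optional[str] = None

    @property
    def is_confirmed(self) -> bool:
        return self.confirmed_at is not None


class ConsentStore:
    def __init__(self) -> None:
        self.records: dict[str, ConsentRecord] = {}
        self.nonces: dict[str, str] = {}   # email -> nonce bound into its token

    @staticmethod
    def check_form(form: dict) -> None:
        """Reject what GDPR does not count as consent: silence or a pre-ticked box."""
        if form.get("consent_box_default_checked"):
            raise ValueError("pre-ticked consent box: consent not freely given")
        if form.get("marketing_consent") != "yes":
            raise ValueError("no affirmative opt-in on the form")

    @staticmethod
    def _sign(email: str, nonce: str, issued_at: int) -> str:
        msg = f"{email}|{nonce}|{issued_at}".encode()
        return hmac.new(DEMO_SIGNING_KEY, msg, hashlib.sha256).hexdigest()

    def start_signup(self, email: str, form: dict, source: str,
                     ip: str, now: int) -> str:
        """First opt-in. Returns the token to embed in the confirmation link."""
        self.check_form(form)
        email = email.strip().lower()
        nonce = secrets.token_hex(16)          # re-signup invalidates older links
        self.records[email] = ConsentRecord(email, source, now, ip)
        self.nonces[email] = nonce
        return f"{now}.{nonce}.{self._sign(email, nonce, now)}"

    def confirm(self, email: str, token: str, ip: str, now: int) -> ConsentRecord:
        """Second opt-in. Verifies signature, currency and age of the link."""
        email = email.strip().lower()
        try:
            issued_str, nonce, sig = token.split(".")
            issued_at = int(issued_str)
        except ValueError:
            raise ValueError("malformed confirmation token")
        if not hmac.compare_digest(sig, self._sign(email, nonce, issued_at)):
            raise ValueError("confirmation token signature does not verify")
        if self.nonces.get(email) != nonce:
            raise ValueError("confirmation token is not the current one")
        if now - issued_at > CONFIRM_WINDOW_SECONDS:
            raise ValueError("confirmation window expired; sign up again")
        rec = self.records[email]
        rec.confirmed_at = now
        rec.confirmed_ip = ip
        del self.nonces[email]                 # single use
        return rec

    def can_send_marketing(self, email: str) -> bool:
        """Only addresses that completed both steps are eligible for mail."""
        rec = self.records.get(email.strip().lower())
        return rec is not None and rec.is_confirmed
```

The point of keeping both timestamps and both IPs is that "we had consent" is only defensible when you can show when and how each step happened; the signed, single-use, expiring token is what turns the second click into evidence rather than a formality.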
But there’s another reason for this: uninformed consent is likely to breed higher complaint rates and certainly lower engagement. Recipients that don’t realize they have opted in to receive communications from a company that either purposefully or unwittingly obfuscates consent are far more likely to mark messages as spam. With inbox placement being such a user-driven, engagement-centric exercise, consent is at the heart of establishing and maintaining your email program.
Tangential to consent frameworks and privacy regulation, many companies are choosing to cull the oldest and lowest performing segments of their lists. This approach is a direct manifestation of the “less is more” approach to data management and email marketing. Being present in every inbox is not a recipe for success. Quite the opposite, actually — it creates risk that can affect your entire program.
The winds are shifting
States such as California are not waiting on the federal government to enact stricter privacy regulation. The FTC recently concluded its review of the 2003 CAN-SPAM law that controls the assault of non-solicited marketing. The conclusion of the 10-year review was that no changes were needed despite the massive evolution of the digital marketing space and the adoption of policies such as Canada’s Anti-Spam Law (CASL) and the GDPR in Europe. Essentially, the FTC concluded that the United States can remain an opt-out framework for email rather than moving toward an opt-in best practice.
During the 2018 election, Californians passed the California Consumer Privacy Act (CCPA) which brings California closer to a European framework than the FTC’s policies. The law is more focused on what happens to consumer data by controlling the sale of that data and giving consumers the option to prevent its sale and use.
Under CCPA, the responsibility of properly collecting, storing and handling consumer data now shifts to businesses that have significant data as part of or as a focus of their business. It allows Californians to determine what kind of data about them a business may possess, giving them access to that data and enabling them to opt out of having their data sold. Businesses will be forced to comply with CCPA if they have revenues of $25 million or more, annually buy or receive for commercial purposes the PII of 50,000 or more persons, or derive 50% or more of their annual revenue from selling consumer personal information. The law as it’s currently written is targeted at larger businesses where consumer PII is central to the business or represents a sizeable quantity of data.
But consent is only the tip of the iceberg when it comes to GDPR. How data is stored, handled, transferred and minimized are all major facets of GDPR. CCPA is similarly focused on the sharing and selling (and in some cases collection) of data of California residents, while broadly expanding consumer rights and access to their data. The short answer is that personal data and our ability to keep our data private are becoming increasingly important. The right to privacy is a basic human right according to European law, which ideologically is different from how we think about privacy in the United States. But the world is changing, and that change is being driven in part by the seemingly unfettered collection of PII and the outcries against it.
Data has enabled the success of a myriad of businesses and spawned a vast array of technologies that inform us about everything from how our cars perform to how we sleep. However, it’s impossible to discuss the benefits of big data without mentioning data breaches, scandals and the vast ocean of personal data that are all driving significant changes not only in our marketplaces but in legislative houses around the world. Both India and Brazil recently created privacy frameworks of their own. These changes outside of first-world countries foreshadow important milestones to take into account when considering the kind of compliance framework that will guide your opt-in practices, data handling and user access methods.
A prudent approach is to ask your legal counsel and seek specific privacy counsel and support to determine how your business might be affected by the coming changes. One thing is certain: this is not the world wide web of the 90s. We are in a new age, and the world is creating new laws to tackle challenging problems that have risen through the storing and analysis of huge data sets. The only question is: how will your business follow suit?