A growing patchwork of domestic and international data privacy bills is being rapidly bolstered and enacted
Recent data privacy scandals have sharply focused the attention of regulators and lawmakers on big data, ad tech and direct marketing. In response, a growing patchwork of domestic and international data privacy bills is being rapidly bolstered and enacted.
Digital marketing, by its very nature, involves the collection, use and dissemination of personal information in one form or another. The recent onslaught of data privacy legislation has left marketers scratching their collective heads as to what "personal information" means nowadays and how they can comply. Interestingly, very similar considerations have the Federal Trade Commission calling on Congress to enact federal privacy legislation that balances consumers' concerns with businesses' need for clear rules of the road.
How has all of the legislative activity actually impacted digital marketers? How is it likely to do so moving ahead?
To begin with, as digital marketing has become more sophisticated, regulatory scrutiny has increased. The misuse and abuse of consumer data has resulted in countless investigations and enforcement actions initiated by state attorneys general and the Federal Trade Commission. The Facebook-Cambridge Analytica data breach scandal has certainly been a contributing factor.
Generally speaking, from lead generation to telemarketing, regulatory agencies have aggressively pursued, and will continue to pursue, digital marketers that do not live up to their security and privacy promises, that collect consumers' information without clearly disclosing how it will be used, and that use consumers' information in ways that were not consented to or reasonably anticipated.
Governments worldwide have now stepped up legislative efforts in a big way.
EU’s General Data Protection Regulation
The European Union’s General Data Protection Regulation (GDPR) received virtually all the attention in 2018 in terms of privacy and data security legislation. It is now the primary law regulating how companies, including digital marketers, protect the personal data of EU residents.
GDPR affects businesses located both inside and outside of Europe and comes with hefty fines for non-compliance (up to 20 million euros or 4% of global annual revenue, whichever is greater). Covered entities must know what consumer data they possess, ensure that proper consent is obtained and vet their service providers. GDPR’s impact on data-driven business cannot be denied. However, many believe (or have no choice but to believe) that the regulation is actually a positive development.
Whatever your perspective, GDPR has changed US-based advertising. Due to the extraterritorial scope of the law, digital marketers in the United States are compelled to understand the key components of the GDPR if they collect, retain or use European consumer data. Additionally, GDPR is dissimilar from traditional data protection regulations in the US and, as a result, many marketers continue to struggle with how to comply.
Infographic by Digital Guardian
As with any responsible data inventory and mapping process, marketers should know what personal consumer data they have, the manner in which it was collected and whether that data pertains to European consumers. The latter now requires additional care and attention. Importantly, marketers must also realize that GDPR protects a broad range of data about individuals, whether identifiable or anonymous.
For example, marketers that collect EU consumer data are not able to collect and use cookie data, impression data or de-identified personal data without express consent [Note: the Federal Trade Commission regards data, including some persistent identifiers, as "personally identifiable" when it can be reasonably linked to a particular person, computer or device]. Under GDPR, consumers are required to affirmatively consent to the collection of their data and each intended use.
Marketers who use EU consumer data and continue to rely on the opt-out regime in the U.S. are asking for trouble. So are marketers who fail to provide consumers with meaningful control over their own data, who do not vet marketing service providers' data privacy practices, or who collect more information than is reasonably necessary. Digital marketers should consult with an experienced data privacy legal professional to understand the nuances of how GDPR (and other applicable legislation) applies to specific business models.
European data protection authorities have already started investigating and imposing fines for GDPR violations. For example, the UK Information Commissioner's Office recently charged a Canadian company with misusing the personal data of UK individuals for targeted advertising purposes. In France, La Commission Nationale de L’Informatique et des Libertes determined that a mobile ad network unlawfully obtained the bundled consent of tens of millions of people. In Germany, the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg issued a fine of €20,000 following a data breach at a social media company.
State Data Privacy Legislation Developments
While the European Union’s GDPR has had the data privacy spotlight for the past year, digital marketers should be paying close attention to what is going on in the United States. To some extent, the increase in domestic data privacy legislative activity is the result of myriad consumer data scandals, consumer advocacy groups’ cries for increased transparency into big data, GDPR, and the European Parliament’s criticism of domestic efforts to provide an adequate level of protection for the international transfer of personal data.
Colorado Cybersecurity Legislation
In May 2018, Colorado enacted far-reaching privacy and cybersecurity legislation. In short, the Colorado law requires covered entities to design and implement reasonable security procedures that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.
Covered entities are also required to implement vendor management programs, dispose of documents containing confidential information properly and ensure that confidential information is reasonably safeguarded when transferred to third parties. In terms of data breach incident response plans, Colorado’s new data breach notification timeframe is now the shortest in the US.
Massachusetts Written Information Security Programs
Of course, Colorado is not the first state to require the implementation of written information security programs (WISP). Massachusetts’ data security regulations require every company that owns or licenses "personal information" about Massachusetts residents to develop, implement and maintain a WISP. The WISP must contain certain minimum administrative, technical and physical safeguards to protect such "personal information."
Vermont Data Broker Law
Not to be overlooked and of particular importance to lead generators, Vermont recently enacted a data broker privacy law. The Vermont legislation aims to regulate businesses that collect, aggregate and sell data about consumers with whom the business does not have a relationship.
While the legislation is one of an expanding array of state laws regulating data privacy and security, the Vermont law is the first of its kind in the United States. It became effective on January 1st, 2019 and was passed, in part, in response to the Equifax data breach.
The law defines a data broker as a business that "knowingly collects and sells or licenses to third-parties the brokered personal information of a consumer with whom the business does not have a direct relationship." A "consumer" is defined as an individual residing in Vermont. Presumably, the law applies any time a data broker collects data about Vermont residents, regardless of where the business is located.
Brokered "personal information" includes any of the following data, if computerized and organized/categorized for dissemination to third parties: name, address, date of birth, place of birth, mother's maiden name, unique biometric data, name or address of an immediate family member, SSN or other government-issued ID number, and any other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify an individual with reasonable certainty.
Digital marketers must understand the scope of Vermont’s data broker law, whether it applies to their business operations, and the obligations and restrictions that the law imposes, including opt-out mechanisms, comprehensive data security programs, annual registration requirements and penalties for non-compliance.
California’s Controversial Consumer Privacy Act of 2018
California has long been a national leader when it comes to data privacy. In June 2018, the California legislature passed the strictest privacy bill in the country, the California Consumer Privacy Act of 2018. The legislation is heralded by consumer protection advocates as a historic step toward greater control for California consumers over their personal data.
The California Consumer Privacy Act takes effect on January 1st, 2020. It takes a GDPR-light approach and will significantly impact digital marketing business operations. Consider this: the Act expansively defines "personal information" to include browsing and search history, as well as inferences drawn from certain data.
As enacted, it provides consumers with the ability to request a record of what types of data a business maintains about them and how this data is being used by the business and third-parties. Covered businesses must disclose to whom they sell data and adult consumers will have the right to opt-out of such dissemination. Consumers under 16 years of age have the right to not have their personal information sold absent proper opt-in consent. Consumers will also have a right to erasure.
If that is not enough, covered website operators will be required to post a conspicuous "Do Not Sell My Personal Information" button on their websites. The California law will be enforced by the California Attorney General; however, it also creates a private right of action for data breaches. Statutory fines for non-compliance are significant under California’s new privacy legislation as well.
Since the bill was enacted, it has faced attack by privacy professionals as being overly broad and poorly drafted. While California legislators have made a number of amendments to the Act, many believe that major changes are urgently required.
Concerns range from the law’s application to affected stakeholders that did not provide input and substantial compliance costs to small businesses, to inconsistencies with GDPR and overbroad definitions. With respect to the latter, a number of definitions are imprecise and already causing substantial confusion and compliance hardships, including, without limitation, an expansive definition of "personal information" that reaches data about other people.
The current scope of the new California privacy law is causing uncertainty and, potentially, wasted expenditures. While it requires substantial changes before it becomes law, compliance requires careful preparation even though additional revisions and formal regulations are on the horizon. Marketers should already be assessing their sources of personal data, how that data is used and how it is shared.
Privacy Legislation Proposed in New York
Following the enactment of the California Consumer Privacy Act, New York has now proposed privacy legislation of its own, New York Senate Bill 224. While not as extensive as the California bill, the New York legislation, as proposed, would require a business that retains a customer’s personal information to make available, free of charge, access to, or copies of, all of the customer’s personal information that it retains.
The proposed legislation would also require businesses that disseminate personal information to third parties to provide various disclosures to consumers regarding what data is shared and with whom it is shared. It also calls for enhanced privacy notices and a private right of action.
Recently enacted privacy legislation is profoundly impacting the way that digital marketers operate. Government regulators across the globe expect digital marketers to prioritize consumer privacy and data security. Without limitation, compliance necessarily entails deliberate data mapping, data inventory, personnel training, updated privacy notices and vendor contracts, and conspicuous notice and choice mechanisms.
The time for digital marketers to make modifications to data storage and processing protocols is now.
*Attorney Advertising. Informational purposes only. Not legal advice.