Data privacy regulations are designed to give consumers more transparency into and control over how their data is collected, shared and used, especially as more consumers grow concerned about how their data is accessed and used by big data companies.
As more data privacy regulations go into effect, companies will face pressure to ensure they are collecting, using and sharing individuals’ information responsibly, while remaining compliant with constantly changing regulations and still being able to efficiently reach customers and prospects for sales and marketing purposes.
To be successful, companies need to evaluate their data and their technology stacks to determine the processes and tools they need to leverage for this. But first, it’s important to understand the privacy regulation landscape.
The current state of privacy regulations
In the United States, there isn’t a comprehensive federal data privacy law that dictates how personal information should be handled; it’s an overlapping web of individual state laws and regulations. This makes for a confusing and challenging environment to navigate.
Some of the federal data privacy laws are sector-specific, such as the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector or the financial sector’s Gramm-Leach-Bliley Act (GLBA). Others are at the state level, like the California Consumer Privacy Act (CCPA) or the California Privacy Rights Enforcement Act (CPRA).
California is one of three states that have comprehensive privacy laws, joined by Colorado and Virginia. Across the country, other states are looking to pass comprehensive privacy legislation or are creating task forces to study it. With more states paying attention to data privacy, it’s very likely that more state-wide laws will pass this year.
For companies that have a national presence, this means that they must have a clear understanding of how they need to address consumer privacy requirements and requests – both federally and in each state in which they operate and/or collect personal data – and the applicable exceptions. For example, the Colorado Privacy Act applies to nonprofit entities that meet specific requirements, but the CCPA, CPRA and the Virginia Consumer Data Protection Act exempt nonprofit organizations.
While there have been bills or drafts of legislation at the federal level, there hasn’t been much progress on a federal privacy law. Federal lawmakers understand that there is a need for legislation protecting consumers’ online data privacy, but due to complications related to the mid-term election and the ongoing COVID-19 pandemic, it is unlikely a federal bill will pass in 2022.
With all of this in mind, it can be easy for companies to feel intimidated by the overwhelming amount of data privacy information and what it all means in practice. However, these privacy regulations present an opportunity to connect with consumers and prospects better than ever before.
New processes to incorporate in the age of data privacy regulations
For most businesses, whether they realize it or not, handling personal information is a critical part of their day-to-day operations. To ensure they’re collecting and using data responsibly, they may need to re-think how they develop products and handle personal information. They can do so by:
- Incorporating privacy by design: By using Privacy Impact Assessments (which address the collection, handling, processing, security measures and storage of personal information for new products and projects), companies will have a better understanding of what privacy risks they may be facing. This allows them to put the proper controls in place to manage those risks, and it systematically builds data privacy into products, including proper data handling and security controls.
- Mapping data to the laws that impact the organization: As mentioned above, some state laws apply to certain businesses while exempting others. By knowing what types of personal information are collected, stored or processed, companies can have a better understanding of what laws apply to their organization and how to properly handle and protect personal information inside their business.
With the proper privacy processes and security tools incorporated into the business, companies will still be able to prospect effectively and attract the right audiences.
Digital targeting, especially targeting based on behavioral and online tracking, may be more difficult going forward, but there remain opportunities for companies to enrich customer and prospecting data and build relationships based on data sets (which can include both professional and consumer data) that are publicly available or collected with the proper permissions. This data remains usable only if companies and their partners and vendors have the proper privacy controls in place to make sure that it has been collected, and is being used and handled, in a compliant manner.
Re-thinking the data and technology stack
Privacy regulations will continue to evolve in the coming years. It will be critical for brands to have the proper tools to ensure they are not only collecting data according to privacy laws and regulations, but also using that data appropriately and with the proper security controls in place. That is what will allow them to continue doing business in a meaningful way, including continuing to generate real, warm leads from current customers and prospects.
Companies should evaluate data and technology partners to make sure they comply with current and rapidly changing privacy provisions, and, if they share information with partners, that those partners store any personal information in their environment with proper security controls in place.
In addition, if a company handles personal information, it is especially important to create a sustainable cybersecurity and privacy program. It is almost a business necessity for such companies to evaluate partners that can help them attain a compliance and/or security certification, such as Service Organization Control 2 (SOC 2) or ISO 27001, or, if the company handles protected health information (PHI) or payment card data, to use one of the platforms or tools that can help them become HIPAA or PCI DSS (Payment Card Industry Data Security Standard) compliant. This way, companies will still be able to personalize how they engage with customers, prospects and consumers and build better relationships, all while remaining compliant with data privacy and data protection regulations.
Data privacy laws present companies with an opportunity to get more honest and creative in how they reach their target audience. By understanding which privacy regulations impact the business, incorporating new privacy and security processes into operations, and leveraging tools that correctly handle data collection, data protection and a consumer’s access to their personal information, companies can rest assured that they’ll continue winning over customers and prospects in a compliant manner.