Shifting data protection regulations show why businesses must put privacy at their core
Like it or not, data protection will be one of the biggest issues organizations face in 2024. Knowing where to focus compliance efforts will be tricky, with more and more state-level privacy laws becoming effective in the US, creating a patchwork of differing regulations across the country.
Dealing with different frameworks in multiple jurisdictions isn’t the only problem that companies face. Consumers are increasingly aware of how their data is used and are demanding that organizations respect their privacy. This means businesses with poor privacy practices aren’t just risking legal trouble, but a loss of reputation and consumer trust as well.
Navigating the complex privacy landscape in the US
With four US states – California, Virginia, Colorado and Connecticut – now having enforceable privacy laws, the situation in the US is especially complex. There is a lot of overlap in each of these states’ laws, but the requirements aren’t the same.
Several other states – including Utah, Montana, Oregon, Texas, and Delaware – will have legislation coming into effect in the foreseeable future.
It may be tempting for organizations to wait and see how regulations develop or hold on for federal-level legislation; the American Data Privacy Protection Act (ADPPA) has been introduced to Congress, although it will take a while to see if it has a chance of making it through the legislative process and being passed into law.
Privacy notices are one area where organizations must pay close attention: the information they provide to consumers and the point at which that information is provided are the most important factors. Opt-out rights are also critical: there are variations between California’s legislation and that of Connecticut, Colorado and Virginia, meaning organizations must decide whether to adopt two different processes or create a single process that meets the strictest rules and satisfies all requirements.
Dealing with customers in the EU and learning from Europe
For organizations with customers in both the US and Europe, there’s recently been some good news: the EU has decided that “the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies.” In principle, this means user data from Europe can flow freely to the US without additional data protection safeguards.
(But this particular headache hasn’t completely gone away yet, as European privacy campaigners are planning to challenge the agreement in the European Courts of Justice. It’s certainly one to watch for US companies with EU customers.)
It isn’t just legislators pressuring businesses to take their data privacy responsibilities seriously. Public awareness of how data is collected, utilized and shared is on the rise, affecting consumer behavior accordingly.
Publicity around the EU General Data Protection Regulation (GDPR) played a very important role in educating consumers in the UK about data privacy, with 79% of UK consumers saying that transparency about how their data is collected and used is important to them. But they also recognize the value of their data, with 61% of UK consumers viewing their personal information as an asset that can be used to negotiate better prices and offers with companies.
And there is growing evidence that US consumers are increasingly privacy aware. According to DataGrail’s Privacy Trends 2023 report, DSRs – privacy requests submitted by data subjects to access or modify the data a company holds on them – grew by 72% year-on-year between 2021 and 2022. Of these requests, 52% came from people living in states without enacted privacy laws. In these cases, consumers are the ones pushing for better practices – not regulators.
Best practices for putting privacy at the heart of your organization
Organizations must ask themselves whether their processes are fit for purpose in an increasingly fragmented privacy landscape. Adapting business practices to comply with customer expectations and regulations needn’t come at the expense of performance. In fact, putting privacy first can drive innovation and creativity, giving organizations a competitive edge.
There are some key principles that can help businesses bake privacy into all their processes in a way that will satisfy legislators and customers:
Transparency is the critical factor. Organizations must be clear about why they are collecting data and what they plan to do with it. Consumers are aware of the worth of their data. If they see value in sharing this data, they will share it, provided they are certain their wishes are respected.
Organizations must also stop collecting data for the sake of it. Businesses should only collect, store and use the data they are permitted to collect to create a great customer experience. An innovative approach to using data that adds genuine value to customer relationships will be appreciated.
Finally, they must find ways of collaborating that don’t involve sharing customer data. Consumers who volunteer their data don’t want it to travel across dozens of other companies. Businesses must adopt a new approach to partnerships involving privacy-enhancing technologies (PETs), such as data clean rooms, that ensure the value of customer data can be realized without ever putting privacy at risk.
Takeaway: Adopt a privacy-first approach now
While sharing customer data indiscriminately throughout the advertising ecosystem might have been acceptable in the past, legislative requirements and customer expectations have evolved.
Finding new methods of achieving business objectives in ways that fully respect consumer privacy – and that enable innovative collaborations without sharing data with third parties – will allow organizations to unlock new levels of performance and prevent them from being derailed by future legislative changes.