Data Regulations in the Digital Age

Multiple security cameras record and collect data from two female consumers

In today’s digital age, customer data is arguably the most valuable resource to any business wishing to market to consumers. While these mass amounts of data give advertisers access to more information than ever before, the old adage still stands – with great power comes great responsibility.

It’s no secret consumers are becoming wise to the endless data collection methods used by big advertising platforms, and with this knowledge comes a cry for greater transparency and security. Perhaps you’ve heard acronyms like, “GDPR,” “CCPA,” and, “ePD” being thrown around lately, and maybe these make you a little nervous – for good reason. Considering the hefty fines that come with being in violation of any one of these, they can strike fear into the heart of any business owner.

What does this mean for you as a business advertising in the digital age? What are the differences between each piece of legislation? And do you need to be compliant with all of them? We’re here to demystify the world of data governance.

Relevant Data Privacy Regulations

You may ask yourself, “What data regulations do I need to worry about?” This is a valid question that all advertisers and business owners should be asking themselves, and the answer will vary for every business. Below we highlight need-to-know info for each of the current data privacy regulations.

General data privacy regulation

General Data Protection Regulation (GDPR)

What is it?
According to the GDPR Information Portal, GDPR “was designed…to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” (Source) In other words, GDPR sets out to clearly define what qualifies as personal data, address how data is collected and stored, and provide greater transparency to consumers.

When does it take effect?
GDPR laws have been actively enforced since May 2016.

Does it apply to my business?
Any company that does business with or markets to consumers in any member state of the EU is absolutely expected to be GDPR compliant. Still unsure? Consider a couple scenarios. Do you have forms on your website? Is there a possibility that an EU resident could fill out that form? Or perhaps you use cookies, pixels, or tags to collect consumer data on your site. Is there any chance an EU citizen could have their information gathered by that technology? If you nodded your head at any of these, then GDPR applies to you.

What do I need to know?
First of all, it’s important to understand what GDPR defines as “personal data.” Under GDPR, personal data is defined as, “any information that can be used to directly or indirectly identify the identity of a natural person.” This means even data collected under an alias could qualify as personal data if there’s a chance it could be linked to a real person.

Within GDPR legislation, there are six principles that must be adhered to when collecting and using personal data:

  1. Personal data should be collected for a specific and legitimate reason.
  2. Data collection should be limited to the data points that are absolutely necessary for the purpose of said data processing.
  3. Data should be processed in a legal and transparent manner.
  4. Data should be processed in a way that ensures proper security of personal data.
  5. Personal data shouldn’t be processed for longer than necessary for its designated purpose.
  6. All collected data should remain up-to-date and accurate at all times.

 

What does this mean for me?
Step one is identifying each platform on your site that’s collecting personal data (think Google Analytics, Tag Manager, third-party tracking pixels, CRM tags, etc.). Work through the following steps to determine if you’re in compliance with GDPR regulations:

  1. For each tracking technology on your site, ask yourself, “Is personal data being collected?”
  2. If the answer is yes, ask, “What is the legal basis being used for processing?”
    • If the basis is consent:
      • Is explicit consent given directly by users on my site?
      • Do I have record of this consent?
    • If the basis is legitimate interest:
      • What is the legitimate interest for processing this data?
      • Is data processing absolutely necessary for this interest?
      • Does the interest outweigh the risk to privacy?
      • Is all of this documented and accessible?

Once you have your legal basis figured out, you can ensure you have the necessary consent opt-ins and privacy policy verbiage on your website. It’s the law that data collection information be documented in your website’s privacy policy, and that this policy be readily available to consumers on your website (in other words, it can’t be a hidden page on your site). Privacy policy verbiage must be clear, intelligible, and in plain language.

Data being tracked on a desktop computer

California Consumer Privacy Act (CCPA)

What is it?
To date, CCPA is the most comprehensive privacy policy in the United States, and is arguably even stricter than its European counterpart. In its simplest form, it’s designed to give Californians more insight into and control over their personal data that’s being collected by companies.

When does it take effect?
CCPA will go into effect January 1, 2020.

Does it apply to my business?
If you do business in California, or if there’s a chance someone living in California might visit your website, then yes, this applies to you. A majority of businesses that have an online presence are going to need to be CCPA compliant, even if they aren’t located in California.

Businesses that are required to comply with CCPA as stated above must also meet one of the following thresholds:

  1. Annual gross revenues in excess of $25 million
  2. Annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
  3. Derives 50% or more of its annual revenues from selling consumers’ personal information

If your business meets these requirements, the law will be enforced towards any business that engages in any of the following:

  • Collecting a consumer’s personal information
  • Collecting personal information about a consumer
  • Selling a consumer’s personal data
  • Selling personal information about a consumer to a third party

What do I need to know?
While GDPR and CCPA are similar, they’re not interchangeable and if both laws apply to you, then you need to be compliant under both. The most notable difference between the two is the way personal data is defined. Under CCPA, personal data is defined as, “anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This is further broken down into the following categories:

  • Identifiers such as real name, alias(es), postal address, online identifier, IP address, email address, account name(s), social security number, driver’s license number, passport number, etc.
  • Internet activity information, including browsing history, search history, and any information regarding a consumer’s interaction with a website, application, or advertisement
  • Geolocation data
  • Inferences that can be made based on any information to create a profile about an actual person, including preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities, and aptitudes

What does this mean for me?
In simple terms, because the CCPA’s definition of personal information is so broad, almost any online marketing, advertising, or analytics platform implemented on your site will fall under the regulations of this new law. The primary thing you need to worry about is making sure you clearly state on your website what information is being collected, why you’re collecting it, and what you’re doing with the data. Last, but most importantly, you need to have a clear way for consumers to opt out of this data collection, as well as a means for consumers to request information that you’ve collected about them.

A woman browsing data on her smartphone

ePrivacy Directive (ePD)

What is it?
Before there was GDPR, there was the Privacy and Electronic Communications Directive, more fondly known as the ePrivacy Directive, or ePD. First implemented in 2002, the ePD is a directive enabled by the EU to tackle the issue of data protection and privacy in the digital age. The most important thing to note is the ePrivacy Directive is just that – a directive. It’s meant to be a guide for each member state of the EU by which they can create their own legislation.

When does it take effect?
The ePD has been in effect since 2002, with some major changes taking place in 2009 to keep it relevant.

Does it apply to my business?
While there are some subtle differences between the scope of the ePD and GDPR, generally, if the territorial scope of your website qualifies you for GDPR, then it does so as well for the ePD.

What do I need to know?
Again, there are many similarities between GDPR and the ePD, but the main differentiator between the two is the ePD’s specific verbiage about cookie consent. Interestingly enough, GDPR only mentions cookie regulations once in its 88 pages. In contrast, the ePD has explicit language regarding data collection via web cookies. Not only does it clearly define what can be considered a cookie, but it also stresses the need for clear disclosure to consumers regarding what information is being collected, as well as a specific method for consumers to opt out of collection.

As if these laws weren’t confusing enough, U.S.-based companies can fall under GDPR regulation, but not ePD regulation. Cookies are only one form of data collection (albeit a very popular and widely used method). There are methods other than cookies that can collect user data on a website. In short, if your website is collecting user data in a way that does not involve cookies, then you would need to be compliant under GDPR, but not the ePD. In most instances, websites are going to fall under both pieces of legislation because cookies are so widely used, but be aware that there are unique legal instances where your company could fall under one and not the other.

What does this mean for me?
This one is pretty simple – if you specifically use cookies to collect consumer data, your website needs to have the proper opt-in consent, privacy policy verbiage, and opt-out instructions.

What’s Next for Data Governance?

Of course, we wouldn’t be doing our due diligence if we weren’t looking towards the horizon at what lies ahead. Something to keep an eye on in Europe is the ePR (ePrivacy Regulation), which is the culmination of the metamorphosis the ePD has undergone in the last 15 years. Not only would it turn the ePD’s directives into concrete laws, but it’ll also update the laws to better incorporate the wide variety of technology we have available in this day and age (most notably in the realm of digital communications). Luckily, you have awhile to get your ducks in a row. ePR governance isn’t expected to take effect in the EU until sometime in 2021.

While the U.S. is lagging when it comes to privacy regulations, it’s only a matter of time before other states begin to fall in line with California, and it certainly isn’t out of the question to anticipate federal laws in the coming years. Either way, it’s more critical now than ever before for companies to be fully aware of what tracking methods are being used on their website, have proper documentation of what data each piece of technology is collecting, and have clear and concise language in their privacy policies regarding data collection and opt-out methods.

If all of this information is making your head swim, fear not. The team at iFocus is dedicated to staying on top of all these regulations and ensuring our clients are completely up-to-date with privacy law compliance. If you have questions or concerns regarding anything we mentioned here, don’t hesitate to reach out.

Sources:
LiveRamp
RampUp
Varonis
Mondaq
TagInspector