Nothing sucks the fun out of a room quite like the topic of data privacy.
At a recent industry conference, I asked a room full of (previously) jovial marketing professionals how they were preparing for GDPR and CCPA. The ensuing facial expressions ranged from confused to concerned, and the consensus from the strained conversation that followed was that “I think our legal is dealing with it.”
That mindset, however, is no longer an option. If the creation of GDPR, CCPA, and the many other data laws has made anything clear, it’s this: Data privacy regulation is here to stay. More, in my view, companies can’t just accept this reality — they have to embrace it. That means treating data privacy compliance like the asset that it is.
Understanding these laws and maintaining a robust privacy law compliance program leads to better business practices, mitigated liability, and long-term sustainability for any organization that’s in the business of collecting, sending, receiving, or otherwise handling data. Here’s why.
Data Regulation is the New Normal
For many Americans, the implementation of GDPR in May 2018 was their first introduction to the concept of data privacy regulation. Now, with the implementation of CCPA, comprehensive data privacy regulation is coming home.
To be clear, CCPA only pertains to interactions with California residents. However, for many American businesses, California represents a fundamentally important market, since it alone accounts for roughly 14% of U.S. GDP. While it is possible to comply with CCPA only with regard to interactions with California residents, California’s legislators knew that, in enacting CCPA, they would be starting a nationwide conversation about how government should regulate data. And that’s exactly what’s happened. Several other states, such as Nevada and Vermont, have enacted similar laws, while others (including New York) appear likely to do so in the near term.
While comprehensive federal privacy legislation is but a pipe dream in the current fragmented political climate, one has to believe that the need for a singular American data privacy law will push Congress to act, much in the way that the European Union enacted GDPR in furtherance of consistency across its member states in data privacy regulation. The rest of the world has also taken note, and Brazil, China, and other countries around the world are in the process of implementing comprehensive, GDPR-like privacy regulations. In other words, there’s no doubt that we’re firmly in a new era of data regulation.
Taking a Values-Based Approach to Data Privacy Compliance
But there is good news. While each of these laws has distinctions, some of which are extremely formalistic (CCPA’s “Do Not Sell My Data” button requirement, for example), each of these new data privacy laws has several fundamental pillars in common—security, transparency, and accountability.
At Button, our privacy law compliance program starts with a values-based approach derived from these principles. We employ industry-leading security standards to ensure that our customers’ data is kept safe. We clearly explain to our customers and their users how Button processes their data, for how long, and for what purposes. And Button is accountable to our customers and their end users, with the ability to send users their data or delete it upon request.
Button educates its employees on these principles, and helps our customers optimize their own data privacy compliance programs. Adherence to these principles gets us most of the way there, though there are still local requirements which need to be assessed on a jurisdictional basis (and we highly recommend consulting with local counsel to ensure full compliance). But fundamentally, each data privacy law is built on the same idea: Consumers are entitled to understand what companies are doing with their data, and companies are responsible to act with care as custodians of such data.
Here are some of the best practices we’ve employed:
- Carefully assessing which vendors we use to help provide our services and ensuring that they are GDPR/CCPA compliant.
- Mapping our data flow to educate our customers as to how data moves through our platform.
- Assessing and minimizing the scope of the data which we collect and the time for which it is stored, so that our platform only holds the data it needs for as long as it is needed.
- Working with our customers to ensure that our partnership is compliant with relevant privacy laws by providing deep insight into our security and privacy practices.
- Training each of our employees in all areas of the business in data privacy and information security principles and best practices on an annual basis.
- Drafting privacy notices which clearly describe the scope of the data which we collect and the purposes for which we use it, in plain English.
Data Privacy Compliance is an Asset, Not an Obligation
As we enter a new decade, businesses continue to depend more and more on data. Consumers, increasingly conscious of how businesses guard the privacy of their data and what they use it for, are demanding more transparency and accountability, and governments are responding by enacting comprehensive data privacy laws such as GDPR and CCPA.
Treating data privacy compliance like an asset, not a box to check, will ensure long-term sustainability for companies who depend on data. And the best way to do that is to build a global data privacy compliance program that’s based primarily on values, not acronyms. By doing this, complying with those individual laws becomes a much easier task, and a much more fulfilling one.