Confused By New Data Privacy Laws? Start Here

Over the past few years, the California Privacy Rights Act (CPRA) and other new laws have changed how businesses can use data to personalize interactions with consumers. Maintaining CPRA compliance — and keeping an eye on upcoming data laws — will help you better connect with customers in ways that respect data privacy.  

Policymakers are increasingly stringent toward the use of third-party data, which is information that a consumer did not specifically provide to a given business (such as cross-website tracking and data purchased from brokers). Instead, businesses are encouraged — and in some cases required — to use first-party data, which is data collected in a direct interaction between a company and consumer. 

As the debate over a U.S. federal privacy law continues, individual U.S. states continue to make their own versions. California, Colorado, Connecticut, Utah, and Virginia have all passed comprehensive privacy legislation in recent years, and many of the obligations stemming from those laws will become effective this year. 

This trend is expected to accelerate, as other state legislatures — such as Florida, Illinois, and Texas — continue to introduce new data privacy bills. 

Whether you’re a marketer trying to personalize content, a data scientist looking for insights about your customer base, or a chief information officer hoping to link information across your systems, it’s worth understanding some of the common themes among the new wave of state privacy laws. 

While you should always consult with your legal counsel to determine how these laws may apply to your organization, here are a few things to consider for CPRA compliance and the future.

1. Know the restrictions on targeted advertising and third-party data

Each of the U.S. state privacy laws directly regulates tracking consumers across various websites and mobile apps for targeted advertising. For example, the CPRA adds a new category for sharing data, which applies when a business transfers personal information to any third party that uses the data for targeted advertising. Also, the new regulations provide further details on how organizations must offer opt-outs, including Global Privacy Controls (GPCs). 

Other state laws simply refer to targeted advertising directly. In all cases, organizations that engage in targeted advertising are required to disclose this to consumers and allow consumers to opt out of having their data processed for this purpose.

What you can do right now: If your organization uses targeted advertising channels to reach consumers, consider creating (or updating) an inventory of marketing and advertising tech stacks. If your legal counsel determines that any activities qualify as sharing or selling data, work with internal stakeholders to implement opt outs, including GPCs. If you haven’t started already, consider phasing out third-party data in favor of first-party sources.

2. New privacy rules mean greater control for consumers

If your organization operates in Europe, you may be familiar with the rights that the General Data Protection Regulation (GDPR) grants individuals over their data. This includes the right to be forgotten (delete my data), access and portability (give me a copy of my data), and restriction of processing (stop further use of my data). 

A new accord between the U.S. and European Union gives further protection to Europeans by offering them a legal avenue to object if they feel American intelligence agencies improperly collected their personal information. That deal, called the E.U.-U.S. Data Privacy Framework, was of particular interest to tech companies that move data from Europe to the U.S.

The California Consumer Privacy Act (CCPA) introduced equivalent rights for California residents in 2018. CPRA and the other state privacy laws further expand the number of U.S. residents to whom these rights apply.  

What you can do right now: If you’ve implemented an intake and response process for GDPR data subject requests, expand that program to applicable U.S. consumers. Work with your legal counsel to ensure implementation is complete, accurate, and timely.

3. Data minimization means rethinking your whole process

Data minimization is another concept from GDPR and other global privacy laws that has made its way into U.S. state privacy laws. At its core, data minimization requires organizations to collect and use data only to the extent necessary. 

With larger organizations using an average of 1,061 applications to run their businesses, it may be time to rethink whether every data point in every system really serves a business need. While getting your CPRA compliance plan in place, this is a great time to streamline how much data you collect and how that data is used.

What you can do right now: As a concept, data minimization can be distilled into a few simple rules: 

1. Don’t collect data if you don’t need it
2. Use it for the purpose for which you collected it
3. Don’t keep it around for longer than you need it

You can help build these principles into your data processing operations through awareness (such as training for relevant stakeholders) and organizational tools (data classification, usage, and retention policies).

4. Be mindful of how you work with partners’ data

The U.S. state privacy laws also require organizations to carefully manage how unaffiliated companies process data on their behalf. This is consistent with GDPR and other global privacy laws. While some U.S. laws use the term “service provider” for such companies, rather than GDPR’s “processor,” the theme is to prioritize trust when partnering with outside organizations. 

What you can do right now: Understand which service providers your organization uses and what each service provider does, and ensure that your contracts are up to date. Beyond the technical requirements, choose service providers that maintain high standards of trust and value consumer privacy. 

Can upgrading your technology help with CPRA compliance (and more)?

If you’re operating on outdated tech stacks, relying on a mishmash of applications that don’t connect, you may not see all of your data privacy vulnerabilities.

Investing in unified data technology that runs on real-time and first-party data can help you get closer to your customers while keeping data privacy front-and-center. Currently, many organizations struggle to answer basic questions about how and where personal data is being collected across their various applications. Additionally, companies may be unable to spot areas where collection is redundant or not tied to a clear use case. 

You may even be relying on third-party data in one application when you have a higher quality first-party equivalent in another. With a unified view of your customers, you can ensure that you’re using the most relevant and timely information to provide a more personalized experience.

Unified data technology can also help you address privacy obligations. For example, siloed applications represent consumer consent preferences differently, increasing the time and complexity it takes to respond to basic tasks, like honoring a new type of opt out. 

Unified data services allow you to represent consent consistently across applications through a standardized data model. Once this “common language” is established, you can take action on consent preferences holistically, saving time and reducing the potential for error. 

Increasing regulation and market changes have diminished the value of third-party data. Investing in a solution that makes the most of first-party data is important, as states develop their own data privacy rules. Doing so can help you build trust with your customers and help your company be ready for whatever comes next.