After the one-year anniversary of GDPR, its is estimated that half of U.S. businesses are still failing to follow the data privacy rules. Furthermore, with California’s CCPA just around the corner, and several other U.S. states looking to follow California’s lead, it’s now even more important for businesses to be vigilant about data governance.
To assess what businesses need to do to maintain trust and to meet compliance expectations, Adam Corey, CMO of Tealium looks at areas of improvement that marketers in particular should be prioritizing.
Digital Journal: One year after GDPR, what should businesses be focusing on?
Adam Corey: One year after GDPR, businesses should reevaluate how they’re maintaining compliance and managing sensitive customer data. While market leaders have adopted a unified approach to data governance to improve marketing relevance and timeliness, several companies are still stuck managing data inside departmental or technological silos that create risk and uneven experiences. In fact, we recently released a report in partnership with Forrester and found compliance is a top priority for half (49 percent) of organizations in 2019, yet nearly 60 percent say their current data integration strategy isn’t able to support this priority.
To address this, it’s critical for businesses to first have a solid data governance plan in place. This requires them to build a strong council of data stewards from all departments that touch data. The purpose of this council is to establish a clear set of policies and procedures for collecting, managing and processing data, and ensuring alignment and proper execution across the entire organization.
A unified data management strategy sits at the core of every successful data governance plan, but businesses should also look to integrate technology that helps maintain GDPR compliance and build consumer trust. They should consider tools that provide them visibility into the collection and usage of customer data, while also allowing consumers to manage their data preferences. This allows businesses to better see and manage their usage of data to improve performance and mitigate risk.
Another thing businesses should focus on shifting their mindset on is why they are taking a serious approach to GDPR compliance and data governance. Of course, both are critical from a monetary perspective. Major infractions, like not getting explicit consent from an EU citizen to collect and transfer their data, may result in a fine of up to €20 million or four percent of global turnover (whichever is greater). But another penalty businesses should be more tuned into is the loss of consumer trust. Today, establishing brand trust is almost as important as getting the consumer to buy. Compliance isn’t just about avoiding financial repercussions, but also avoiding the arguably costlier impact of diminishing consumers’ trust and lifetime values with the brand.
DJ: What are the main differences between Europe’s GDPR and the United States’ California Consumer Privacy Act?
Corey: Although the California Consumer Privacy Act (CCPA) is modeled after GDPR, there are three main differences between the two laws:
The types of businesses that must comply: GDPR applies to all businesses that process data of EU citizens, regardless of their size or location. The CCPA only applies to California-based businesses with revenue above $25 million USD or those whose primary business is the sale of personal information.
Financial penalties: GDPR penalties can reach up to €20 million or four percent of the company’s global turnover. CCPA fines are applied per violation (up to a maximum of $7,500 USD per violation). The violation is only considered at the point of breach, whereas GDPR can apply a sanction to a company that appears to be at risk of a breach or not behaving responsibly. In addition, CCPA allows for the consumer to sue the business for violation.
Consumers’ rights: GDPR entails all data related to the EU consumer, but CCPA considers both the consumer and household as identifiable entities. In some cases, it only considers data provided by the consumer as opposed to data sourced or purchased from third parties.
DJ: Do you think most U.S. consumers are aware of how their data is being collected and used?
Corey: Between GDPR, CCPA and highly publicized data breaches by big-name companies, U.S. consumers are aware of the data privacy landscape more than ever before. In fact, 71 percent of consumers say they are concerned about how marketers collect and utilize their personal data. This highlights that businesses must make the data-value exchange clearer to provide more transparency and build consumer trust about how that data is being used.
DJ: Do you anticipate that other U.S. states will create their own privacy legislation in the near future?
Corey: While California was the first U.S. state to pass data privacy legislation, there are currently 10 other states looking to follow suit. Of the ten states, six follow the full model established in the CCPA, and two pertain to only certain issues addressed by the CCPA. Washington is still debating a privacy bill modeled after the GDPR, and the tenth state bill, New Jersey, has not moved out of committee. And with data privacy a hot topic for the 2020 presidential election, we can expect to see more conversations happen around the topic in the coming months.