There are data security and privacy regulations at the state, federal, and international levels that impact marketing departments. There are regulations that impact the email, digital advertising, and texting practices that marketers rely on (like CAN-SPAM, TCPA, CASL that we always need to consider). The two big comprehensive ones we will address here are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). What do you need to know about them?
General Data Protection Regulation (GDPR)
GDPR is the EU’s landmark privacy legislation. GDPR created regulatory guidelines for any business, organization, or non-profit that interacts with an EU resident’s personal information in the course of providing goods or services to them.
One of the major highlights of GDPR is its definition of an individual’s rights over their personal data. GDPR gives EU residents significant controls over their information, including:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure/to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
GDPR also defines special categories of sensitive data, which include:
- Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
- Trade-union membership
- Genetic data, biometric data processed solely to identify a human being
- Health-related data
- Data concerning a person’s sex life or sexual orientation
In short, these rights give EU residents visibility into how their personal data is being collected, stored, and used by companies. They give them the right to consent to, object to, and delete their information.
California Consumer Privacy Act (CCPA)
There is currently no comprehensive federal law regulating data security and privacy in the way GDPR does; instead there is a patchwork of laws. CCPA, however, has taken the stage as the law for other states to emulate. CCPA is the largest state-level privacy regulation in the United States. It’s newer than the GDPR, having only become enforceable in July of 2020, but it has been a compliance target for businesses since it was first announced in 2018.
Unlike GDPR, CCPA only applies to California residents. More specifically, you need to keep CCPA compliance top-of-mind if you are a for-profit business that:
- Collects and controls California residents’ personal information AND
- Does business in California AND
- Meets at least one of the following:
  - Annual gross revenues in excess of $25 million
  - Annually receives or discloses the personal information of 50,000 or more California residents, households, or devices
  - Derives 50% or more of its annual revenue from selling California residents’ personal information
Under CCPA, consumers have a defined set of individual rights. These include:
- The right to notice
- The right to access personal data and information
- The right to know if their personal data is being shared (and with whom)
- The right to deletion
- The right to know whether their data is being sold and the option to opt-out of the sale
- The right to equal services and prices (non-discrimination for exercising these rights)
In the CCPA universe, your team has to be ready to uphold these individual rights by handling consumer requests. You’ve got to meet the deadlines for responses and verify the identity of the requester before acting on a request. And, critically, your privacy notices need to be up-to-date.
Fines and fees are part of CCPA, as is the potential for legal action either via the state attorney general or from individual lawsuits.