Your new year's resolution: Get serious about your consumer data privacy strategy

It’s been said that data is the new oil of the digital economy. In fact, the value of this fuel has risen so dramatically that the very rules governing its usage are now changing almost as rapidly.

Look no further than the coming tsunami of data privacy legislation. For the longest time, businesses could sell, interpret, or use data for profit without consulting the end user or communicating where the data was going. In many instances, this still happens today despite new laws and protections in place. Now, this deluge of data has increased consumers’ interest in understanding how businesses leverage their data, sparking regulators to take a closer look at ensuring the right protections are in place.

The significant piece of legislation addressing these concerns in recent years was of course the EU's GDPR, which took effect in May 2018 and had stringent compliance requirements. Many organizations today are still struggling to close their GDPR compliance gaps. And while the GDPR technically only provided rights to EU citizens’ data, it affected a large number of organizations here in the USA, as many American business also serve European-based customers.

Up next … CCPA

While there hasn’t been a federal law addressing data privacy, the new California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Considering that California would rank as the fifth largest economy in the world if it were a country, only the most hyper-local businesses in the U.S. are spared from CCPA penalties—effectively making it a national law. It guarantees Californian citizens, among other rights, the ability to:

• Access the personal information your business has collected.
• Know whether that info will be sold (and to which businesses).
• Say no to the sale of that information.
• Request the deletion of their personal information.

Since California's consumer privacy legislation passed into  law on June 28th of 2018, hopefully organizations are now far down the road to achieving CCPA compliance. But while California was first out of the gate to move forward with a U.S. privacy act of this kind, it’s only a matter of time before more states pass their own data privacy regulations. In fact, Nevada and New York are among a number of other states already working on their versions of CCPA.

Adapting and scaling to new laws and regulations

As state governments introduce these new laws, businesses are tasked with adjusting their data privacy approaches and adapting to changing regulations. This will require taking a deeper look at the technology systems already in place and evaluating whether it complies, or if new connected systems and processes are required. This is a lot easier said than done—customer data could be siloed across any number of disparate systems. Most data privacy laws require businesses to comply with customer requests to see their data in a short time period or risk stiff penalties. This makes it critical to have a unified technology strategy that can produce the information when a customer requests it, orchestrate deletion, maintain audit trails, and much more. Businesses must find strategies that are scalable and will streamline operations to comply with the CCPA guidelines, as well as the ability to flex with the permutations of future legislations that will follow.

The problem: There really is no form of “off-the-shelf” or "one-size-fits-all approach, as nearly every business’ data infrastructure, defined compliance process, and every interpretation of compliance, is ultimately different. Simply put, this requires not a system, but a system to manage your systems. This approach can help orchestrate the compliance processes while also being able to adapt to the evolving regulation landscape. Technologies such as case management, process management, automation, and audit capabilities should be key considerations to ensure a streamlined approach that gets customers the data they want while reducing the operational burden on the company.

Dealing with the data

There’s no telling whether consumers will allow businesses to continue using data as they have been—they hold all the cards now. That means organizations must consider different strategies for handling the data they have already collected, such as:

• Opting out of selling customer data altogether and delete any extraneous data that is not being used for their own records.
• Waiting to see which customers will exercise their data privacy rights; some consumers may consent to the business using their personal data so long as it enables targeted marketing.
• Anonymizing customers’ data to be compliant with CCPA, in addition to forthcoming regulations.

Regardless of how an organization chooses to manage consumer data, the CIO and the company’s data council plays an important role in determining the proper steps to take and best solution that addresses CCPA requirements and customer obligations while maximizing business performance.

Doing right by the customer AND the business

Failing to meet CCPA compliance will not only leave customers disappointed but could deeply impact your bottom line. The new regulation has strict rules, noting that if a business does not comply with consumer requests within 45 days, it can be fined as much as $7,500 per customer per violation. With each consumer eligible to exercise these rights twice a year, businesses stand to lose a lot of money if they don’t comply.

But the biggest blow to businesses might not be the fines but the loss of the data itself. If lots of customers opt to have their personal data erased, it can deeply impact marketing strategies and AI-based personalized engagement. After all, personal data is the fuel marketers need to personalize the customer experience. And with less data to work with, this could mean lower levels of personal customer service, which gives customers yet another reason to consider defecting to a competitor.

The key? Get it right. If you have your customers’ data, don’t waste their time with irrelevant marketing and messages. Focus on what is important to them, not just your business. And have strategies in place to hold back anything that does not meet this threshold. 

Stay one step ahead

Many businesses have set apart budget, time, and resources to address CCPA requirements and positioned themselves to be better prepared for additional state-specific regulations. But the true test will be your organization’s ability to put in place the bedrock of your “system to manage the systems” for this, and all future legislations. How an organization responds to the new regulation and also future-proofs itself against additional laws will dictate how well it will perform for years to come.