This past year has seen the acceleration of enforcement and fines levied against organizations for violations of privacy regulations across the globe. In August 2020 alone there were 21 GDPR-related fines levied by European Data Protection Authorities totaling close to half a million euros – this is just from public DPA enforcement. On the private action front, a 10 billion Euro class-action lawsuit was brought against Oracle and Salesforce! News of these fines and the resulting increase in public understanding about the data collection practices of organizations is causing organizations across the globe to sit up and start putting privacy-focused practices in place.
The landscape though can be confusing. Tags, cookies, data collection, data transfer, user consent – core definitions of these different items can vary from one law to the next and one country to another. As a result, it’s important to simplify the requirements and look at the actions necessary from a more practical point of view. By considering the primary global privacy regulations (GDPR, CCPA, ePrivacy) we can distill the requirements into some universal core principles relevant for marketing, analytics, and media professionals.
Principle 1 – Privacy by Design
This is the principle that underpins all other aspects of the regulations. The hope of any privacy legislation is that organizations will be more focused on the privacy rights of users when designing any of their practices. It’s time for the interests of the people to be held to a higher level of importance than the interests of the business.
What this means for you is that you need to have a good understanding of both the letter and spirit of relevant laws and regulations in the countries where you do business. The privacy interests of your users should be a central concern when conceiving of the data architecture and initiatives involving user information.
Ask yourself – if the user fully understood all the information collected about them, how it is used, and the result – would they support the practice without hesitation? This question should go into all strategic planning of analytics and marketing activities. To support this principle of privacy by design, the other core principles follow to provide explicit requirements organizations must follow.
Principle 2 – Transparency and Disclosure
Requirements for transparency and disclosure of data collection, processing, storage, etc. vary from regulation to regulation. However, each contains the need for users to be made aware of the practices of the collecting organization with respect to the user’s data. Users need to be notified both at the point of collection and then have further information available in an easy-to-access privacy notice.
To make sure that your organization is meeting relevant requirements you will need to:
- Identify the relevant privacy regulations based on the locations of your users
- Determine the requirements of those regulations (for a quick guide to requirements as outlined in the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) – check out our guide on Tag Inspector)
- Audit the data collection landscape to document all data collection and processing happening to determine what needs to be disclosed
- Take the action and put the transparency and disclosure notices live
Principle 3 – Access Rights
In addition to the need to let users know what data you are processing and how it is being used, users are required to have access to the personal information that you have about them. The specific requirements vary between CCPA, GDPR, and others but the core requirement is consistent: users have a right to request, and obtain, all personal information you (and your partners) have about them in an easily understood format.
What this means for your organization is that you must know where all of the personal information you are collecting from users is stored AND be able to access and provide that information to the users upon request.
In the analytics and marketing area of the business, this can be very difficult. Personal data is often collected and shared with multiple third-party platforms with whom an organization is working with to accomplish their business goals. It is imperative for your business to be able to map this flow of data and ensure that technical mechanisms are in place to retrieve the information and organize it to provide back to the user upon request.
Principle 4 – Refusal and Objection to Processing
This is likely the area that drives the most confusion within organizations. The requirements for the limitations of processing are quite different from law to law, ranging from a user’s right to opt-out of the sale of personal information (CCPA) to the requirement for a user to explicitly consent to the placement or accessing of cookies on a device (ePrivacy). Making matters more difficult, user choice extends to different definitions – “personal information” (CCPA), “personal data” (GDPR), any information stored or accessed from a user’s device (ePrivacy) – depending upon the law in scope!
- We’ll get into the nitty details of each in a future discussion, for now, understand that you will need to know:
- Any data falling into the scope of protected information that users have a right to either refuse the processing of or must grant consent before processing can take place
- Understand what platforms are collecting that data
- Identify technical mechanisms to provide and record user choice
- Identify technical mechanisms to allow for user choice to be respected
- Ensure that limitations on processing as indicated by the user are actually being respected
The intent of each privacy regulation across the globe is to grant users more control over their personal information and empower them in the determination of what/how it is used. Users must have an understanding of what data is collected and used (transparency and disclosure), the ability to view and transfer their information (access rights), and have a say in what gets collected and used (refusal and objection to processing). By adhering to these three requirements, and more broadly putting privacy as a crucial topic in all strategic discussions (privacy by design), an organization can ensure they are meeting both customer and regulatory expectations.
As always, please don’t hesitate to contact us
for help in this process. The team at Tag Inspector and our partners help global organizations daily with all of their Tag Governance needs. If you’re interested in taking the first step in your journey, start with a Tag Audit