Marketers have been trying to tackle the challenge of customer data and privacy for years now. But just when they think they've caught up, yet another regulation is added to the mix. Consumer privacy legislation is being enacted on a state-by-state and country-by-country basis, and in some cases, businesses that fail to comply are being slapped with fines. How can brands stay ahead of the wave of ongoing legislation, new rules and compliance requirements?

In the News

Just this week, Google was in the news again for collecting customer data from users operating in incognito mode and Apple is under fire in France for not properly collecting consent. Earlier this month, Virginia passed its Consumer Data Protection Act (CDPA), granting consumers the rightto access, correct, delete and obtain a copy of personal data and to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data or profiling of the consumer.It's not slowing down and it's not going away. Marketers need to build a plan to mitigate risk and keep their organizations compliant.

Consumer Privacy Protection Legislation Origins

The consumer privacy laws that are in place today have their origin in telecom regulations. The government recognized that telephone companies, and telephone operators, had access to vast amounts of personal information. Rules such as The Telephone Consumer Protection Act and Data Transparency and Privacy Act were put into place to regulate telephone operator behavior, customer confidentiality and record keeping.

Once the internet rose to prominence, consumer privacy regulations had to be reconsidered due to the vast amount of data that was being collected by websites as part of the technological and analytical process of ecommerce. Personal information is regularly collected, used and shared between businesses. Much of this results as a result of ecommerce, while at other times, data is collected to provide customers with a more personalized, relevant experience.

"Consumer privacy protection laws and regulations are intended to protect the consumer, when corporate privacy measures fail to protect their personal information," said Rohinee Mohindroo, head of technology solutions at Genpact. "It has taken on exponential importance since the internet explosion in the 2000s, as awareness increased of the volume of information gathered by government and corporate entities."

Related Article: What Marketers Need to Know About Virginia's Consumer Data Protection Act

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is one of the strictest data privacy regulations on record. The European regulation, first passed in 2016 and enacted in May 2018, applies to all businesses that collect and process the personal data of EU citizens or residents. Businesses that do not comply with the GDPR can be fined up to €20 million (approximately $23 million) or 4% of their global revenue.

The GDPR states that before collecting data, businesses must document and store the consent from visitors to their website. This is generally not done, as it's impractical for brands to document consent from individual users who have not registered or logged into the website. To comply, most sites have implemented intrusive cookie consent/alert banners on their sites. The user then acknowledges the use of cookies, and has the opportunity to leave the site should they not consent. The GDPR, however, states that websites must allow access to users who refuse the cookies. Websites get by this by allowing visitors to use their web browser's settings to allow or deny the use of cookies, although denying the use of cookies may reduce the overall site functionality.

The GDPR also mandates that businesses must have at least one person fulfilling the role of a Data Protection Officer. It is this person's job to ensure compliance. Many marketers are using the GDPR as a general guideline for what they should be doing to cover compliance with all the other privacy regulations that are coming out. That might not be the best approach according to Kristina Podnar, a digital policy consultant, TEDx speaker, and author of "The Power of Digital Policy." In a recent CX Decoded podcast, Podnar said that marketers should focus on the core areas such as accountability and governance for data collection. By having consents and processing in place, they will be ahead of the game, she continued.

"So we understand what data we collected, what we're processing are, how we're doing it. Things like, you know, privacy by design, if we're starting a new campaign, and perhaps as a new website, and we're going to collect a new set of data, do we know where that data is going to go? Have we thought about privacy? Those are some of the fundamentals that we should be doing anyway. And they're common to the majority of laws and regulations out there," Podnar suggested.

In regards to compliance, Podnar said that brands should focus on 80% of the solution. "Because if we're 80% of the way there, we're far ahead of other organizations, and most regulators are going to be so happy to see that that chances are, we're going to get a warning, we're actually not going to get a fine. And that'll allow us time to get the last 20% of the way," she said.

Related Article: Why Incognito Browsing Data Is Not Really Incognito At All

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

The California Consumer Privacy Act (CCPA) was passed in 2018, and enacted in 2020. It gives explicit rights to California consumers regarding the collection and use of their personal data, including the right to know about the personal information a business collects about them, how it is used and shared, the right to delete the personal information that has been collected from them, the right to opt-out of the sale of their personal information, and the right to not be discriminated against for exercising their CCPA rights.

California passed Proposition 24, also known as the California Privacy Rights Act (CPRA), on Nov. 4, 2020. The CPRA adds tighter regulations, restricting the usage of consumers' sensitive personal data, as well as giving consumers additional control over their data, such as the right to correct their personal information, to know how long their data will be retained and the right to opt-out of geolocation.

And California is not alone in passing privacy legislation, others will soon be joining them. "California, Nevada, and Maine are some of the states that have already enacted legislation," said Podnar. "There are more than 28 states that are set to do so I believe."

The Personal Information Protection and Electronic Documents Act (PIPEDA)

Canada passed the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2015. Like the GDPA and CCPA, it provides Canadian consumers with more control over their personal data. Commercial businesses must obtain the consent of a consumer when they collect, use or disclose their personal information. Consumers have the right to access the personal data that has been collected by a business, and they have the right to challenge its accuracy. Additionally, their personal information can only be used for the purposes for which it was collected — if the business wants to use it for another purpose, they must obtain consent again. Finally, the consumer's personal information must be protected by appropriate safeguards.

With so many countries passing privacy information, it makes sense that the United States would pass federal data privacy legislation, especially as so many individual states are already doing so. "The US does seem to be one of the few major countries that doesn't have any kind of federal privacy regulations," said Podnar.

Learning Opportunities

The Stop Hacks and Improve Electronic Data (SHIELD) Security Act

New York governor Andrew Cuomo signed the SHIELD (Stop Hacks and Improve Electronic Data Security) Act into law in 2019. Civil penalties start at $5,000 and cap out at $250,000 for non-compliant businesses. Unlike other privacy regulations, the SHIELD Act also regulates the privacy of New York employees, meaning that businesses are required to ensure the security of their employees' private information, as well as that of their customers' private information.

The private information that is protected under the SHIELD includes Social Security numbers, driver's license numbers, credit or debit card numbers, financial account numbers, biometric information, and usernames or e-mail addresses that utilize a password that allows access to an online account.

The inclusion of biometric information in the protected data is indicative of what's to come, said Podnar. "We have a situation where in addition to sort of these comprehensive laws, we have regulations that are worth noting. For example, there's the Illinois biometric Information Privacy Act, the PIPA. What's interesting is that that's specific to biometrics. We're living in the timeframes of the pandemic. And there's a lot of organizations that are collecting biometric data, especially if you're going back to the office, they're checking your temperature, there are these other privacy apps that are floating out there. And we need to be aware of them as well as these comprehensive privacy laws."

The Protection of Personal Information (POPI) Act

South Africa's POPI Act was passed in 2013, and is essentially South Africa's version of the GDPR, though it predates the GDPR by several years. It mandates eight conditions for the lawful processing of personal information by businesses:

  1. Accountability
  2. Processing limitation
  3. Purpose specification
  4. Further processing limitation
  5. Information quality
  6. Openness
  7. Security safeguards
  8. Data subject participation

The POPI Act has strict rules for what type of data can be collected, how long it can be kept, and from whom it can be collected. It requires businesses to have a Privacy Policy, and also protects the information that is collected from other businesses and corporations. Though there are other differences from the GDPR, if a business is GDPR compliant, they are well on their way to also being POPI compliant.

Proposed Privacy Legislation

The Consumer Data Privacy Legislation website lists all of the current and proposed privacy regulations in the United States, but given the international nature of the internet, it's not just national or state legislation that needs to be considered. According to the United Nations Conference on Trade and Development, 128 out of 194 countries (66%) have put in place legislation to secure the protection of data and privacy, and another 10% have drafted legislation to do so.

"What you're really getting into is the Baskin Robbins of comprehensive privacy laws. And that's what really, I think, is throwing people for a loop. It's the fact that no two are quite alike. Which means serving up the ice cream to consumers is really hard, because you don't know if they need to have sprinkles on top, or if they wanted cookie crumble, or were they really looking just to have the plain vanilla ice cream served up. And that's really the challenge," said Podnar.

In October of 2020, China's Standing Committee of the National People's Congress published the initial draft of its Personal Information Protection Law (PIPL), which ended its opinion-seeking period on Nov. 19, 2020. Among the new additions to its current data privacy rules are steep fines, extraterritorial applicability, similar to the GDPR, a requirement for a data protection officer, and new rules that govern cross-border data transfers.

To keep up with all the ongoing legislation, brands need to focus on the basics. "Marketers can leverage the principle of simplification to keep up with the onslaught of new legislation," Mohindroo said, by doing these two things:

  1. Simplify data collection and storage, shifting compliance checks as close to the consumer as possible.
  2. Simplify workflows that handle data, automating and leaving an audit trail behind.

"With 2020 as the great reset, consumer context has permanently shifted from the physical to the digital world. With unprecedented online trends even more consumer data is available and exposed. The consequence of data loss can be dire at the consumer, corporate and government levels. We can expect to see federal and perhaps global data privacy laws and regulations," Mohindroo said.


There is a lot on the table when it comes to consumer data privacy, and more and more countries and states are enacting legislation that is designed to protect consumer's data and give them more control over their privacy. Brands must step up to the challlenge and hire data privacy professionals who will work as privacy advocates for both customers and employees, and work to ensure that data privacy is always part of the mission and values of the brand.