GDPR, CCPA, CPRA … it’s enough to make a marketer’s head spin. Three US states have enacted comprehensive consumer data privacy laws, and more are likely on the way.
And that’s not to mention the possibility of a US federal privacy law.
What does this mean? Responsible marketing. And what does that mean? Responsible consumer data collection. Responsible governance. And ensuring the ability to comply with requests from consumers and prospects who care about their data privacy.
Are you tech ready? Is your marketing staff trained to handle personal-data requests from your customers and prospects who trust your brand to be compliant? How do your customers stand to benefit from your practices around these new laws?
In this latest CX Decoded Podcast, we’ll help marketers cut through the data-privacy haze with CMSWire’s Rich Hein and Dom Nicastro, who are joined by digital policy and data privacy expert Kristina Podnar.
Rich Hein: Marketing was already getting tougher with regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and most recently the California Privacy Rights Act (CPRA). These privacy laws are all designed to protect individual users' rights over their data, and that's good. But the fractured way that the legislation is catching up to technology, I'm hearing it's making it very difficult for marketers to keep up.
Kristina Podnar: Absolutely. Honestly, we are so incredibly fragmented. And interestingly enough, the US remains one of the few major players in the global economy without a national privacy legislation, which is a little bit confounding. But it's also creating a lot of headaches for marketers. We definitely have some states that have enacted privacy laws, and the federal government has enacted industry-specific laws. Things like HIPAA for the health industry or Gramm-Leach-Bliley Act, or FCRA. But there is no single homogeneous enforcement set of data privacy guidelines that all US companies are required to follow.
And as you mentioned, there's a patchwork of international regulations. And all of that makes my head explode, and I'm actually working in this space. So I'm not really sure how marketers get up every day and make their coffee and pretend like it's all good.
Rich Hein: I know California, Nevada and Maine are some of the states that have already enacted legislation. And there are more than 28 states that are set to do so, I believe. And the US does seem to be one of the few major countries that doesn't have any kind of federal privacy regulations. The states are doing what they can but I feel like it's really making it difficult for marketers.
Dom, you and I were talking earlier. How many states are looking to enact new legislation, and are there any that jump out that you see as particularly different?
Dom Nicastro: We look at comprehensive consumer data privacy laws signed. My research tells me there are only three states that are doing that: California, Maine, Nevada. And on top of that, there are wannabes that are trying to push legislation through the Senate chambers. I mean, Rich, you mentioned 28 earlier. Is that roughly where you see things going, Kristina? Three dozen states that are actually trying to be the Californias, Maines and Nevadas of the world?
Kristina Podnar: No. Actually, some of those 28 that you mentioned are inactive or dead on arrival. Maryland, for example, would be one of those. They had the Online Consumer Protection Act, that one is not going forward.
But we do have quite a few states that are pushing ahead. I feel like we're at the horse racetrack. In the leading spots we have states like Hawaii, Connecticut, and you've got Minnesota. Minnesota is doing a really great job with its HF 36, which is basically signed and ready to roll almost. The same thing with New York and Washington state, which everybody's been talking about.
So I think the next ones that we're going to see coming out of the gate and things that marketers should be paying attention to are Minnesota, New York, Washington, Connecticut, Hawaii, North Dakota and Texas. Louisiana will be after that, probably next year. I wouldn't anticipate anything this year.
And then far behind them, kind of going back to square one on our Monopoly board, are the other states including Maryland, Illinois, Florida, Arizona. We're talking about comprehensive privacy laws. But amongst all of that, there's actually additional fragmentation. We have a situation where in addition to some of these comprehensive laws, we have regulations that are worth noting.
So, for example, there's the Illinois Biometric Information Privacy Act. That's specific to biometrics. Rich mentioned that we're living in the timeframe of the pandemic. And there are a lot of organizations that are collecting biometric data, especially if you're going back to the office and checking your temperature. There are other privacy acts that are floating out there, and we need to be aware of them as well as these comprehensive privacy laws.
So lots of moving pieces, lots of fragmentation, just in case you weren't having fun already.
Rich Hein: What do you think is going to throw a curveball for marketers?
Kristina Podnar: I think for most marketers, it's the variation between the individual privacy and the comprehensive law aspect. What you're really getting into is the Baskin Robbins of comprehensive privacy laws, and that's what really I think is throwing people for a loop. It's the fact that no two are quite alike, which means serving up the ice cream to consumers is really hard because you don't know if they need to have sprinkles on top, or if they wanted cookie crumble. Or are they really looking just to have the plain vanilla ice cream served up? And that's really the challenge.
Dom Nicastro: What's the least path of compliance resistance? What's your advice to those marketing teams when there are 30 states that are enacting privacy laws, and there's no federal privacy law in sight? Just follow CCPA, and then we'll be set?
Kristina Podnar: No. That's a problem. Think about this from a GDPR/CCPA perspective. When GDPR came about everybody was like, 'OK, we have to do GDPR.' And then they said, 'CCPA is California's version of GDPR, so we should be good.' They are similar in some ways, but they are different 32% of the time, and 32% of the time is just enough to be wrong a lot of the time.
It's the same thing from state to state. For example, even though Nevada has its own privacy law, and California has its own privacy law, there are slight distinctions that happen between states. In some instances it's going to be what rights you have in terms of your data. Is it that you can see the data? Is it the fact you can have the data? Is it that you can delete the data? Is it an opt-in, opt-out model, which is a really big thing that we're seeing different states discuss? California is an opt-out model where you basically don't have to opt-in like you do under GDPR. You can opt-out. You can't just assume they can take one state, and be OK.
I often equate this to an interesting and related area that's been around for a while: data breach laws in the United States. The fact that we couldn't all get our act together and have a federal level statute relegated us to really having 50 different flavors of ice cream. Each state has its own flavor when it comes to data breach. And if you haven't had a data breach yet, count your blessings because going through a data breach for any organization turns out to be a crazy exercise where not only do you have to inform certain attorneys general at certain times, but you have to worry about does it rise to a threshold.
Some states say when more than 600 people have had their data compromised, let me know. Others say 1,000. Some say there is no minimum threshold, you have to report it right away. Massachusetts has its own timeframe for reporting those data breaches versus California and other states.
And so, just as much fragmentation as we're seeing there, I think we're going to see that in the data privacy law space, unless the feds get together and say, well, let's cut out this nonsense, let's pretend we're a single country, and let's do this comprehensively.