With GDPR nearing its one-year mark, user data privacy has never been more present in the public consciousness. Despite some initial confusion over its reach and implementation, GDPR has paved the way for a new age of user choice, trust and empowerment. Consumers are now more aware and educated than ever about the value of their personal data. And while Europe has initially led the way, lawmakers worldwide are now following suit, with many planning on passing their own data privacy legislation.
For any business with International operations, or aspirations, this should be more than just a consideration. To ensure organizational practices are fair to the consumer, and legally compliant, you need to know if your user data policy is ready for the new wave of international privacy legislation. It’s time to think beyond GDPR.
The Global Impact
The implementation of GDPR is in the hands of individual governments, with some countries in the EU supplementing the law with its own regulations. Most recently, the Netherlands became the first European country to clearly outline fines. France’s top data-privacy agency CNIL, which recently fined Google nearly $57 million, even established a network of data protection officers to help provide advice for brands.
GDPR certainly brought to light many necessary data privacy issues, but privacy has been a hot topic globally long before May 25, 2018. Singapore ratified the Personal Data Protection Act (PDPA) back in 2012. While the language is similar to GDPR, Singapore’s PDPA operates on a more limited scope, and doesn’t require explicit consent from individuals. In 2016, Turkey debuted the Data Protection Law (DPL). Again, it’s largely similar to GDPR, but the Turkish DPL does have a couple of key differences: it doesn’t include the interests of third parties to the equation and doesn’t mention the erasure rights of data subjects. Under GDPR, citizens can request access to their data or ask to be forgotten.
One surprising stand out in privacy protection is China. Passed during the same year as GDPR, the Cybersecurity Law of China (CSL) takes data protection one step further with a particular focus on cybersecurity. CSL requires companies to set up a broad framework for cybersecurity, emphasizing the idea that data protection cannot be managed entirely without cybersecurity.
These are just a handful of the many data privacy laws that international businesses will need to bear in mind when reaching customers in these territories. But the situation in the world’s most developed economy has the potential to be even more complicated.
The US’ Reaction to Data Privacy
In the US, laws are beginning to unfold state by state. After California’s Consumer Privacy Act (CCPA), Vermont, Maryland, Washington and eight other US states are considering passing privacy and data protection laws of their own.
However, without a federal level regulation in place, US-based businesses are forced to comply with multiple (and sometimes contradicting) variations of state-led rules with no central agency to enforce it. This is extremely challenging, with different states having varying provisions regarding what categories and types of personal data warrant protection, which entities are covered, and even what constitutes a breach. It’s no wonder many claim they aren’t cut out to comply with the CCPA or GDPR-like guidelines.
In fact, many companies have retreated from the EU as a direct result of GDPR. Just recently, Oracle Data Cloud closed its AddThis audience data platform in the EU. In addition to collapsing companies, more data breaches are being reported (as required by GDPR). According to a recent survey, more than 59,000 data-breach notifications have been reported across the EU, with the walled gardens remaining the biggest violators.
The Future of Data Respect
Most consumers noticed the laws coming into effect. Brands they’d previously interacted with, began sending “opt-in” requests via email, and more explicit cookie notifications began popping up on websites and in-apps. This is training consumers to expect a certain level of transparency. Rightly so!
Many governing bodies understand that some personal data is needed to provide curated experiences, but they don’t fully comprehend the nuances of legitimate data use, why it’s important and how it can add value to consumers. This explains why the demand for federal regulation in the US has been so scattered.
There are ways companies can get ahead of it. Instead of banking on uncertainty and leaving their fate to lawmakers who don’t understand the inner workings of data collection, storage and protection, marketers brands and publisher must take a proactive stance.
So how do you do this? To prepare for compliance with any existing or upcoming privacy laws, wherever in the world you do business, it’s essential to have a Data Protection Officer in place who ensures compliance and stays ahead of impending regulations. Companies also need to gently, clearly and compassionately educate consumers on how their data is used. This means clearer, more explicit consent forms and privacy policies. One of the major reasons consent forms and terms of services are largely ignored is because they’re too long, complicated, ambiguous and filled with legal jargon.
At Ogury, we understand these challenges. We’ve been GDPR compliant since the day Ogury was founded in 2014, and remain rooted in our commitment to helping organizations move into a new era of data responsibility, globally.
It’s why we created Consent Manager, a registered IAB Consent Management Provider (CMP), to help streamline the consent process for brands and publishers, and to provide complete transparency and control to users. Providing every consumer with a clear and informed choice to share or withdraw their data places control firmly in their hands – and ensures compliance when it comes to data privacy laws. Which is exactly the way it should be.
Curious to learn more about user consent, or just want to check out what Consent Manager can do for you? Reach out to me directly at Evan@ogury.com
Evan Rutchik, CRO, USA