By now a lot of businesses are coming to a rather daunting realization: complying with GDPR, CCPA, Virginia's new Consumer Data Protection Act and the host of emerging privacy regulations is more complex than they bargained for. Let's look at some of those complexities, along with what it takes to meet them.
More Than Simple Consent
Both GDPR and CCPA grant the people within their jurisdictions certain rights over their data. GDPR lays out eight distinct rights for "data subjects," including the right to be informed about how their data is used and how you, the data controller, are actually processing it, the right to erasure (the "right to be forgotten"), and rights relating to automated decision-making and profiling.
CCPA, meanwhile, grants California residents ("consumers" in the statute's terms) five distinct rights, including the right to know what data is collected about them, the right to access that data, the right to opt out of its sale, the right to have it deleted, and the right not to be discriminated against for exercising any of these.
If you collect consumer data in any manner, you must ensure that your company and its ecosystem of vendors are capable of honoring every one of the rights to which that user is entitled. And you must be able to prove that you have honored their wishes.
The Many Faces of Me
Let's say I decide to exercise my right to opt out of data collection or processing, a decision I inform you of via your website, which I access from my office computer. The challenge is that my computer may not be the only way I interact with your brand. I may engage with your brand via email, my mobile device, smart TV and home computer, and I have the expectation that you will honor all of my rights across all of these channels and devices.
To do that, you'll need an identity resolution mechanism that matches my email address, IP address and device IDs to me, and a way to ensure that my wishes are then honored across every touchpoint. Treat the identifiers with the care they deserve: an IP address is shared (office NAT, carrier-grade NAT) and changes over time, so it is a weak signal at best, and a wrong match cuts both ways. It can silently fail to apply my opt-out, or it can apply someone else's deletion request to my records and hand my data to the wrong person in an access response.
Your Vendor’s Keeper
In a very real sense, both GDPR and CCPA hold you accountable for the actions of your vendors.
Under GDPR, you are the "controller," and therefore responsible for your vendors, whenever you are the one who determines the "purposes and means" of processing the consumer data. In other words, if you opt to collect data on website visitors so that you can retarget them at a later date, then you are responsible for ensuring that every vendor who aids in that retargeting initiative is fully compliant with GDPR.
CCPA leverages "agency law," which essentially says that any agent who acts on your behalf is your responsibility. Like GDPR, CCPA requires you to ensure that all third parties and service providers you engage comply with a consumer's privacy preferences.
Orchestrating Consent is No Simple Matter
By now you’re beginning to realize that consent in all its forms is no simple matter. Pierre Garnier in Paris may be okay with you collecting his data for advertising purposes, but object to you applying an algorithm for profiling purposes. Meanwhile Bob Barton in Palo Alto was once okay with you collecting his data, but now he wants you to stop, and to delete the data you have on him.
To meet these expectations, you'll need to update your own internal systems and tell all of your vendors to do the same. Let's say you receive an email from Bob regarding his desire to be forgotten. Now you need to send his erasure instructions to your CRM vendor, say HubSpot. But in order to execute that request, HubSpot needs Bob's visitor ID, the proprietary ID HubSpot assigned to him, which isn't included in his email form.
Now consider that you'll face this dilemma with every vendor that may touch Bob's (or Pierre's) data in some way. And while you may implement Pierre's wishes right away, it may take your vendor a few days to figure out who he is in their system. Under GDPR that clock is yours, not the vendor's: you must act on the request without undue delay and in any event within one month (Article 12(3)), and you must communicate the erasure to each recipient of the data (Article 19). A delay may anger Pierre to the point that he reports it as a violation to the regulator.
Mastering Data Control
To thrive in this new era of privacy, you need mastery of data control. The broad reach of personal data across business and partner systems demands data control that is:
- Transmissible: You need a way to communicate privacy instructions to all of your vendors, keyed to the identifier each vendor actually uses for the person.
- Enforceable: It doesn't just broadcast the privacy instruction, it enforces it in the connected systems and records whether each one actually complied;
- Programmatic: It is automated in software, ideally via APIs, so that a request received on one channel is applied everywhere without a person re-keying it; and,
- Auditable: To satisfy third-party verification or regulatory requests, the full history of privacy instructions (who asked for what, when, and whether each system complied or failed) can be reconstructed for any point in time, not just the current state.
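What those four properties look like in code, as an added example (this is not Ketch's product, nor HubSpot's API): a small broker that resolves any channel's identifier to one subject, maps that subject to each vendor's proprietary ID, sends the instruction to every vendor, retries the vendors it could not reach once their ID becomes known, and keeps an append-only log from which the state at any moment can be recomputed. The vendor APIs are in-memory stand-ins, and every identifier, record and timestamp is constructed for the illustration.

```python
"""Propagating a subject's rights request to vendors, keyed by each vendor's own id,
with an append-only log for audit and lookback. Added example, not Ketch's product
code: vendor APIs are in-memory stand-ins and every identifier below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Instruction:
    subject: str        # our canonical subject id
    right: str          # "erase", "opt_out_sale", "opt_out_profiling", ...
    issued_at: datetime
    vendor: str
    vendor_id: Optional[str]  # the vendor's proprietary id for this subject, if known
    status: str         # "enforced" | "unresolved" | "failed"


class IdentityGraph:
    """Every email, IP or device id seen maps to one subject; each subject maps to the
    id each vendor uses for them."""
    def __init__(self):
        self._id_to_subject = {}
        self._vendor_ids = {}   # subject -> {vendor: vendor's own id}

    def link(self, subject, *identifiers):
        for ident in identifiers:
            self._id_to_subject[ident.lower()] = subject

    def link_vendor(self, subject, vendor, vendor_id):
        self._vendor_ids.setdefault(subject, {})[vendor] = vendor_id

    def resolve(self, identifier):
        return self._id_to_subject.get(identifier.lower())

    def vendor_id(self, subject, vendor):
        return self._vendor_ids.get(subject, {}).get(vendor)


class VendorAdapter:
    """Stand-in for one vendor's API; records are keyed by the vendor's own id."""
    def __init__(self, name, records):
        self.name, self.records = name, dict(records)

    def apply(self, right, vendor_id):
        rec = self.records.get(vendor_id)
        if rec is None:
            return False  # the vendor cannot find this person
        if right == "erase":
            del self.records[vendor_id]
        else:
            rec.setdefault("suppressions", set()).add(right)
        return True


class ConsentBroker:
    """Sends each instruction to every vendor, enforces it where the vendor id is
    known, and logs every attempt so the state at any moment can be recomputed."""
    def __init__(self, graph, vendors):
        self.graph, self.vendors, self.log = graph, {v.name: v for v in vendors}, []

    def _send(self, subject, right, vendor, now):
        vid = self.graph.vendor_id(subject, vendor)
        ok = vid is not None and self.vendors[vendor].apply(right, vid)
        status = "unresolved" if vid is None else ("enforced" if ok else "failed")
        self.log.append(Instruction(subject, right, now, vendor, vid, status))

    def submit(self, identifier, right, now):
        subject = self.graph.resolve(identifier)  # any channel's identifier, one subject
        if subject is None:
            raise LookupError(f"unknown identifier {identifier!r}")
        for vendor in self.vendors:
            self._send(subject, right, vendor, now)

    def outstanding(self):
        latest = {}
        for i in self.log:  # the last log entry per (subject, vendor, right) is current
            latest[(i.subject, i.vendor, i.right)] = i
        return [i for i in latest.values() if i.status != "enforced"]

    def retry(self, now):
        """Re-send whatever is not yet enforced, e.g. once a vendor id has been learned."""
        for i in self.outstanding():
            if self.graph.vendor_id(i.subject, i.vendor) is not None:
                self._send(i.subject, i.right, i.vendor, now)

    def state_at(self, subject, when):
        """Lookback: per vendor, the latest recorded status of each right as of `when`."""
        state = {}
        for i in self.log:
            if i.subject == subject and i.issued_at <= when:
                state.setdefault(i.vendor, {})[i.right] = i.status
        return state


def demo():
    graph = IdentityGraph()
    graph.link("sub-bob", "bob@example.com", "203.0.113.7", "device-ab12")
    graph.link_vendor("sub-bob", "crm", "crm-visitor-9f3")  # CRM id known, ads id not yet
    crm = VendorAdapter("crm", {"crm-visitor-9f3": {"email": "bob@example.com"}})
    ads = VendorAdapter("ads", {"ads-cookie-771": {"ip": "203.0.113.7"}})
    broker = ConsentBroker(graph, [crm, ads])
    t1, t2, t3 = (datetime(2021, 3, d, tzinfo=timezone.utc) for d in (1, 5, 8))
    broker.submit("device-ab12", "opt_out_sale", t1)  # opt-out arrives from a device id
    broker.submit("bob@example.com", "erase", t2)     # erasure request arrives by email
    pending = len(broker.outstanding())               # ads could not be reached yet
    graph.link_vendor("sub-bob", "ads", "ads-cookie-771")  # ads id finally mapped
    broker.retry(t3)
    return {"crm_records": crm.records, "ads_records": ads.records,
            "pending_before_retry": pending, "pending_after_retry": len(broker.outstanding()),
            "state_t2": broker.state_at("sub-bob", t2), "state_t3": broker.state_at("sub-bob", t3)}
```

Two design points carry over to a real deployment. The log is append-only and records failures as well as successes, so `state_at` can show a regulator that the ads platform still held Bob's data on March 5 and that it was erased on March 8; overwriting a status in place would lose exactly the evidence you need. And an instruction is never considered done just because it was sent: `outstanding` keeps reporting the vendor until that vendor confirms enforcement, which is what turns a broadcast into something you can actually prove.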
Fortunately, solutions like Ketch's can help you achieve that mastery of data control and ensure that all of your customers' privacy preferences are met across every system that touches their data. We're happy to discuss your approach with you.