There’s been a lot of buzz about privacy over the last few weeks. Research by Gartner shows that the costs of compliance have more than doubled in the past year. Some high-profile cases were launched this week, and there have been some really big fines. It’s becoming more and more clear that privacy is going to have a huge impact on businesses this decade, so companies need to move to a more privacy-first strategy. Let’s dig in.
Sephora was the first company to be hit big by the CCPA
In a decision that sent shockwaves through the tech industry, Sephora was fined $1.2 million for selling customer data without gaining consent from users. The California Consumer Privacy Act (CCPA) requires companies to get consent before selling personal information. This was the first time anyone had been fined under the law, setting an important precedent for privacy in California and beyond.
It’s likely we will see a few more of these over the coming weeks and months.
Class action lawsuit against Oracle Bluekai
A class action lawsuit has been filed against data broker Oracle Bluekai for allegedly creating BILLIONS of profiles about people without their knowledge, consent or control.
The case was launched by a group of both domestic and international plaintiffs and alleges that the data broker “created at least five billion profiles on consumers” without their knowledge or consent. The plaintiffs argue that this is a violation of the US Constitution’s 4th Amendment rights to privacy.
They also claim that because of Bluekai’s business model they are unable to opt-out from being tracked by companies using the service and have no say over what information is collected about them or how it is used.
What does it mean?
- Maintaining compliance with today’s local laws is not enough. You need to look across the globe and into the future.
- Companies will need consent from users before collecting their information, which means you’ll need to update your terms and conditions with new language about how you use people’s personal information.
- For marketing teams, this means that all agreements and technology need to be examined carefully to determine what data could be shared. According to Forrester analyst Steph Liu, brands are not very good at this today. Specifically, every vendor needs a service provider agreement and every company needs an inventory of data collected.
Over 6 years of GDPR, and the impact is huge
GDPR has been in effect for six years now, so it’s time to take stock of what’s happened. What impact has GDPR had on privacy? How have companies responded to the new rules?
At the time, it was a huge, unexpected hassle to get into compliance in 2018. I remember it clearly. And now, the legislation has changed the way we view and protect data in a way that is pretty unprecedented. I don’t think a social change has had more impact in such a short time in history. Think about it: in 4 short years, we went from ~10% of the world having data protection laws to over 70% next year!
While we can’t say whether these pre-existing policies would have existed without GDPR (since we don’t know), one thing is clear: this legislation has been huge in raising awareness about privacy issues and creating a set of rules around how personal data should be handled by organizations across Europe and beyond.
Instead of focusing on compliance, companies need to put privacy first
Consumer data protection is a good thing. We are all consumers, and we all benefit from a world where data is valued and protected for the resource it is. Our data can be used for evil (see: elections, Cambridge Analytica, etc.) or good (more personalized web experiences, medical care, and mental health). It is powerful and should be treated that way.
Companies need to put privacy first, not compliance.
Our world is becoming increasingly digital and data-driven, but we’re still not sure how this will affect us in the long run. Nevertheless, what we do know is that it’s time for companies to take action and start thinking about privacy first. Showing respect for user privacy shouldn’t be a legal obligation—it should be common sense!