Author’s note: You’ve done all of your research, spent hours going through different options, seen an amazing demo, and are finally ready to purchase your customer data platform. But one last step looms…final approval. Make sure that you are armed with information you need to prove that your CDP is safe and secure. This is the first article in Bloomreach’s series “Don’t panic: A marketer’s guide to customer data security”. This series will help educate marketers on why security is so important right now and give them the proper tools to help ease the nerves of risk-averse colleagues who may not fully understand the benefits of a CDP.
Consumers have made one thing clear over the past few years: they want more transparency from companies and control over how their personal data is being collected and stored.
That means, among other things, that the time is now for marketers to begin keeping security in mind in all things they do.
But how do you just begin to “keep security in mind”? You must first have an understanding of what the laws in each part of the world specifically require.
Look no further! Here’s a quick look at the five modern standards for marketers to be aware of. This is important baseline knowledge to have as our “Don’t panic: A marketer’s guide to customer data security” series rolls on over the next few weeks.
But first, isn’t it somebody else’s job to be worried about security? Not anymore.
Why Should Marketers Invest in Knowledge About Best Practices?
Before diving into specific laws in countries across the world, it’s important to understand why this topic even matters for marketers.
For years, it was the responsibility of members of the IT team or another department focused only on security to deal with privacy issues.
Those days are over. It is now every employee’s job in some way, shape or form to be aware of security and data privacy concerns. This includes marketers.
Why is this the case? It comes down to meeting the demands of customers.
According to the RSA Data Privacy & Security Report, 73 percent of survey respondents are more aware of data breaches compared to five years prior to the survey. Additionally, 62 percent of all respondents said they would blame the company for a breach, not the hacker.
One more eye-opening statistic: 50 percent of respondents said they would be more likely to shop with a company if it could prove that it takes data protection seriously.
Statistics like that make it easy to see why it’s time for every employee at your company, including marketers, to be serious about security and data privacy.
Let’s also examine a hypothetical situation. A marketer has important individual goals that directly correlate to company success, including helping to raise customer lifetime value, click rates, and conversion rates. Making even the smallest of improvements in those areas helps the marketer’s business to generate more revenue.
But what if there is a stumble along the way? A data breach, or some type of incident in which private customer data leaks to a party that it shouldn’t? Or even an issue where your company is collecting private information without securing the proper permission to do so. Not only could your business be dealing with fines in the millions, it could also be forced to completely rebuild all of the customer trust it has built up over the years.
All of that hard work done to build a loyal customer base can be gone in the blink of an eye.
To ensure you have the knowledge to be in compliance with local regulations, let’s dive into our list of laws and regulations. While this list does not cover every law and regulation in the world, it will give you a good idea of general legal expectations and the surrounding topics of importance.
General Data Protection Regulation
GDPR Overview
The General Data Protection Regulation (GDPR) is the legal framework that created guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Since GDPR guidelines apply to individuals who live in the EU, the regulation applies to any ecommerce store that has customers who live there, regardless of where the website is based. In simple terms, this means that GDPR restrictions must be observed by all websites that attract European visitors, even if EU residents are not one of their target audience segments.
Specifically, GDPR requires that websites notify visitors of what information is being collected from them when they are browsing the site. Users must explicitly consent to having their information gathered. There are several other required data-related disclosures from businesses, including mandatory reporting of a data breach.
The regulation came into full effect in May 2018. Since then, many notable companies have received GDPR fines for being in violation of the law, including Google and H&M in 2020.
What It Means for Marketers
It is a good idea for marketers to become fully familiar with GDPR to help their businesses avoid fines and keep the trust of their customers.
If a marketer is using a customer data platform or preparing to, he or she has access to many customer data points and should be aware of GDPR-compliant data collection, storage and deletion methods. This will create peace of mind for customers and members of the in-house security team.
Tracking website cookie consent and newsletter opt-ins and opt-outs is now essential for marketers to stay in compliance with GDPR. If customers don’t want cookies tracked, don’t collect data from them. If consumers opt out of receiving your weekly email newsletter, stop sending it.
Being fully compliant with GDPR is a massive undertaking for a company. It requires full understanding and cooperation from every department, particularly marketing.
Additional resources: Bloomreach has compiled a list of GDPR use cases that will be valuable to marketers. Bloomreach also goes in-depth with GDPR resources for customers that can help in numerous different situations.
California Consumer Privacy Act
CCPA Overview
The California Consumer Privacy Act (CCPA) is enforced by the office of California’s Attorney General and helps to protect residents of California from the misuse of consumer data. It was the first law of its kind in the United States. CCPA applies to any business in the world that sells the personal information (PI) of more than 50,000 California residents annually or has an annual gross revenue exceeding $25 million.
The CCPA gives consumers the right to opt out of having their data sold to a third party vendor. It also gives customers the right to request disclosure of previously collected data and the right to request the deletion of collected data.
What It Means for Marketers
CCPA also encompasses one of marketing’s big buzzwords right now: cookies.
Cookies are considered unique identifiers and are a part of CCPA’s definition of personal information. This means that marketers must know what type (first party or third party) of cookies are being collected by their websites to ensure CCPA compliance.
If your business meets the CCPA compliance thresholds, you are liable for the personal information (including cookies) that you collect through your website from California residents. Ensure that you are in compliance with CCPA by understanding what type of cookies your website uses and therefore what personal information you are collecting from visitors.
Additional resources: Bloomreach’s Customer Data & Experience Platform is perfectly suited to handle CCPA legislation. This overview of CCPA also helps to clarify specific questions about the law.
California Privacy Rights Act
CPRA Overview
The California Privacy Rights Act (CPRA) enhances CCPA and will put even stricter privacy guidelines in play once it fully goes into effect on January 1, 2023. It helps to align standards more closely with GDPR, but there are some major differences as well.
One big one? The right to opt out of automated decision-making technology, including “profiling”. This is in connection with decisions related to a consumer’s work performance, economic situation, health, behavior, location, or other personal preferences. Consumers must now be given the option of “opting out” of sharing the above types of personal data with third parties.
Among other things, the CPRA also introduces “sensitive personal information” as a new regulated data set for marketers to be aware of. Sensitive PI includes race, ethnicity, religious beliefs, genetic data, and other similarly private data. The CPRA also increases the rights of children and requires a new opt-in consent to share the PI of customers under the age of 16 with a third party.
What It Means for Marketers
Marketers should be very aware of the specific rules surrounding CPRA opt-outs. Opt-out rights explicitly extend to the sharing of personal information used for marketing purposes.
This act also establishes a governing body responsible for enforcing the guidelines of the act. This governing body can levy fines against businesses for failing to comply. Monetary amounts of fines are similar to CCPA ($2,500-$7,500) but can be increased when the personal information of a minor is involved.
The bottom line here? If you know CCPA, it’s time to learn CPRA as well. Enforcement is right around the corner and there are new areas of consumer data that are protected by this new act.
Additional resource: Compare the CCPA and CPRA and learn how your company can stay in compliance. One more quick look at CPRA for good measure.
Lei Geral de Proteção de Dados
LGPD Overview
Brazil’s Lei Geral de Proteção de Dados (LGPD) came into effect in February 2020 and protects the personal data of Brazilian citizens. It is very similar to GDPR in many ways, but there are differences as well.
As with GDPR, the nation in which a business is based is irrelevant to this law. If you do business with a Brazilian citizen, you are required to follow it. LGPD also shares many of the specific data protection points of GDPR, including a consumer’s right to access personal data and the right to revoke consent.
One big difference is that there is no written deadline for reporting data breaches. While GDPR requires a report to be made within 72 hours of discovery, LGPD just requires communication to take place in a “reasonable time period”. This certainly leaves more wiggle room for damage control if there were ever an issue.
Another major difference is that LGPD has stricter guidelines regarding the appointment of a Data Protection Officer. The law is written so that any company that holds the personal data of a Brazilian citizen is required to employ a Data Protection Officer to protect that data.
What It Means for Marketers
An important thing for marketers to know about LGPD is that fines are less severe than GDPR fines. While GDPR fines can quickly climb to €20 million, fines generally top out around €11 million for LGPD. While that number is still one to be concerned about, these extreme fines are reserved for major companies that are in violation.
Generally speaking, if marketers understand GDPR, they have a good enough understanding of LGPD to safely operate. The differences between the two laws do not lie in areas that affect marketers every day.
Additional resources: Go in-depth on where these laws are the same and where they are different to ensure understanding. You can also get a standalone look at LGPD, independent of GDPR.
Consumer Privacy Protection Act
CPPA Overview
In late 2020, the Canadian federal government introduced the Consumer Privacy Protection Act (CPPA). The bill represents the first proposed changes to Canadian privacy laws in over 20 years. Specifically, the proposed law would strengthen protections for individuals from privacy loss due to failures and limitations of corporate consumer privacy measures.
CPPA would help bring Canada up to speed with the European Union and give it a comparable law to GDPR. This new proposed legislation clarifies the requirements of individuals consenting to sharing personal data and outlines specific information that a business must provide to customers before personal data can be collected.
Monetary fines of up to 25 million Canadian dollars would be in play for organizations that fail to be in compliance. That is on the extreme end, of course. In general, the CPPA would give customers more control over their personal data and more influence over how it is collected by companies.
What It Means for Marketers
The aligning of privacy laws in Canada and the European Union would be good news for marketers.
Why? Simplicity.
Passage of this law would allow privacy guidelines in Canada to be much more comparable to the EU. Currently, Canadian law is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), which is over 20 years old and provides very little in the way of modern privacy protection for Canadians.
The uniformity of Canadian and EU law would allow marketers to operate similarly with customers and businesses in each location.
Additional resource: Learn more about the CPPA and how it specifically aligns with GDPR.
Bloomreach Leads the Way with Security Compliance
With so many different laws and regulations across the world, it can be overwhelming trying to keep up.
Let the experts at Bloomreach ensure that your company is always compliant.
Bloomreach’s Customer Data & Experience Platform offers top-of-the-line security features. From day one, Bloomreach has made security and data privacy a priority, and these topics will always be of the utmost importance to our team.
Bloomreach was the world’s first GDPR-certified SaaS company, and we have always made it our highest priority to protect the data that we work with. Learn more about the security certificates that Bloomreach holds to see firsthand how seriously we take keeping our customers protected.
Want to learn more? Watch our short demo video to see how you can turn customer data into marketing magic without worrying about security and data privacy. If you’re interested in learning more about data privacy and security, Bloomreach Academy’s Privacy Fundamentals course is the deep dive you need to master the topic and become an expert.