Watch out America, GDPR is coming for you
Back in 2018, I watched (in mild horror) as UK and European businesses scrambled at the last second to become compliant with the General Data Protection Regulation (GDPR). The law came into force on May 25 – a day I still refer to as the GDPRpocalypse. I saw recipient inboxes inundated with last-minute privacy policy update emails – the team and I spent weeks and months working with brands to help them get back out of the spam folder after the reputation damage – and overworked developers battling with bugs in last-minute spit-and-duct-tape integrations.
What’s playing out across the Atlantic in the USA is more of a slow wave than a sudden tsunami, but US businesses are still at risk of being swept away if they leave it to the last minute to scramble the flood defenses.
One of the benefits of Dotdigital is we’ve been here before – we’re set up for these legislative changes as a trusted platform that knows how to navigate the waters this type of challenge brings. As you’re reading about what’s to come, remember we’ll keep you updated – we’ve got your back. We’re not your lawyers though – so remember to check with them for any legal advice.
State legislation: the story so far
California blazed a trail in the USA when the CCPA (California Consumer Privacy Act) went into effect on January 1 2020, granting Californian residents 6 rights that will feel pretty familiar to those of us fluent in GDPR: the right to know what data a company holds on them, the right to request deletion of that data, the right to opt out of the sale of that data, a ban on selling the personal data of consumers under 16 years of age without prior authorization, the right not to be discriminated against for exercising any of these rights, and the right to privately initiate action if their personal data is breached.
Jan 1 2023 was a busy day. The CPRA (California Privacy Rights Act) amendments to the CCPA came into force, granting a further two rights: the right to correct inaccurate data and the right to limit what companies can do with, and how much they share, sensitive data about Californians. The Virginian VCDPA (Virginia Consumer Data Protection Act) also went into effect for Virginian businesses that meet the qualifying criteria.
Just this July, Colorado and my own adopted home state of Connecticut joined the GDPaRty with the CPA (Colorado Privacy Act) and CTDPA (Connecticut Data Privacy Act) respectively coming into effect at the beginning of the month. Colorado has gone further than other states so far by adding the right of portability: to be able to download and move your personal data to another platform.
US EU Adequacy Decision
On July 10 2023, the US EU Adequacy Decision was passed. This means that personal data can flow between the EU and US businesses that comply with a detailed set of privacy obligations – the EU-U.S. Data Privacy Framework.
This safeguards personal data about EU citizens from access by US government intelligence agencies (beyond what is necessary and proportionate for national security). It also preserves rights established by GDPR, such as the right to identify the data controller and to know how and why data is being collected and processed, and the right to access, correct, and have personal data deleted. Finally, it establishes access to free dispute resolution mechanisms and arbitration if data is handled wrongly.
Where this is going
Utah’s UCPA (Utah Consumer Privacy Act) bill has been signed and is likely to become effective for qualifying businesses at the end of 2023. There are at least 5 more states which are due to have privacy laws come into effect by 2026. And while lobbyists, lawyers, and the FTC are skeptical about federal legislation passing, the writing is on the wall: state by state, more privacy laws are coming.
Targeted advertising is being, well, targeted by existing and upcoming legislation as consumers become increasingly aware of how they’re being tracked and of the value of their personal data. Lawmakers are looking to crack down on the sale and sharing of personal data, including the transfer of data to third parties for monetary or other valuable consideration. The concept of a Universal Opt Out Mechanism (UOOM) – whereby if someone opts out on one device or browser, they’re opted out on all devices and browsers – is well within the realm of possibility.
There’s also increased talk of addressing “dark patterns” within privacy legislation or in separate legislation. A dark pattern is any technique that tries to manipulate people into doing something they would not otherwise have done. Examples include:
- trick-or-trap subscription programs, also known as negative option subscriptions, which are free or cheap when you enroll but charge a fee or raise the price if you don’t cancel
- disguising advertising as editorial content
- junk or hidden fees
- manipulating people into sharing unnecessary data, e.g. misleading them into selecting the highest data-sharing option
- uneven weighting of options; offering “accept” or “reject” is evenly weighted, whereas offering “accept” or “manage preferences” is not
- creating a false sense of urgency; fake countdown timers that never hit 00:00, and those products where 99 other people always seem to have this item in their cart
What this means for US businesses
While the specifics of legislation vary, the themes are the same – and it’s reasonable to expect future legislation to be similar.
US businesses are going to need to be able to provide data subjects (people they hold personal data about) with ways to:
- find out what data has been collected
- find out why their data is being collected and processed
- obtain a copy of their data
- amend the data held
- restrict or opt out of the selling or sharing of some or all of their personal data with third parties
- restrict or opt out of the use of some or all of their personal data for profiling or targeted advertising
- request processing of their data be stopped
- port their data to another platform
- request the data held to be deleted
Consumers will be able to initiate action against businesses if their personal data is breached or if they are prevented from exercising the rights above.
US businesses that have a robust opt-in process and where records are kept of explicit consent for data collection and processing are going to be in a much better starting place. In addition to keeping opt-in data, brands that understand what data they collect and process and why, who document their data flows, and who use integrated platforms are going to be better able to fulfill the rights of their contacts and data subjects, as well as more easily implement a UOOM for targeted advertising.
Dark patterns also need to be on your radar; just because something is a common technique in your industry or vertical doesn’t mean that it’s not a dark pattern, and you could be penalized.
How to prepare for the new changes
I love hanging out with our fabulous legal and privacy teams here at Dotdigital, but I understand that talking to your lawyers or DPO might not be your idea of fun. Unfortunately, it’s going to be needed so you can stay on top of the rapidly changing privacy landscape.
If you want to avoid the legal conversations being long ones, then you can always decide to implement best practices when it comes to personal data. Best practices almost always trump the legal minimum. So rather than arduous legalese on what you might be able to get away with, make it a quick conversation where you ask for a review of your best practice plans or implementation to make sure all the boxes are ticked.
Here’s some homework to do before you go and talk to legal:
- get familiar with GDPR; the US legislation looks similar, and having an understanding of some of the terminology and framework will help you understand the new laws. We have some great resources in our GDPR advice center to help you get started.
- understand what personal data you are collecting/processing – and why. Ask whether the collection and processing are necessary, ensure you have consent, and map out your data flows to include where storage and processing happen.
- talk to your developers and your vendors’ solutions architects to identify opportunities for integration to improve the flow and oversight of your data.
- identify any marketing or advertising strategies that include manipulative techniques that could be identified as a dark pattern, and start investigating best practice alternatives.
Dotdigital can help
We’ve seen the writing on the wall and, having held our UK and European customers’ hands a few years back, we’re in a great place to help our US customers adapt to the changing landscape. We’re ISO 27001 certified in Information Security Management Systems, meaning that you can trust us to do our part when it comes to managing your data safely and securely. Our trust center has more details, as well as contact information for our Security Team who are happy to answer questions.
Dotdigital customers can also leverage our CXDP superpowers, using our many integrations to connect all your customer data. Our solutions consultants are always happy to discuss your needs and how the Dotdigital platform can help you manage your data effectively. Reach out to your CSM or Dotdigital Support so they can put you in touch.
And, as always, our Deliverability Team is here to help advise you on best practices to stay ahead of the legal curve. Just drop an email to support@dotdigital.com and we’ll get back to you.