What You Need to Know about Consumer Data Privacy Compliance

Steve Zisk | February 4, 2019

The security of personally identifiable information (PII) is top of mind as individuals become more concerned about their data and how it is being used. As industry and global privacy standards such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) continue to expand, organizations that aggregate, process, and store personally identifiable data must take ownership of protecting that data. This also creates an opportunity to deepen trust and relationships with individual data subjects by empowering them to state their preferences and consent, and by communicating transparently about what is collected and why.

GDPR, which regulates data protection in the European Union, took effect on May 25, 2018. CCPA was signed into law the following month; it takes effect on January 1, 2020, with enforcement by the California Attorney General beginning July 1, 2020. And on January 16, 2019, U.S. Senator Marco Rubio (R-FL) introduced the American Data Dissemination (ADD) Act, which would, if it becomes law, regulate consumer data privacy at the federal level. The CCPA itself provides that it does not apply where it is preempted by or in conflict with federal law.

Rubio, Chair of the US Senate Committee on Small Business and Entrepreneurship, said that the legislation “provides overdue transparency and accountability from the tech industry while ensuring that small businesses and start-ups are still able to innovate and compete in the digital marketplace.”

GDPR Unleashes Data Privacy Transparency

Google’s recent $57 million fine for GDPR violations (€50 million, imposed by the French regulator CNIL in January 2019), along with Facebook’s data privacy scandal, have pushed data privacy to the forefront. Brands face tremendous pressure to ensure compliance but are often stymied by the breadth of the requirements they need to follow.

A look at the homepage of almost any EU-based company reveals the measures companies must take to ensure GDPR compliance. They must show, for example, every partner that may have access to your device, cookies, and segment characteristics, and they must obtain a separate opt-in for each purpose. And as your device’s information is bought and sold, it has downstream GDPR implications for every EU company that touches your data. Even though a cookie or device identifier is not on its own a name or an address, GDPR treats it as personal data once it can be linked to a person: Recital 30 names cookie identifiers and IP addresses as “online identifiers” that can be associated with a natural person, and Recital 26 makes clear that pseudonymized data which could be attributed to someone by combining it with additional information a server holds is still personal data. A cookie/device combination associated with a person is therefore personally identifiable and falls under GDPR. This is one reason why EU web sites contain very specific, per-purpose consent controls, with a way to withdraw consent as easily as it was given. The old “by using this site you accept our use of cookies” banner just doesn’t comply with GDPR.

CCPA is similar in many ways to GDPR. Its four main consumer protections are the right to know what data is being collected, from which device, for what purpose, and with whom it is shared or sold; the right to opt out of the sale of personal information; the right to deletion (the right to be forgotten); and the right to non-discrimination, meaning a consumer who exercises these rights cannot be denied service or charged a different price for doing so.

Some US-based multinational companies sought to ensure GDPR compliance on a global level in anticipation of a U.S. national law such as the one Rubio introduced, taking steps to let every visitor to a website know how their device is being tracked, what data the company is collecting, and what it is doing with that data. In other words, heightened awareness of data privacy is introducing a lot of complexity to preference centers, and companies must know what to do with the data they are collecting, whether it is first-party, second-party, or third-party data.

Processing Privacy Data Points with a CDP

One of the values of a customer data platform (CDP) as it relates to data privacy is that a CDP ingests data from any source. The RedPoint Customer Data Platform can provide an integrated master data management (MDM) component that records the salient privacy data points for each choice, such as the source, the date, and the type of opt-in or opt-out (single, double, etc.). Because the MDM tracks changes to those selections over time rather than overwriting them, it becomes a GDPR-compliance vault for the data processor role. It provides heuristic and probabilistic matching; if data is not matched to a persona within a certain time period, the data simply lives in the data layer until it is safely deleted. Once matched, it is pushed to the MDM for first-party handling. The process for third-party data is similar, with a key exception being that the data to be matched usually consists of many small, detailed records. When a device is not matched to a persona, the device information is preserved so that marketing can target the device itself, or its behavior or site activity, until that information becomes stale.

Once the data matching and standard data handling cycles are complete, the beauty of MDM is that it dynamically updates the aggregates for a record. For the customer, GDPR and CCPA compliance then entails subscribing to the updated record and using the CDP as the marketing database. This fulfills a core requirement of the data privacy regulations: tracking the source, date, device, person information, changes over time, frequencies, channels, and opt-out status for every choice. The persistent view is so thorough that preference centers are often updated with choices that were captured on channels the preference center itself never saw. The CDP with MDM also handles audit activities related to data controller and data processor compliance with GDPR, and audit activities related to CCPA, whose right-to-know requests cover the 12 months preceding the request.

Meeting the Rights of the Consumer

The right of inquiry (the right of access under GDPR Article 15, and the right to know under CCPA) is another transparency-related provision in both laws, stipulating that a brand must satisfy a consumer’s inquiry about how their data is being collected, used, and shared, whether the inquiry is made by phone, letter, website, or email.

An MDM solution supports these types of inquiries because it tracks every opt-in and opt-out over time, at every interaction, and the data can easily be supplied back to the person who asks for it. This covers the portion of a request that a data processor can answer. A data controller (the company or brand itself) must satisfy the other parts of the request apart from the MDM capability, such as telling the customer how long backups are retained and whether the customer’s data is used in profiling analytics.

A key difference between the right of inquiry under GDPR and under CCPA is that CCPA requires less detail in the information provided; a company can inform the consumer of the categories to which they have opted in or out, such as “newsletter” or “website activities.” GDPR requires more specificity: the consumer is entitled to a copy of the personal data itself, the purposes of processing, the recipients, and any available information about where each data point came from and when it was collected.

A more difficult provision to satisfy is the right to erasure, commonly known as the right to be forgotten. GDPR Article 17 requires personal data to be erased without undue delay when a valid request is made; in practice, many EU companies satisfy this for transactional records they must keep for other reasons by irreversibly anonymizing them and disassociating them from the person’s record, since data that can no longer be tied to an individual is outside the scope of GDPR. Under CCPA, the data must be deleted. However, the right to erasure is not an absolute right; both laws carve out exceptions, such as data a business must retain to meet a legal obligation or to complete a transaction the consumer requested, and the applicable rules vary by scenario. RedPoint solutions support both the GDPR and CCPA provisions.
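To make the mechanics described above concrete (a consent history that records source, date, and opt-in type for every choice; the fuller GDPR-style versus lighter CCPA-style answer to an access request; and the delete-versus-anonymize paths for an erasure request), here is a small consent ledger in Python. It is example code added for this page, not RedPoint’s MDM or any product’s API; the ConsentLedger class and its methods are hypothetical names, and the purposes, sources, timestamps, and the subject “cust-42” are constructed sample data.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import secrets
from typing import Dict, List

# Illustrative consent ledger (hypothetical design, not RedPoint's MDM).


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # persona/customer key the choice was matched to
    purpose: str      # processing purpose or CCPA-style category, e.g. "newsletter"
    granted: bool     # True = opt-in, False = opt-out
    source: str       # channel the choice arrived on: "web_form", "email", ...
    method: str       # how it was confirmed: "single", "double", "unsubscribe_link"
    at: datetime      # UTC time the choice was recorded


def utc(iso: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MM' stamp as a UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


class ConsentLedger:
    """Append-only: a new choice never overwrites an old one, so history survives."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self.erasures: List[dict] = []  # evidence that erasure requests were honoured

    def record(self, ev: ConsentEvent) -> None:
        if ev.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(ev)

    def history(self, subject_id: str) -> List[ConsentEvent]:
        mine = (e for e in self._events if e.subject_id == subject_id)
        return sorted(mine, key=lambda e: e.at)  # stable sort keeps insertion order on ties

    def state_at(self, subject_id: str, when: datetime) -> Dict[str, bool]:
        """Effective opt-in/opt-out per purpose as of `when` (latest choice wins)."""
        state: Dict[str, bool] = {}
        for ev in self.history(subject_id):
            if ev.at <= when:
                state[ev.purpose] = ev.granted
        return state

    def may_contact(self, subject_id: str, purpose: str, when: datetime) -> bool:
        # Default deny: no recorded opt-in means no processing for that purpose.
        return self.state_at(subject_id, when).get(purpose, False)

    def access_report(self, subject_id: str, detailed: bool) -> dict:
        """detailed=True: every choice with source/method/time (fuller, GDPR-style).
        detailed=False: current status per category only (lighter, CCPA-style)."""
        current = self.state_at(subject_id, datetime.now(timezone.utc))
        report = {"subject_id": subject_id, "current": current}
        if detailed:
            report["history"] = [
                {**asdict(e), "at": e.at.isoformat()} for e in self.history(subject_id)
            ]
        return report

    def erase(self, subject_id: str, mode: str) -> int:
        """mode="delete": drop the subject's events outright.
        mode="anonymize": keep the events for aggregate reporting but re-key them to a
        random token generated here and never stored, so nothing links them back.
        Returns the number of events affected."""
        affected = sum(1 for e in self._events if e.subject_id == subject_id)
        if mode == "delete":
            self._events = [e for e in self._events if e.subject_id != subject_id]
        elif mode == "anonymize":
            token = "anon-" + secrets.token_hex(8)
            self._events = [
                ConsentEvent(token, e.purpose, e.granted, e.source, e.method, e.at)
                if e.subject_id == subject_id else e
                for e in self._events
            ]
        else:
            raise ValueError(f"unknown erasure mode: {mode}")
        # Log the erasure without re-identifying the subject.
        self.erasures.append({"mode": mode, "events": affected,
                              "at": datetime.now(timezone.utc).isoformat()})
        return affected


def build_sample_ledger() -> ConsentLedger:
    """Constructed history for one subject: double opt-in, a cookie consent, then an unsubscribe."""
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("cust-42", "newsletter", True, "web_form", "double", utc("2018-06-01T10:00")))
    ledger.record(ConsentEvent("cust-42", "website_analytics", True, "cookie_banner", "single", utc("2018-06-01T10:00")))
    ledger.record(ConsentEvent("cust-42", "newsletter", False, "email", "unsubscribe_link", utc("2019-01-15T08:30")))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.access_report("cust-42", detailed=True))
    print("anonymized events:", ledger.erase("cust-42", "anonymize"))
    print("still linkable:", ledger.history("cust-42"))
```

Two design points matter here. The ledger is append-only, so an access request can be answered with the full sequence of choices and a point-in-time query (`state_at`) shows what consent looked like on the date a campaign actually ran, which is what an auditor asks for. And the anonymize path discards the mapping to the new token rather than hashing the original identifier: a salted hash whose salt is kept is pseudonymization, which remains personal data under Recital 26, not anonymization.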

We wrote about the strategic importance of data in a recent blog post, with a focus on data quality and its importance for both marketers and IT in delivering new insights. The introduction of data privacy regulations underscores the importance of data quality for another reason: you cannot reliably answer a customer’s access or erasure request, or satisfy current or future state and federal regulations, if you cannot match the request to every record you hold about that person. More information on how RedPoint supports data privacy rules can be found at our solution center and in a data management solution brief with more details on MDM.


Steve Zisk

Steve Zisk is a seasoned technology professional with more than 35 years of expertise in software engineering and product marketing. As senior product marketing manager at RedPoint Global, Steve is tasked with developing messaging and marketplace positioning for RedPoint’s customer engagement platforms. Connect with Steve on LinkedIn and Twitter.