Changes in attitude to data protection laws in the US

2018 has been a watershed year for America in its attitude toward the gathering and use of its citizens’ data.  The European Union (EU) brought in GDPR to protect its citizens globally, yet the United States lacks a comprehensive federal data protection law. Now the state of California has taken the lead and we are starting to see shifts in attitudes towards data protection. Emilie Laugesen, Concep’s VP of Client Service in North America, explains what firms can do to protect their clients’ data.

Typically, the majority of American consumers place more trust in businesses and tend to be suspicious of the government.  In the EU, it’s the opposite. US citizens happily hand over personal data to tech companies - like Facebook and Google - but are reticent to share personal habits or social media information with federal bodies.  This is about to change and professional services firms need to respond.

Recent high-profile events have put the spotlight on the way big tech harvests and abuses the personal information of US citizens: Facebook CEO Mark Zuckerberg’s appearance before US Congress in April, a seminal moment; the misuse of US election data by Cambridge Analytica; and mass data breaches at high-profile American businesses, including Equifax and cab firm Uber.

Some US commentators see GDPR as an attack on the country's world-leading technology companies; however, the new EU legislation is already being viewed by others as an international standard. Microsoft has announced that it is extending the privacy rights cast into law by GDPR in Europe to all of its users worldwide. “As an EU regulation, GDPR creates important new rights specifically for individuals in the European Union. But we believe GDPR establishes important principles that are relevant globally,” states Julie Brill, Microsoft's corporate vice president and deputy general counsel.

Taking the US lead: the California Consumer Privacy Act 2018

Whilst there is no federal data protection law in the US, California has taken the lead and become the first US state to pass a data privacy law - the California Consumer Privacy Act of 2018. The new California legislation, similar in scope to Europe’s GDPR, will give new rights to the state's 40 million inhabitants. This includes the ability to view the data that companies hold on them and, critically, request that it be deleted and not sold to third parties.  Any company that holds data on more than 50,000 people is subject to the law. Each violation carries a hefty $7,500 fine. The law also protects consumer rights:

  1. Right of Access: The Consumer has the right to request businesses that collect personal information to disclose what specific pieces of personal information have been collected.
  2. Right of Deletion: The Consumer has the right to request that the business delete any personal information collected.
  3. Right to Know: Businesses must release information if the Consumer’s personal information was sold or disclosed, and to whom.
  4. Right to have Control: Consumers will have control over how their data is collected, used and sold.

Data protection law in the heart of tech land

Whilst the new law applies to California citizens only, its adoption is significant for a number of reasons. Firstly, in 2017, California became the world’s fifth largest economy with a GDP of $2.47 trillion. This makes it larger than the UK economy. Secondly, California is home to Silicon Valley and a major slice of the US technology industry. Hundreds of tech companies – such as Apple, Alphabet (Google), Intel, Facebook, Oracle, and Uber – are headquartered in the state. Having a data protection law in tech’s heartland has put it centre stage, and everyone is taking notice.

How are Concep’s Clients responding?

In the US, the majority of Concep clients are law firms who are working hard to ensure they meet data protection legal requirements. Emilie Laugesen, Concep’s VP of Client Services, has guided North American clients through the adoption of the Canadian Anti-Spam Law (CASL) and, more recently, GDPR, and reflects on what is happening:

“Currently, the focus is all around compliance. However, about 20% of our clients are forward thinking and want to be ahead of the game. They believe that the pressure to change isn’t just coming from the regulators – that it’s the public that are driving these changes. These firms are concerned they are doing the right thing, they want to know all the details and understand how to respond. It means moving from a compliance mind-set to understanding that data protection is the key to building trusted relationships – and at Concep we are showing them there are a few key changes they can make to get it right.”

What can marketing practitioners do to protect their clients’ data?

  1. Create two-way dialogue using feedback or surveys across a range of channels: email, website and social.
  2. Create consent opt-in workflows for new contacts. Ask your contacts what they want to receive, make it relevant and respect their preferences. Concep provides the option of a password protected preference center if clients want an additional layer of data protection.
  3. Ensure your privacy policy is up-to-date and linked on all email and survey templates. Explain clearly how you handle contact data and data requests. It should be specific to regional legislation.

As a final piece of advice, Laugesen suggests: “It’s important that marketers talk to their marketing technology vendors. You shouldn’t have to reinvent the wheel when it comes to creating workflows and practices that are compliant with data protection. You’ll also want to ask them about how they are protecting your clients’ data when it’s not in transit – or encryption at rest on your system. The key thing is to start having those conversations and finding out how they can help.”

Talk to Concep about how to ensure your marketing communications are protecting your clients’ data.