GDPR is the Beginning, Not the End

In case any marketers and business decision-makers were thinking the work to become compliant with the GDPR earlier this year was now complete, and they could put their efforts back into lead generation programs — not so fast. The reality is these new rules are a symptom of the maturing of the digital, global marketplace. One where security, privacy, more open competition and stronger codes of ethics are now catching up with the advantages some companies have been able to exploit based on technology, scale, market leadership and geography/ territory independence. And that maturing process is not finished.

For example, later this year we can expect Europe to take another step forward with the introduction of a tougher set of ePrivacy Regulations — special new laws that expand on the scope of previous legislation and augment the new baselines the GDPR established around the processing of personal data and the protection of privacy. North American and other non-European companies have had to determine where they stand with respect to the GDPR overall, and they will have to repeat those exercises in terms of the pending ePrivacy Regulations.

But don’t be tempted to think this is just a European trend. Over strong objections by many tech companies that rely on surreptitious data collection for their livelihood, a landmark new data privacy bill passed successfully through the California state legislature and received final sign-off by Governor Jerry Brown earlier this summer. The California Consumer Privacy Act of 2018 is now set to become law at the end of 2019.

This Privacy Act will enforce a number of new conditions designed to protect consumers against having their personal data collected and sold without their knowledge or consent, including:

  • Businesses must disclose what information they collect, for what business purpose, and which, if any, third-parties they share that data with.
  • Businesses must comply with official consumer requests to delete that data.
  • Consumers can forbid the sale of their data, and businesses can never retaliate for this by changing the price or level of service provided to those consumers. However, businesses will be allowed to offer “financial incentives” for consumers to consent to such data collection and sale practices.
  • California authorities will be empowered to fine companies for violations.

Influential companies and trade organizations aligned to fight this Act, including Facebook and Google in particular, as it counters many of their current business practices. Internet providers such as AT&T and Verizon, which have made money by sharing their customer data with third-parties for years, were also opposed.

The fact the law appears to have made many of the ‘right’ people angry may actually have been part of its appeal, and contributed to its successful passing. And while only a single-state law at this time, California is certainly a populous state and one that is home to many market-leading technology companies. That makes it a highly influential state on both the political and the business stage, and it may be stepping in where the current U.S. Federal administration could appear to be looking the other way (e.g., the repeal of the net-neutrality laws).

At a minimum, the Act may serve as a deterrent to the types of behaviours enabled in a regulatory vacuum, and may lead to other states following suit. Notwithstanding the considerable opposition, companies now have until the end of 2019 to become compliant, and that is another step forward we all need to appreciate.