Privacy – it’s nothing new. We as a species have been searching for privacy in one way or another for generations. And while some of us yearn for the spotlight (at least in some areas of our lives), privacy has taken on a new meaning for many in this digital world.
We now post what we do at almost every opportunity, and we give up some of our privacy to show how well we are doing, where we have been, and our likes and dislikes. But there are certain pieces of information that we look to be able to safeguard – obviously in today’s day and age that includes our SSN and credit card numbers, for which regulations already exist. In the age of COVID, we have all begun to use e-tail much more freely. We are ordering not only clothing, household goods and take-out but regular food shopping, etc. Being able to know who I am and my likes and dislikes so that advertising can be more targeted makes economic sense from the business point of view. But the definition of privacy, what information we want to share, and how, continue to evolve. Enter the notion of Privacy Regulations.
To be clear, rapid technological developments and globalization have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. The impetus behind these privacy regulations is in giving the owner of this information, the person to whom this information pertains, some control over how the information is used. Many (not all) of the regulations also contain provisions for fines should data be breached or used in a way that is not in accordance with the wishes of the owner.
The first widely known privacy regulation in the U.S. (aside from HIPAA) was CCPA – the California Consumer Protection Act, which has recently been followed up by the CDPA – Consumer Data Protection Act in Virginia. Both of these differ in many respects, and I won’t get into the legalities of the acts themselves, who they cover, etc., in this article. Suffice it to say that if you are doing business in California or Virginia or collect data on residents of either State, you probably fall under the auspices of these acts.
But are there circumstances where you would not be required to follow either of these regulations? Absolutely. The easiest example is a request from someone to ‘be forgotten’ (to have their personal information removed) who is not a resident of either State. Compliance is not mandated. There have been many times when I have contacted an organization and have asked to be ‘forgotten’ only to have to prove that I am a resident of CA, and when I cannot, I am told that they have no obligation to do so. From a legal perspective, they are absolutely correct. Yes, I can request that they no longer contact me as per the CAN-SPAM Act of 2003, but that does not prevent them from using the information they know about me to target advertising or sell my information to others.
But, from a competitive viewpoint, are there benefits to following these regulations even if not mandated to do so – and can this be turned into a competitive advantage?
At this point, we are all looking for that competitive advantage. Our goal is to be able to increase market share, sales, income, and profits, and data plays a prominent role in this quest. Most often, we look at becoming more effective and efficient in our processes to reduce costs, negotiating lower costs for raw materials, or marketing our differentiators in order to attract new clients. Rarely do we look at regulatory compliance as a differentiator. We tend to see it more as a cost of doing business and a necessary evil.
Some time ago, organizations stopped looking at IT as a ‘cost center’ and started thinking of it as a ‘profit center.’ There are a number of ways in which this can be done (perhaps another article?), but needless to say, those organizations that recategorized IT early on became more data-driven and understood the idea of information for a competitive advantage. I believe that those organizations that look at privacy regulations in the same manner will reap the same types of benefits.
Let’s take an example. Most of the e-tailers we buy from have had to become CCPA compliant as they do business in California and will now need to become CDPA compliant. Can you see Amazon, Netflix, or Lands’ End deciding that rather than becoming CCPA/CDPA compliant, they just forgo the California or Virginia markets? Not likely. But if they did, I would have a choice. I can either shop at Major Retailer A, who has decided that as I do not live in California or Virginia, they do not have to abide by my wishes, or I can buy my jeans at Major Retailer B, who has indicated that regardless of whether I live in California, Virginia, or anyplace else within the U.S., if I don’t want my data to be used for marketing purposes, that is not a problem, and if I decide that I wish to be forgotten, they will process that request as well.
From a process viewpoint for the organization, this makes sense. There are no longer two distinct processes dependent on my state of residence. Regardless of where I am, my request is processed. True, this may increase the number of requests that are actually handled, but as this is an automated process, there is no increase in costs. However, if there are multiple processes (resident/non-resident), there may be some human intervention necessary to ensure that my request was valid and then a separate branch to inform me that my request was not being honored as well as ancillary processes to deal with the additional requests for information, customer service calls requesting more clarification, etc.
For most larger organizations here in the U.S. that did business on an international basis (yes, Amazon and other e-tailers, but even places such as NBC or Netflix that might charge for web content that is visible overseas), privacy compliance became mandatory with the advent of the EU standard GDPR. Organizations were reminded of how serious privacy and protection were with some of the fines handed out by the EU for violations – which can reach 4% of an organization’s global revenue. The top 5 fines levied for 2020-2021 (so far) are:
- Google – €50 million ($56.6 million)
- H&M – €35 million ($41 million)
- TIM – €27.8 million ($31.5 million)
- British Airways – €22 million ($26 million)
- Marriott – €20.4 million ($23.8 million)
Were these fines paid? Can you imagine Google or Marriott deciding not to pay the fine and giving up the European market? CCPA and the newer CDPA were based on the GDPR regulation. While the fines for each of these are not the same as those for the GDPR, we will begin to see more and more states enacting their own privacy regulations until the U.S. Federal Government determines that a national policy is necessary. That will happen when more fines are being levied, and the government sees this as an additional potential revenue stream. Until that time, organizations will need to deal with the regulations one at a time, ensuring that they are compliant with the strictest ones and thereby meet or exceed those that are less stringent. Unless yours is a highly regional business, privacy regulations are in your future.
Also, remember that removing your email address or ‘forgetting’ you is only part of the regulations. There are rules regarding who internally has access to your data, security and governance safeguards, etc. Organizations that follow privacy regulations understand how to control access to your personal information both internally and externally.
From a consumer viewpoint, would I rather do business with an organization that will abide by those regulations regardless of my state of residence, or with an organization that informs me that they need only comply if I am a member of the, for lack of a better term, ‘protected class’? For me, the answer is rather simple, which gets us to privacy compliance as a competitive advantage.
I live in NJ, and there are regional businesses that are currently not under the auspices of either CCPA or CDPA. These include supermarkets, entertainment venues, hotels, restaurant chains, brick-and-mortar retailers, and even some e-tailers. While these businesses may not legally have to follow these privacy regulations, privacy still occupies one of the higher echelons of my mind. There is also a relatively highly competitive market for many things here in the State. If I have the choice to provide my information to one business or another (credit card data, email address, etc.), I would rather choose the business that indicates that it follows the precepts of these privacy regulations over one that does not. Adding that information in a prominent place on a web page or on the door to the business takes little effort, and considering that these businesses will need to implement privacy in the future, it only puts them ahead of the curve. True, enactment of the regulations can be costly, but this gives those organizations that do not yet need to be compliant more time to study and build the necessary processes and applications, implementing only those that are necessary to track and remove information that would be considered ‘private.’ Regulatory timelines would not need to be followed, nor would reporting to either regulatory agencies or the individual, thus delaying certain costs. The upside, especially if marketed, would be the increase in business associated with those consumers that are concerned with their privacy. This segment could be further increased by informing the consumer base of exactly what this means.
For those regions where privacy regulations have already been enacted and for those businesses that are already compliant, the reasoning still holds. Marketing that they will do everything possible to protect their customers’ privacy, regardless of the fact that they are required to do so, can be used as a competitive advantage over those that do not market themselves in the same way.
Privacy is evolving and will continue to be enacted in the U.S. at a more rapid pace. Those organizations that embrace the regulations before they are required can use this to their advantage.
Aaron Gavzy is Lead Data Strategist focusing on Global Data, Analytics, AI, and Advisory Services. He has over 30 years of demonstrated experience in the development and delivery of innovative strategic solutions for solving business and tactical issues across a variety of industries. He has led consulting practices at large, multi-national consulting firms and is both a former CIO and CFO.