Acronyms, Anyone? A Privacy Regulation Update

While most of the country is just now breaking out of lockdown, state legislatures from coast to coast have been busy over the past 14+ months hammering out privacy laws. Here in the U.S., the CCPA has gained the lion’s share of industry and press attention, but since January 1st, 2020, other states have entered the data privacy arena. This quick overview provides a rundown of privacy legislation passed since CCPA first took effect, insight on other bills likely to go into effect, and some ideas on how to prepare.

CPRA, CDPA & More

The California Privacy Rights Act is an initiative passed by popular vote to update the CCPA. Like CCPA, CPRA will be the baseline that most marketers will use to guide their consumer notice and choice efforts. The CPRA, which goes into effect on Jan. 1, 2023, clarifies, and in some senses broadens, the existing standards, while also removing the 30-day window to correct errors without penalty.

The threshold for determining whether a business is covered under the act has been slightly raised. Data collection, use, retention, and sharing of personal information will be limited to what is “reasonably necessary” to achieve the specified purposes. Consumers will also have more rights to opt out of retargeting, the use of sensitive PII, and automated decision-making or artificial intelligence, as well as the right to correct. Additionally, a new state-level organization will be formed to oversee enforcement (funded partially by the fines collected), replacing the state Attorney General’s office.

Similarly, Virginia’s new privacy law, the Consumer Data Protection Act (CDPA), will go into effect on Jan. 1, 2023. Key differences from CPRA are that consumers will have specific rights based on the type of data about them, and marketers will be required to gain consumer opt-in for sensitive data. In June, Colorado became the third state to pass a broad privacy law, the Colorado Privacy Act. If signed by the Governor, which is expected, it would phase into effect between 2023 and 2025.

Other State and Federal Laws

Although many states have proposed new privacy regulations that seem likely to pass, including Nevada, Maine, and Vermont, they are all fairly limited in scope. On the other hand, proposals from states such as New York, Connecticut, and Maryland have the potential to increase requirements over and above California’s requirements. Florida is also in the privacy mix, although a recent proposal was narrowly defeated.

Progress is also being made federally, with several bills proposed on Capitol Hill last year and one so far this year. Proposals came from both sides of the aisle with striking resemblances in key features, an indication of strong bipartisan support on the topic.

Proposed federal bills appear to have consensus on protections for PII, sensitive data, anti-discrimination and data minimization. Where they begin to differentiate is around federal pre-emption of state laws (which would simplify things for the entire data ecosystem), private right of action in contrast to FTC or state-based regulatory action, and definitions of sensitive data, and what you can do with it.

Preparing for 2023

One of the easiest ways to stay acquainted with the latest regulatory changes is by signing up for content from sources like legal newsletters from law firms specializing in privacy services, trade organizations like ANA or IAB, and active participants like Alliant. Each of these can provide different points of view and help your teams avoid surprises. 

No federal law or new state law is likely to usurp the primacy of CCPA or CPRA before they become effective in 2023. On the tactical front, brands should consider applying rights evenly across all U.S. residents as prescribed by California and Virginia. The rules are sufficiently similar that steps can be taken to try to comply with both. Marketing teams should begin planning their approaches to new regulations, enhancing existing CCPA programs. Some initial steps can include creating a data map for sensitive data (like listing all common and unique “sensitive” PII) and re-evaluating automated workflows, inferences and non-exempted data. Furthermore, plan a compliance strategy for managing right to correct, data privacy audits, data minimization, and exceptions. Finally, monitor new developments and start triangulating what nuances each may present.

The Future of Data

As brands evolve policies and procedures to adhere to legislation, or to integrate new identity solutions or cohort technology, your central focus should be clear and transparent communication with customers. Notice and choice are the foundation for effectively respecting privacy of consumers, managing customer relationships and collaborating with partners.

If you are responsible for, or a user of, data within your organization, start thinking about what permissions and disclosures you want to have in place well before 2023. This will limit missed opportunities and allow for new and exciting partnership opportunities.

The future will certainly look a bit different, but with the right strategies in place, brands will be able to fuel growth with effective data.

ABOUT THE AUTHOR

Nicholas Godlove, Corporate Counsel

Nick joined Alliant after a successful career in private practice advising technology companies on privacy and contracts. He is deeply involved in Alliant’s data security and consumer privacy efforts. Nick earned his law degree at UC Davis and holds a Masters in Cybersecurity from Brown. Nick loves his subscription to Audible, where he listens to a classic novel each month.

Why You Need to Build a Data Governance Team Right Now

Originally published by Streetfight Magazine, this commentary from Alliant’s compliance expert discusses the importance of Data Governance for brands. You may know Nick from CCPA and other compliance-related conversations with Alliant. Here he offers the what, why and who that every brand should consider when building a Data Governance team in their organization.

Modern marketing has increasingly become a data-driven practice by necessity. Any organization lacking a data strategy is lagging behind its technologically advanced competitors. The data that marketers use on a daily basis for market research and advertising decisions — consumer purchases, behaviors, and interests — has never been more important, nor has it ever been under greater scrutiny.

In today’s climate in which consumer and regulatory expectations change so quickly, data governance is increasingly becoming a necessary function for all businesses leveraging consumer data.

GDPR, CCPA, and future state and federal privacy laws force brands, agencies, tech vendors, and data providers to either comply or face fines and other legal action. Without a data governance team to operationalize and manage their consumer data assets, they put themselves at extreme risk of losing competitive advantage or of being put out of business altogether.

Of course, talking about data governance is significantly easier than executing it, as building a team to handle this critical component of your business can be a challenge. Here’s why it’s so critical to get this right — right now — along with some guidance on how to build a first-class data governance operation.

What does a data governance team do?

At a high level, a data governance team is responsible for overseeing how data is collected, analyzed, stored, and used by your business. It oversees the documentation, training, partner agreements, and retention policies related to data.

Why adopt data governance now?

While marketing and advertising teams have widely adopted data for their strategic initiatives, data governance and hygiene practices haven’t been adopted at quite the same rate. Those who haven’t caught up may continue to lose significant value from their data.

For example, when there is insufficient data governance, certain business activities may cease to occur because there is insufficient data to effectively engage in that activity. Other costs and risks to operating without proper data governance in place include missed (or slower-to-market) opportunities for new products or insight-driven marketing campaigns. As new federal and state regulations emerge, data governance would also allow better preparedness and agility in managing and addressing new policies.

Who needs to be on a data governance team?

Because data governance brings a unique combination of technological as well as legal and compliance challenges, it requires a multi-disciplinary team of strategic, business-operational, and implementation-focused stakeholders.

The data governance team would likely include representatives from:

  • IT, to manage the technical side of data collection and storage and to administer permissions to access data

  • Legal, to oversee the documentation, reporting, and compliance components, setting the foundation for data governance policies

  • End users across marketing, sales, and data science teams, to put the data into action across various business functions and strategic decisions

Basically, any of your internal teams that touch data need to have a seat at the data governance table. Not only do these stakeholders need to be part of a data governance team, but their interests must be well balanced to ensure that your data efforts can move the business forward. Over-emphasizing any one component may come at the risk of ignoring another, which can cause problems down the line and inhibit the use of data.

Depending on business size and resources, it may make sense for the data governance team to start as a selection of key players, wrangled by a project manager. The project manager can come from any discipline; there is not currently a single “right” answer as to who owns data projects.

For example, an IT team placed in charge can manage permissions, but that doesn’t guarantee compliance, nor does it ensure clean, quality data. It’s easy to limp along with poor data and harder to build a multi-disciplinary team that manages all aspects of governance. As the function becomes more defined and the organization more in tune to its value, you may decide to launch a dedicated data governance team to coordinate among stakeholders.

Getting up and running

The key to successfully building a data governance team within your organization is executive buy-in from all key executives across the organization. Without the full sponsorship of internal data governance from top leaders, it will be significantly more difficult to achieve your short- and long-term data governance goals.

Once a team is in place, it must first audit all the data within project scope: to understand where it comes from; where it resides; and who has access to it, both within the company and externally. If nothing else, the data governance team must document how the data is utilized and formalize the processes that use it. Oftentimes during this process, businesses are surprised to learn how many hands touch the data on its journey from collection to use, and how many opportunities for inaccuracy or data loss creep in.

Once the team unlocks better clarity into its data, the team is also responsible for maintaining a clean CRM file that is accessible, standardized, and understandable. More mature data governance teams will manage metadata, meticulously maintaining insights about the data itself, which is essential for further analytic or activation uses.

Data governance doesn’t have to be an onerous process nor a sea change at your organization. Many practices may exist already that just need to be identified, organized, and codified. More than anything, data governance is about having an internal consultancy that oversees the process and makes sure that all key stakeholders are represented. As the marketing and advertising worlds move toward data transparency, it’s critical that all parties uphold standards of privacy that build trust with customers and partners.

ABOUT THE AUTHOR

Nick Godlove, Corporate Counsel

An Update on CCPA

Digging in to recent amendments and regulations

Legislative proposals to amend the California Consumer Privacy Act (“CCPA”) statute were recently signed, finalizing the law for its January 1, 2020 effective date. Highlights from amendments to the law include:

  • Broadened exemptions for compliance with the Fair Credit Reporting Act, and specifically excluded deidentified and aggregate consumer information from the definition of “personal information”
  • Created a one-year exemption for certain B2B transactions along with a one-year exemption for employee information
  • Streamlined the definition of “publicly available” information
  • Consumer request methods were further detailed
  • “Data brokers” are now required to register with the California Attorney General

The day before these amendments were signed into law, the California Attorney General also released draft regulations that proposed rules to direct businesses on how they can comply with the law. The Attorney General will hold public hearings on the draft regulations and accept written comments, so it is likely these regulations will be revised and might not go into effect until after the CCPA becomes effective on January 1, 2020.

By and large, the regulations proposed by the Attorney General provide useful guidance, but there are some unexpected components that, if adopted, could greatly impact organizations’ ability to comply. A few of the provisions Alliant is carefully watching include:

  • Businesses would be required to provide clear, conspicuous, and understandable notice to consumers of their privacy practices at or before the time their personal information is collected
  • A new requirement to use consumers’ information only in a manner consistent with the notice provided, and directly notify consumers to obtain explicit consent to use the information in a way not previously disclosed
  • Clearly defined a “household,” which is an important concept in consumer information, as “a person or group of people occupying a single dwelling”
  • Clarified various methods of communicating with consumers, and requires explanations of incentives or price differences for sale of information

Alliant will continue to build its CCPA compliance procedures based on the solidified statutory language, while also tracking the moving target of regulations over the next several months. Please consult with qualified counsel, or join our CCPA updates & education series, if you have any questions on the impact of these rules.

ABOUT THE AUTHOR

Nick Godlove, Corporate Counsel

CCPA Update

It’s September and there are only four short months before the California Consumer Privacy Act goes into effect. Alliant has been hard at work developing new procedures and processes required to comply with the law, and is well on the road to full compliance.

Although the effort is resource-intensive, Alliant believes that providing consumers with more data transparency will ultimately strengthen the case for responsible data use by marketers.

Ultimately, Alliant believes that data transparency will strengthen the marketplace for consumer insight.

As part of our process, we are coordinating with DataHub Members and third-party data providers to discuss their compliance efforts and provide support where possible. Our team has been working closely with industry groups such as ANA, IAB, an ad hoc consortium of peer data providers, and in-house and outside counsel to ensure that we have as clear and unified an approach to compliance as possible.

Consumer Verification, Anyone?

One challenge that many DataHub Members have is meeting the requirement to verify consumers’ identity before disclosing their data reports. Alliant is developing a robust online platform for managing and documenting consumer requests for their marketing information, and it will be possible to provide this service to DataHub Members. Talk with your Alliant account executive if you would be interested in hearing more about this potential solution.

In the coming weeks, we hope to talk with all DataHub Members about their efforts to comply with CCPA. We look forward to the conversation.

ABOUT THE AUTHOR

Nick Godlove, Corporate Counsel

A Team Approach to Regulatory Compliance

By now, everyone who relies on marketing data for business success understands that the rules are changing. Virtually every consumer-facing business needs to re-consider its obligations regarding consumers’ rights to transparency and choice in using personal information.

At Alliant, we see compliance as a team sport.

We have been working diligently to prepare for Alliant’s obligations under the California Consumer Protection Act (CCPA) as well as other pending state laws — partnering with our peer marketing services provider organizations to develop industry standards for categorizing and reporting on data use for consumers requesting more information.

As we work to finalize definitions and create the processes required to address CCPA, our attention is now turning to DataHub Members and other partners. Our goal is to ensure that everyone in Alliant’s network has the information and tools needed to fully comply with CCPA — as well as new consumer transparency regulations that may follow.

Over the coming months, look for more information from Alliant on CCPA. Our team will be reaching out to answer any questions or concerns our Member organizations may have, and to identify areas where we can support your compliance efforts.

We believe that access to consumer data is a privilege, and we support efforts to educate consumers and lawmakers about the benefits of data-driven marketing. Working together, we can ensure that the entire data supply chain is secure, transparent, and compliant.

All the best,

JoAnne Monfradi Dunn
President & CEO

ABOUT JOANNE

President & Chief Executive Officer

JoAnne is the founder of Alliant – and the architect of our vision to deliver innovative consumer targeting solutions powered by the aggregated purchase transactions of multiple direct-to-consumer marketers.

A lifetime marketer, JoAnne’s career includes positions at Time Life, The Norman Rockwell Museum, and Mal Dunn Associates. She is a committed advocate for development of comprehensive data governance and security standards, and has a long history of industry service. She is also an expert baker.

Keep Your Negative Option Approach Positive

For most experienced marketers, negative option contracts are nothing new.

Traditionally the contract of choice for magazine subscriptions and continuity marketers, negative option deals today are enjoying a renaissance. Auto-renew offers are being used in emerging businesses ranging from subscription boxes to popular media services like Netflix, all manner of new information and services businesses, and even auto-shipped consumer packaged goods. Typically the consumer receives the first month (or months) free or for a reduced price, and a credit card is automatically charged at the full rate each subsequent month until the consumer cancels the subscription.

Perhaps unsurprisingly, the growing popularity of negative option contracts has provoked increased scrutiny from lawmakers and regulators.

Many of the new regulations focus on ensuring that merchants do not use unfair or deceptive advertising or contract language. Recent national legislation such as the Electronic Funds Transfer Act and the Restore Online Shoppers’ Confidence Act specifically focus on “clear and conspicuous” disclosure requirements.

Alliant DataHub Members should also be aware that state laws add layers of complication. California began regulating trial periods and continuity plans in 2017, with other states passing similar laws requiring specific disclosures in subscription offers. A new District of Columbia law mirrors other states’ “clear and conspicuous” disclosure requirements, and also requires highly detailed notifications prior to subscription renewals and affirmative consent before charging a customer following a free trial.

Interestingly, new rules are being introduced in the supply chain too. Starting in April 2019, MasterCard will require merchants to receive explicit authorization to begin recurring payments at the conclusion of a subscription trial period. These regulations benefit consumers by reducing confusion and unexplained monthly charges — but they pose consequences for marketers if they are missed.

Taken as a whole, many of the new rules are just restatements of best practices and good customer service. Consumers should understand what they are getting into. Credit card charges should be easily attributed to the marketer. And there should not be large delays between the charge and the delivery of the product.

But changing rules may negatively impact consumers and marketers as well. Consumers like the ease of auto-renewals, and the speed and surprise of subscriptions. The new rules increase friction and raise the overall costs to merchants, which could result in increased prices to the customer. Finally, rules that are too onerous may cause companies to end their free trial periods entirely, which hurts consumers seeking new products with low initial risk.

If your organization is seeking to attract new consumers for a monthly subscription, you may want to consult qualified counsel about what changes you may need to make on your offer and contract.

Additionally, it may be in your interest to reevaluate your audience targeting strategies. You can make data work for you with models that find consumers who are more likely to affirmatively renew after a trial period, as opposed to “serial cancellers”. In this respect, Alliant offers a number of solutions designed to help grow your subscription business profitably — even with increasing legal requirements.

ABOUT THE AUTHOR

Nicholas Godlove, Corporate Counsel
