Privacy is more important than ever. Recently, we’ve seen Apple, the world’s largest hardware company, pivot into a leader in online privacy protection. If you’ve been paying attention to the news, you probably aren’t surprised that the privacy and security of our data are of major concern to people all over the world. One sign of this is the growing adoption and passage of regulations meant to protect an individual’s right to privacy on the internet.
The most famous of these regulations is the General Data Protection Regulation, or GDPR, which is noteworthy both for its depth (see our checklist, below, for what it takes to be truly compliant) and its breadth, as it applies to every country in the European Union (27 by last count).
The GDPR was merely the first of its kind, and other localities are following suit with guidelines of their own. The protection of an individual’s data is going to be a chief concern for governments in the years to come, and it’s time for marketers to get ready for it.
The Big Lesson
If there is anything to take from this post, it’s this: these regulations are an opportunity for you to assess your business’s relationship to the data you collect. Sure, it’s a good idea to be as compliant as you can be, within reason, but we also should consider ourselves stewards of the personal privacy of our customers. That is an important and vital duty that is incumbent upon anyone who wants to run an ethical business. The GDPR and others might sound scary, but it’s actually pretty easy to follow the spirit of the laws, if not the letter (we’ll get to that later). As long as you’re taking data, and the privacy of your customers, seriously, you’ll be ahead of the game.
The Facts Are These
So far, every regulation has followed a specific pattern, which we will outline here:
- “Extraterritorial application” is a fancy term that means the law applies to the personal data of anyone living in those locations, regardless of where the business itself is located. That means you can be an American company and, if you do business with EU members, you will be expected to abide by the GDPR, for example.
- The consequences of violating these laws vary wildly among the countries implementing them. For instance, the GDPR allows for each EU member to define for itself what kinds of penalties or level of enforcement it prefers—there is no universal rule for what fines or punishments will be leveled against those who are found to be in violation of any of the below laws.
The Countries and Their Laws
Click the link to skip down to the specific regulations for each locale, and keep an eye on this page for updates as time goes on and more and more places adopt their own versions.
- GDPR (EU)
- LGPD (Brazil)
- PDPA (Singapore, Thailand)
- Privacy Amendment (Australia)
- CCPA (California, USA)
The GDPR
This is the granddaddy of all regulations, and its mere mention can send company executives into a rabbit hole of anxiety. Make no mistake about it, GDPR is important to get right. But it also feels like an overwhelming undertaking. Here’s a link to the official website.
Let’s answer some of the basic questions you might have about this scary law, and learn why you probably shouldn’t be scared at all.
Who has to follow the GDPR?
If you’re operating within any EU member nation, you’re subject to the regulation. That doesn’t just mean that you have to sell your widgets to people who live in France—it also applies to anybody doing business of any kind with people from those countries. So unless you’re specifically restricting individuals from EU nations from using your service, or visiting your website, you’re going to be subject to the law. The maximum fine is 4% of a company’s annual global revenue, so it would behoove most companies to be compliant.
Well, it would, if the juice is worth the squeeze. What’s the squeeze we’re talking about here? Well, you might have to hire some new employees, because you probably don’t have a GDPR controller on staff.
How do I comply with the GDPR?
The GDPR mostly concerns itself with two roles: a controller and a processor. A processor is anyone who “processes” personal data on behalf of the controller, while the controller is just what it sounds like—the controller of the data being processed. Processors have to make sure the data they’re processing stays safe, and are the primary handlers of the data that individuals entrust to the company employing those processors. Processors and controllers can both be held liable for data breaches.
Do I really have to hire somebody just to handle the GDPR?
No, you don’t. Anyone who has sufficient knowledge of privacy and of the data being processed by the data processors can be assigned the role of GDPR controller, but you have to make sure that person is named and ready before you need them. You should also have a plan in place for the handling of personal data and a crisis plan for a possible data breach.
So what do I really have to do?
Assign a Controller
Someone in your organization, probably the person who knows the most about the personal data being collected, needs to be given the role of Data Controller. Have them come up with a plan, and make sure you have a solid grasp on how personal data is handled at your organization. It’s a good idea to set up a flow chart of how data moves through the different parts of your organization—this will help you identify parts of the chain that might be vulnerable or unreliable.
Update Your Website
You have to make sure that all of your policies are very clearly communicated on your website, along with clear controls for your users to opt-out of having their data collected. Clarity is the guiding light of the GDPR and similar regulations. You need to be as clear as possible to your customers, and let them know exactly what you’ll be using their data for.
Also, age verification is no longer just for sites you don’t want your kids to access—the GDPR specifically requires parental consent for collecting the data of anyone under the age of 16. That means you’ll need to keep track of both the parent and the child in your own privacy database.
That cookie notice you see on so many websites is important, too. It’s part of that whole clarity thing we mentioned before. The cookie notice should be a brief statement about what data is being collected and why, with a link to the more detailed privacy policy.
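The opt-out controls and the under-16 parental-consent rule described above come down to one pattern on the site itself: non-essential collection stays off until there is a recorded, explicit opt-in, and withdrawing consent turns it off again. The JavaScript below is an added example, not code from the original post or from any consent-management product; the category names, the in-memory store standing in for localStorage or a server-side consent table, and the policy version string are assumptions made for illustration.

```javascript
// Consent-gated data collection (added example; constructed for illustration).
// Assumptions: an in-memory object stands in for localStorage or a consent table,
// the category names are hypothetical, and PARENTAL_CONSENT_AGE mirrors the
// under-16 threshold the post cites.

const PARENTAL_CONSENT_AGE = 16;
const CATEGORIES = ["analytics", "marketing"]; // non-essential processing, off by default

class ConsentManager {
  constructor(store = {}) {
    this.store = store; // plain object here so the example runs offline
  }

  // Record a user's decision. Every non-essential category stays off unless
  // the user explicitly opted in, and for a minor the opt-in only counts when
  // the parental-consent flag is also set.
  record({ userId, age, parentalConsent = false, choices = {} }) {
    const minor = Number.isInteger(age) && age < PARENTAL_CONSENT_AGE;
    const granted = {};
    for (const cat of CATEGORIES) {
      const optedIn = choices[cat] === true;
      granted[cat] = optedIn && (!minor || parentalConsent);
    }
    const record = {
      userId,
      minor,
      parentalConsent: minor ? parentalConsent : null,
      granted,
      recordedAt: new Date().toISOString(),
      policyVersion: "example-v1", // hypothetical: ties the consent to the policy text shown
    };
    this.store[userId] = record;
    return record;
  }

  // Withdrawal clears every non-essential category in one step and keeps the
  // original record so you can show when consent was given and taken back.
  withdraw(userId) {
    const rec = this.store[userId];
    if (!rec) return null;
    for (const cat of CATEGORIES) rec.granted[cat] = false;
    rec.withdrawnAt = new Date().toISOString();
    return rec;
  }

  // No record means no consent: unknown users are treated as opted out.
  allowed(userId, category) {
    const rec = this.store[userId];
    return Boolean(rec && rec.granted[category] === true);
  }
}

// Run a tracker's loader only for categories the user has consented to.
// Returns the list of categories actually loaded.
function loadTrackers(manager, userId, loaders) {
  const loaded = [];
  for (const cat of CATEGORIES) {
    if (manager.allowed(userId, cat) && typeof loaders[cat] === "function") {
      loaders[cat]();
      loaded.push(cat);
    }
  }
  return loaded;
}

// Stand-alone demonstration with constructed sample users.
function demo() {
  const manager = new ConsentManager();
  manager.record({ userId: "adult-1", age: 34, choices: { analytics: true } });
  manager.record({ userId: "teen-1", age: 14, choices: { analytics: true } }); // no parental flag
  const started = loadTrackers(manager, "adult-1", {
    analytics: () => console.log("analytics enabled for adult-1"),
    marketing: () => console.log("marketing enabled for adult-1"),
  });
  console.log("loaded:", started, "| teen-1 analytics allowed:", manager.allowed("teen-1", "analytics"));
  return started;
}

if (typeof require !== "undefined" && require.main === module) demo();
```

The design choice that matters is the default: a missing or unparsed consent record is treated as opted out, so a bug in the banner fails toward collecting less rather than more. Storing the timestamp and policy version alongside the decision is what lets you later show exactly what a user agreed to, which is the clarity the post keeps coming back to.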
Decide just how compliant you want to be
This is a little harder to assess, and your mileage may vary depending on the size of your company, how much business you do in the EU, and whether you feel like taking risks. Lots of consultants will tell you that it’s impossible to be 100% compliant, so you shouldn’t even try. As long as you’re practicing good data hygiene, outlined above, then you probably won’t need to worry. Still, you can follow our GDPR checklist to make sure you’re hitting as many of the important pieces as possible, and being as compliant as you can be.
LGPD (Brazil)
The Lei Geral de Proteção de Dados, or LGPD, is Brazil’s version of the EU’s GDPR. They are so similar, in fact, that the EU’s own site about the differences between the LGPD and GDPR mentions this similarity. Here’s a link to an English translation of the LGPD.
Therefore, you don’t really need to give yourself twice the work in combing through both regulations—once you learn everything you need to know about the GDPR, you’re pretty much covered for the LGPD. Even so, we’ll go through those minor differences now:
Legal basis for processing data
Both the GDPR and the LGPD are quite comprehensive in how thoroughly they protect an individual’s data. Each outlines specific legal bases for processing personal data, and anybody collecting data must choose one of them as the justification. The legal basis most organizations rely on is explicit user permission, which is why you see an opt-in prompt on so many pages. There are other bases for collecting personal data that do not require explicit opt-in. The main one the LGPD allows that the GDPR does not is data collected to protect a credit score.
Deadline for reporting
The main difference between the LGPD and the GDPR data breach reporting deadline is that the GDPR has one and the LGPD does not—it simply states that a data breach must be reported “in a reasonable time period,” while the GDPR very clearly states that the report must take place within 72 hours of the breach.
Fines
Another major departure for the LGPD is the level of fine that it requires from violators. While the GDPR member nations each can define how much their fines are, the maximum allowed is up to 20 million euros or 4% of annual global revenue, whichever is higher. The LGPD only requires 2% of the value of the company’s business within Brazil, with a maximum of 11 million euros. As of July 2020, the euro and the US dollar were worth roughly the same, with a slight edge in favor of the dollar ($0.15, to be precise).
PDPA (Singapore, Thailand)
Singapore and Thailand both passed their own versions of the GDPR, though Singapore was the first, in 2012. The only important differences you need to know are that the fines are lower but that the law includes a provision for criminal charges. Most of the regulations from other countries have hefty fines, but this is (so far) the only one that can put you in jail if you don’t comply. That’s really only a concern if you live in Thailand, but it’s still something to consider. Here’s a link to a site about the PDPA of Singapore and here’s a site for Thailand.
The Privacy Amendment (Notifiable Data Breaches) to the Privacy Act (Australia)
This is a simple one: if you have a data breach, you have to notify your customers within 30 days of your discovery of it, or you’ll face up to $1.1 million in fines. Again, as long as you’re practicing the best data protection and breach mitigation strategies you can, you’ll be fine. Here’s more information.
CCPA (California, USA)
Although not a direct copy of the GDPR, California’s version shares much of the same DNA as its EU counterpart. Compliance with one does not guarantee compliance with the other, so make sure you’ve gone over the particulars. It’s a good idea to get familiar with the CCPA, since it looks like it might become the primary source for similar laws in other states. There’s even talk that these regulations could come from the federal government, and as we know, federal laws take precedence over state laws. If it does, and people like Tim Cook of Apple think we should have one, expect it to look a lot like the CCPA. Here’s the website for the CCPA.
If all of this digital marketing stuff seems a little overwhelming, it’s okay—we’re here to help. Get in touch and let us help you with the hard parts.