“Data-driven thinking”Written by members of the media community and has new ideas about the digital revolution in the media.
Today’s column is written by Ines Henrik, VP of Sales Planning and Media Strategy at Inmar Intelligence Company Aki Technologies.
When it comes to privacy laws, denial often precedes consent.
When the GDPR came into force again in 2018, some US companies ignored it, opting to stop or restrict work in the EU instead of adjusting their data privacy practices.
But with the privacy law California (CPRA), Colorado (CPA) and Virginia (VCDPA) Going into effect in 2023, American businesses will have no choice but to accept and work.
How exactly does this trio build on the precedents set by GDPR and CCPA? And what do companies need to do now to ensure compliance in 2023?
These laws will usher in an era of restrictions on class-based consent, privacy assessments and data sharing. Here’s how to prepare.
Understand the difference between a controller and a processor
The EU’s GDPR identifies two categories of businesses that deal with customer data: controllers and processors. The controller determines the purpose of data processing; The processor processes the data on behalf of the controller but does not determine the purpose of the processing.
Laws of Virginia and Colorado To borrow The difference between GDPR and controller-processor forces US businesses to compute with the taxonomy they operate in those states.
Most retailers and brands are considered regulators – and under the new law comes the new responsibility of being data regulators.
A new hurdle to navigate? Data subject access request. These requests are a way for consumers to find out what data a company has collected from them and to claim their rights to remove or correct errors in that data.
Ready for privacy impact assessment
Colorado and Virginia laws introduce a requirement for data regulators known as privacy impact assessments or data protection assessments. The management of a PIA involves evaluating the benefits of sensitive data processing for targeted advertising, customer profiling or other uses related to the customer’s risk data collection and usage location.
Not sure if you should handle PIAs? Data mapping contains answers. Data mapping The practice of knowing the details of how data flows across an organization. It helps businesses make sure they know exactly what data they’re storing, how they’re storing it, and where they’re going to limit risk, provide transparency to end users, and comply with regulatory requests.
If it sounds scary, don’t be afraid. Mapping can be automated, closing down some of the business burden.
Adjust data sharing limitations
CCPA has forced businesses to give customers the right to stop selling their data to third parties. But for the convenience of targeted online advertising, data sharing has made a sale and therefore there was a lack of clarity about whether an opt-out opportunity was needed.
But with CPRA, there is no gray area.
The law explicitly defines “sharing” to include “cross-textual behavioral advertising” (or targeted advertising based on user behavior). This means that many brands now need to develop opt-out capabilities for customers by sharing data with advertising technology providers for the convenience of advertising.
Brands must clearly state what data they are sharing and give consumers the right to opt out of sharing with third parties. This transition could present a major challenge not only in terms of implementation and compliance, but also in terms of its potential impact on marketing. Marketers will want to create the best possible case for customers to process and share the necessary data, explaining that price exchange makes customer data possible.
Complying with the new privacy law will require some legwork, but if companies fix it, they can turn privacy challenges into opportunities. Eliminating regulatory liability is a big win, but increasing consumer confidence is the most important win.