News now of the U.S. federal government and a dozen of the states contemplating legislation this year follows closely on the passage of the California Consumer Privacy Act of 2018 and implementation of the European General Data Protection Regulation last year.
These actions make clear what has been gathering for the last 20 years of data breaches and misuse. Privacy is no longer a business issue to be managed by lawyers, it is now a responsibility of sales, marketing, and corporate communications, too. And the rules governing data collection and use are no longer problems only to be solved by IT, they are opportunities for marketing to drive wider and deeper customer loyalty.
For 20 years, companies have kept their heads down on privacy. They had to. The rules were all over the map, if they existed at all, making it hard to know what should be said. And consumers had few questions; we were happy to get the benefit of unfettered data collection (Gmail, Facebook, Pandora). Better not to draw attention. Why rock the boat?
The danger, of course, was the occasional spotlight on surprising, suspicious or troubling behavior. A breach (hello, Target), government surveillance (the NSA did what?) or a hack (like that time all those baby monitors helped bring down the Internet) made consumers look up from their iPhones. It was only then that companies were drawn into a public discussion of privacy they sought to end as soon as possible.
A three-punch combination now has changed the world.
- First, there was status changing revelations. From the abuse of Facebook data in the 2016 Presidential election to social media-driven “fake news” to the Equifax breach, we were startled that companies we relied on were not reliable. Consumers just didn’t sit up and take notice, they demanded that there be action, guaranteeing that public attention would be constant.
- Then there were new rules in Europe – that General Data Protection Regulation or GDRP about which so much has been written and said – not only established a baker’s dozen of data protection rights like the Right to be Forgotten “on the Continent” but exported them to companies, wherever they may be, that collect data in Europe. For example, the UK data protection office recently cited the Washington Post for bad data practices.
- Then came the rules in California that mirror the European data protection rights. The state’s action may be referred to as “GDPR lite” because the potential fines are far less, but the demands of each on companies are very much in line. The California law goes into effect in 2020.
What emerges is a harmonized approach to data protection. Such a global regulatory framework will create the kind of level playing field all businesses seek at the same time consumers’ demand companies be more open about their methods and actions to protect personal data. Too many companies are still in the early stages of dealing with their consumers’ late-stage expectations.
Rather than making the privacy landscape more difficult, these mandatory requirements make it now possible to add a privacy plank to the corporate platform. What might have been thought of in the past as overhead – an investment in new talent, technology, and training – can now be considered part of an expanded budget aimed at not just at compliance but market share, too.
By replacing a global fog of privacy laws with a sharp horizon line, companies now have the opportunity to confidently lift their heads up on privacy.
Consider just one of the rights of consumers: access to information.
Consumers in California and data subjects in Europe are able to ask businesses with whom they have a relationship for access to the data collected about them. This is a request at no cost (with some exception) to consumers; likely to be handled by a form on a website. But if that is the extent of it, it will be a lost opportunity.
View it not as a mandatory distraction, but an opportunity to engage. A regulatory request can become a way to better understand the concerns of customers and begin a wide-ranging discussion. A requirement can become a product attribute; there can be real market value in promoting access.
Then consider the broader implications of such a “nothing to hide” approach.
Data collection and use have been a real black box to consumers. Conflicting regulatory regimes have made it too complex and costly to be more open about data practices, even as breaches, misuse and lawsuits have made us all far more aware and suspicious. But as a harmonized global platform continues to emerge, companies will be able to make privacy a point of good customer service at least and, potentially, a competitive difference.
What will that look like?
While every company has its own formula for using data to drive the bottom line, in this new era, what’s good for me is going to have to look a lot more like what’s good for you. That’s a story that can now be told without fear that some practices approved in one jurisdiction might be illegal in another.
Companies can now publicly make a case linking data collection and consumer value, not just because the rules say so, but because people want to hear it.
What data is being collected, how it is used, security measures to protect it and safeguards against its misuse can now become points of public discussion reinforcing a brand rather than nervous secrets that, if exposed, could damage the brand.
That’s now what makes privacy a public matter.
About This Post
Tandem is excited to bring you this post from guest blogger John Berard of Credible Context. John will be joining us as keynote speaker for “How a Focus on Privacy Creates a Competitive Edge” on April 18. You can RSVP to this event here.