A few years back, my family and I relocated from New York state to Dallas, Texas—land of cowboys and unbridled bravado. Not long after, the Dallas/Fort Worth area experienced a barrage of tornadic weather in a 24-hour period—17 tornadoes to be exact—with the closest twister only a few miles from my home. Needless to say, this New Yorker was traumatized from the experience; I spent the next four years making plans to relocate back to snowy upstate New York where the Spring is a predictable and benign time of year. April showers bring May flowers, sure, but F5 tornadoes? Heck no.
How was the Spring of 2018 for you? Despite relocating, May 2018 was the stormiest month for me on record. I may have escaped the high winds and hail, but it was replaced with a metaphoric storm of sorts: GDPR. If you are like me, you spent last Spring reviewing legal amendments from pretty much anyone you had ever done business with: clients, vendors, recruitment partners were all running, fast and furious, toward legal compliance. I may have escaped the Wild West, but I still felt like I was trying to outrun a storm of epic proportions. After completing hundreds of contracts and RFIs, the dust had settled, and we all took a deep sigh of relief—or so we thought. Just when the GDPR storm had passed, came a new wave of privacy regulation in the US and with it another season of upheaval.
For Market Research companies, one thing is abundantly clear: The Wild West of Data is O-V-E-R. Widely publicized misuses of data such as Cambridge Analytica, coupled with massive data breaches from tech giants like Google and Uber, have primed the online climate for a major overhaul. Consumers have reached their breaking point and lawmakers have heard their war cry. As stewards of online data collection, the responsibility rests squarely on our shoulders and so it should; this is one storm that we need to run towards—out of moral, ethical and legal obligation.
On May 22, 2018, the Vermont Data Broker Law was passed by lawmakers. This new law defines a data broker as:
A business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.
The law requires data brokers to register annually with the Secretary of State and to detail company practices surrounding standard security measures, the collection and utilization of PII (personally identifiable information) and opt-out procedures. When registering with the Secretary of State, a requirement that took effect on January 1, 2019, data brokers must disclose whether they implement a purchaser credentialing process, the number and nature of security breaches they have experienced in the last 12 months, and the details surrounding brokered PII of minors. While the Vermont Data Broker Law is fairly specific in how it addresses consumer data protection, the California Consumer Privacy Act (CCPA) is much broader in scope and mirrors the GDPR, with some variance. Lawmakers passed the CCPA on June 28, 2018, and it will take effect on January 1, 2020.
Much like the GDPR, the CCPA includes a broad definition of ‘personal information,’ defined under the CCPA as:
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The addition of the term ‘household’ adds a dimension to this privacy law that presents some added complexity. More specifically, information collected by a company does not have to be associated with the name of an individual but rather can be identified as a household. The CCPA applies to for-profit companies that both collect and process the personal information of California residents and do business in the State of California. It should be noted that a company does not need to be physically located in California for the law to apply—generating sales in the state is the only requirement. The CCPA applies to information in any format and is not restricted to online practice.
A business must meet one of the three requirements for the CCPA to apply:
Increased disclosure is a central tenet of the CCPA, and businesses subject to the CCPA will need to be exceptionally transparent and forthright with consumers. Privacy notices will need to inform consumers of their rights under the CCPA, and how their personal information will be used, shared, stored and deleted. Clear language will need to be presented detailing the various categories of PII that may be shared or sold to third parties as well as the recipient categories (i.e., the types of businesses buying consumer data from your company). These disclosures will need to be updated every 12 months in order to satisfy CCPA compliance. Just like GDPR, a business must allow consumers to opt out of the service provided as well as ensure that any third parties that have been provided information also expunge data associated with the requester. The CCPA also mandates that businesses include a ‘Do Not Sell My Personal Information’ link on their homepage so that consumers can easily submit their request.
The CCPA has already been amended once and it is possible that further changes to the CCPA could come to fruition. With that said, it is important that businesses begin to map out the corresponding data flows for California consumers, review opt-out procedures, privacy notices and third-party agreements in the near term. Failure to comply could result in fees ranging from $2,500-$7,500 per violation.
Contrary to what you may be thinking, my intent here is not to initiate an anxiety attack! As Alexander Graham Bell once said, “Before anything else, preparation is the key to success.”
Stuart L. Pardau, the founder and principal of the Law Offices of Stuart L. Pardau & Associates and outside Legal Advisor to the Insights Association, recently provided me with the following sage advice:
Phew. It isn’t all panic-inducing news here, folks!
While time is on our side for CCPA, you better get comfortable being uncomfortable. The privacy landscape is continuing to evolve, and we should expect other states to follow the tracks of Vermont and California, implementing regulations of their own. Additionally, it would not be unrealistic to expect privacy regulations to take shape on the federal level. As each new government entity introduces regulation around consumer control and privacy, our business worlds will become more complicated. The key is to expect change on the horizon and start preparing NOW.
The CCPA represents what we have been seeing and feeling for years. Consumers are changing. Today, consumers are tech-enabled, digitally fragmented, exceptionally brand savvy and, above everything else, empowered. The ‘interwebs’ (as my husband likes to refer to it) no longer represents the carefree chasm it once was. To this point, Pardau warns:
With the arrival of CCPA, other trends surrounding privacy are becoming apparent too. In a recent article Wired author and tech enthusiast Gregory Barber conducted a very interesting experiment. Feeling anxious and distrustful of big online business, Barber set out to reverse the consumer data paradox, deciding to ‘sell’ his data in exchange for cryptocurrency. Aside from it being a brilliant and funny article, Barber represents a growing segment of the population that has learned the value of their data—as well as the means to monetize it.
If data is the new oil for brands, why can’t it be equally rewarding for the purveyors of the data itself? According to Barber:
My tipping point was the Facebook hack, exposed in September, in which I—along with some 90 million other potential victims—was temporarily locked out of my account. I imagined my identity rippling across the internet…After a long season of leaks, hacks, and shady data pillaging, I’d had enough. I considered simply deleting my account. But then I landed on a different strategy: making a profit.
After testing several services and apps, Barber hawked his data including biometrics, GPS locational data and social media details. While Barber understood that his data had value, he was disappointed by the actual bounty and, in the end, only earned a meager return of .30 cents:
I’d begun this project with plans to be at the vanguard of the new data economy, to break my data free of its corporate silos and sell it far and wide. Instead, my efforts had simply heightened my sense of just how much I was sharing and made me inclined to expose a little less…
There is a lot of work ahead of us. Beyond changing operational procedures, privacy notifications, and mapping out the various data tributaries that exist in any online business, there is a much bigger challenge that we face: winning back consumer trust. It’s no mystery that our industry thinks it is prettier than the reality. Long have we held the belief that we aren’t direct marketers or a typical online click-baiter. In contrast, WE are researchers and therefore operate on a moral high ground that remains untouched and superior to other disciplines.
Here is the reality. You’ve heard me say it before, friends—we are data hoarders and privacy legislation affects us deeply. As an industry, we find ourselves in a precarious position in 2019. We think consumers know the difference between ‘us’ and the ‘others,’ but the fact of the matter is the lack of privacy and countless data breaches by mega tech giants and billion-dollar brands have created real damage for the market research community. Rather, we are painted with the same brush—the GRBN’s (Global Research Business Network) most recent Consumer Trust Survey brought this point to light. Of the Americans surveyed in the study, only 27% of participants indicated that they trust Market Research companies. The painful reality is that search engines like Google (35%) scored better than we did. Let. That. Sink. In.
So, what’s next? Small and large companies alike will become more transparent and data protectionism will drive global business—this is a reality we can well expect to see. Just how far this transparency goes remains to be seen. While the amendments, RFIs, and logistics can be painful for businesses, the CCPA and other TBD legislation are born from a consumer-first philosophy that is long overdue. It’s true, we will see regulation stifle business growth and it’s a reality that we are all facing together. A friend who works at a very large social media platform recently admitted to me that nearly all new product development was put on hold so that his company could focus exclusively on GDPR compliance.
My hope is that the outcome of greater transparency will generate more positive than negative for our industry. We have a very real opportunity to harness this new era and do the right thing. Namely, treating our research participants with true respect and earning back the trust we lost all those years ago.