We’re closing in on the end of the year. In a few weeks the holidays will occur, and beyond that, we’ll close the book on 2022 and move forward into the new year. At the time of writing, this means we have roughly 6 weeks of business, after accounting for holidays, in which to make changes and get our strategies in position to hit the new year running.
With this in mind, I want to call attention to five items that I suspect are going to shake up the data collection / marketing fields. It’ll be important to consider these items, and plan to address them as we move into and through 2023.
Data Privacy Takes Center Stage
Depending on factors such as where your customers are, how much revenue you make, or how much of that revenue is from the sale of data, you may be subject to one or more of the upcoming data privacy laws in California, Colorado, Connecticut, Virginia or Utah. The exact criteria differ between states, but the enforcement of these laws will have second-order effects that will be felt across multiple industries as we move through the year.
It will be important to understand and adjust for the expected reduction in marketable audience addressability and reach, in particular if you are buying audience information from an external party. The laws have multiple provisions around Targeted Advertising (definition varies by state), and that can make it difficult to use data already collected, or to move into new areas which are covered by the laws. Plans should be reviewed and updated accordingly, because forecasting from 2022’s targets plus some increase is likely to set you up for failure in this new environment unless you are also considering the changes in tactics that may be required to hit those numbers.
Evaluate Your Consent Management Strategy
If the laws do apply to your organization, it is very likely you will have to create or rework your Consent Management strategy. Several of the laws have very specific requirements regarding the user experience and text that must be provided in order for the consent to be considered legally binding. My personal experience is that most brands will need to make changes.
Of particular note, California will be maintaining the requirement to adhere to the Global Privacy Control, which is something that, by and large, I find brands are behind in their compliance with. Further, several of the states may require explicit consent when engaging in data collection for Targeted Advertising activation activities. Compliance with these requirements will likely result in at least some data loss, the impact of which needs to be factored into planning and execution.
Even if your organization is unaffected by the laws directly, sites or apps you choose to deliver advertisements through may be affected. This may result in less reach for ad displays depending on the end user’s consent choices. Marketing teams should plan accordingly.
Meanwhile, affected brands will need to review the existing integration (should it exist) and ensure whatever is on the website/app adheres to these new requirements. Brands may even be required to seek re-consent of information in specific scenarios (varies by state), and the processes for how this gets done also need to be considered and implemented.
Update Disclosures / Policies / Contracts
Legal teams will likely be busy in the coming weeks seeking to ensure that any publicly facing disclosures (such as the Privacy Policy) are updated with new language that brings them into compliance with the forthcoming laws. Expect another avalanche of “We’ve Updated Our Privacy Policy” emails to your inbox in coming weeks.
Brands affected by the laws will need to plan for how these updates are reflected in production products (such as the website or mobile app). The laws are specific in many scenarios on what information needs to be included, and how it needs to work from a user experience perspective. Development teams may need to allocate time to ensure all requirements are met.
Further, changes will be happening in data processing agreements. New language is required in several scenarios in order to define the roles and responsibilities of each party. I expect legal teams to be very busy in the coming months as the specific requirements are worked out ahead of each state’s respective enactment date. These agreements will be critical as they may play a part in determining legal liability in the event of enforcement actions.
Plan for Assessments
Affected businesses may be required to conduct Data Protection Assessments, which evaluate the data collected, purpose, security and risks around the collection (amongst other things). Many states require these in the event of ‘High Risk’ activities (sometimes defined by law), and some states go so far as to declare Targeted Advertising as high risk.
Marketing teams in particular would be well served in understanding their/the client’s specific operating environment. In scenarios where a Data Protection Assessment is required, expect it to be more difficult/time-consuming to onboard new vendors for activation activities. Marketing agencies need to be aware that pixel/vendor recommendations may force these assessments, and they will likely be expected to speak to them by clients.
Several of the states are very prescriptive in regard to the level of analysis required. Expect this to be a slow process. That’s the intent. Brands are supposed to consider the risks, and document and mitigate them, rather than just collect everything across the board without consideration. Brands would be well served in ensuring legal and privacy experts (such as a privacy specialist, or privacy engineer) are involved in filling out these assessments because these will play a part in any enforcement action. Failure to create or produce a required assessment when prompted by an authority would be bad and may prompt the authority to issue an adverse decision, or higher fine, as a result.
Assessments also often have specific record keeping requirements that will need to be thought through, and in some cases, will be subject to periodic reassessment depending on the specific data involved. These processes will need to be developed and executed on going forward to address those regulatory requirements.
Plan for Data Subject Access Requests
Reside in California, Colorado, Connecticut, Virginia or Utah? If so, at various points in the year you may gain the ability to request that a business disclose or delete the data they have on you. For California, this includes business-to-business and employment scenarios.
If, however, you’re an affected brand, you’ll need to stand up processes for how to execute on these consumer requests. That may involve identity verification services, training for front line staff, and documented business processes for the documentation and retention of such requests for a required span of time following the request event. Requests must be responded to in a span of days (number of days varies by law). Brands may also be required to establish and maintain an appeal process for when the consumer feels the initial result / decision was incorrect. Expect checking all the boxes to consume a large amount of time, as the activity in all likelihood cuts across multiple business units. Consider what would happen if requests came in at volume – automation is recommended where possible.
These activities will be net new to most affected brands. Solving this business process challenge will likely involve legal, customer service, and development teams. However, getting this wrong risks that consumer (who cared enough to ask in the first place) proceeding to report the non-compliant business to the respective enforcement authority, which may result in that authority launching an investigation. This is one consumer touch point you really do not want to get wrong.
Conclusion
We’re seeing the sun beginning to set on specific data collection practices in the United States. We’re seeing broad regulation get applied to businesses across the board. While it’s not a Federal law (wouldn’t that be nice?) it’s a first step into this new world for many organizations. Brands who are successful in compliance in 2023 will likely continue to be so as more States enact their own compliance laws in the coming months / years. Now is an excellent time to invest in building out a privacy / compliance program.
Brands that avoid compliance activities may find themselves locked out of client engagements, as several of the state laws require that vendors (who deal with covered kinds of personal data) adhere to the respective state law the contracting business is subject to. Avoiding compliance may subject the organization to larger fines. California, for example, triples the maximum fine amount for intentional violations of the California Consumer Privacy Act. Often these fines are wrapped up in far-reaching compliance orders, and even the most carefully crafted roadmap may be derailed should a data privacy authority launch an investigation into your organization. Organizations should carefully consider these risks before deciding to deprioritize compliance activities.
You’re not out of time yet – but the clock is counting down. Take advantage of the next several weeks to ensure plans, roadmaps, assessments and everything else are aligned and ready to hit the ground running when the first two laws (California and Virginia) become effective as the clock strikes midnight on January 1st.