Look Past GDPR Into Data Privacy Rules on a State-by-State Basis

Regulation on a local level will set the standard in the U.S.

Green outline of the United States; ones and zeros run across the screen; over the United States is a giant lock
Data privacy laws are being honed on the local level. iStock

No marketer’s day passes without touching data privacy. Personal data is now the most prized commodity of the information age, traded on an unprecedented scale by some of the most powerful companies in the world.

For marketers, it’s no longer business as usual. Consumers now dictate how their personal information is collected, stored, accessed and shared. I’m not saying our world has been turned upside down, but at the least it’s been turned on its ear.

So what’s to be done about it? Like it or not, marketers are on the cusp of major social change, navigating how to engage consumers in full control of their personal information now outranks marketing automation, algorithms, processes and the granularity of marketing science. We who have strategized and executed campaigns founded on targeting the right customer with the right message in the right moment must reimagine our approach.

Well, what about GDPR?

Many in the marketing community consider the GDPR, which codifies data privacy rules in the 28-member EU countries, as the new de-facto standard. But for small- to medium-sized agencies not doing business in the EU, it’s not a factor.

The states and localities are where data privacy laws with teeth are currently being shaped.

If you’ve spent time trying to digest GDPR, you’re wasting your time. And don’t think GDPR is a blueprint for future U.S. federal government data privacy legislation. No such bill—let alone law—exists, and there’s not one in sight.

It’s the states, not the federal government you need to look toward. The states and localities are where data privacy laws with teeth are currently being shaped. For now, they present the best route for marketers to follow. With that in mind, consider these four best practices:

Look ahead

While all 50 states have breach notification laws in place where you must be notified if your data is stolen by a hacker, only a handful, most prominently California, have enacted or even framed formal data privacy legislation.

But the trend line is clearly established at the state and local level. A number of cities, such as New York with its Stop Hacks and Improve Electronic Data Security Act (SHIELD), have also instituted strong data privacy laws. A few Silicon Valley leaders themselves are looking ahead (most prominently Apple CEO Tim Cook), coming on board and calling for federal data privacy legislation. You’d be wise to look into the details of state and city data privacy policies for where you’re based and where you do business. The International Association of Privacy Professionals is a good resource for more information.

Follow the leader

California’s Consumer Privacy Act, which goes into effect on January 1, 2020 and is the first of its kind in the U.S., is well ahead of any other data privacy legislation in the U.S. The law requires any organization using personal data in the course of doing business in the state to disclose to residents the types of information collected on them, where that confidential data is collected and if it’s being sold or shared. Its provisions apply to any entity that conducts business in the state even if it operates only online. It’s a good idea to familiarize yourself with the act’s regulations before it becomes law as it will be the template for others that follow at all levels of government.

Know your data brokers

Data brokers collect information on consumers and then sell it to other entities, including agencies and businesses. Brokers operate in the middle between the people whose data they collect and those that leverage it. With California’s impending consumer privacy law, most companies that touch the state’s consumers will be affected, specifically those that collect and share data on at least 50,000 people or get half of their revenue from selling personal information. Data brokers are squarely in its sights. As a result, the new regulations could diminish their role and noticeably affect marketers’ access to consumer data. Given these and other considerations, you should look closely at your data sources. Here’s more on how data brokers operate.

Keep your eyes and ears open

A new federal bill, the Consumer Data Protection Act proposed by Oregon Senator Ron Wyden, contains some elements of the California law. It may ultimately lay out how a national privacy law could look. For one, consumers nationwide would have more choices on how companies share and sell their data. Although the potential legislation is already facing headwinds and may go nowhere in 2019, it’s well worth keeping tabs on its progress. Sen. Wyden and others might be paving the road ahead for a federal law to lock down consumers’ data privacy.

So, what do Americans want?

In an American Barometer survey, Americans said protecting data privacy is more important for companies than healthcare insurance and job creation. In other words, Americans want to defend their right to privacy. As simple as it sounds, that is the path ahead for marketers.

Curtis Thornhill is the founder and CEO of Apt Marketing Solutions.
@aptresults Natalie Torosyan is a data analyst at Apt Marketing Solutions.