Brands Need Globally Compliant Data Use Policies

Especially to prepare for CCPA

[Illustration: a light shining down on a few people working at desks. Caption: The best option is to adhere to larger policies since more specific smaller ones won't be possible. Credit: Getty Images]

Back when GDPR dropped in 2018, some companies simply pulled their advertising business from the EU, others opted to maintain compliance only in GDPR-affected territories and some chose to make their entire global business GDPR-compliant rather than deal with the legal, operational and engineering expense and hassle of maintaining distinct policies for different regions. Global compliance was a long-game strategy, and it looks like it was the best one. It’s plainly evident that data privacy is a global trend. While each law is different, together the emergent regulations should stand as a call to action for all digital businesses.

Comply, one way or another

Generally speaking, companies facing a deluge of data privacy laws have two options. They can meet each new law on its own terms, bringing together operations, legal, engineering and any other stakeholder departments to formulate a plan and put it into action every time the game changes. Or—the far better option—they can get ahead of the inevitable new data paradigm and adopt a global data policy framework. That is, they can adopt an operational policy that aims to comply with any likely potential iteration of the data privacy regulations we can expect to see.

Adopting a global data privacy framework is a challenge, no doubt. But the alternative is worse. Adopting individual policies to suit the rules of every individual region is too costly, too inefficient and too legally risky to bear. Of all the factors that could impact a company’s bottom line, regulatory compliance should not be one of them. Every company that had to adapt to the OMS shakeup of 2018 or chose to embrace GDPR compliance rather than flee the EU had to bring together stakeholders from across their organization to revamp their way of doing things. Continually re-evaluating company-wide processes wastes money and human resources. We need to save energy for operational revamps to use when crises we can’t foresee emerge. And there’s nothing unforeseeable about the data privacy regulations.

Globally compliant policy frameworks are easier, cheaper and safer

When we can see where global trends are pointing, it makes little sense to wait for governments to hand down data directives to us. Any forward-looking company has the background it needs to be proactive and to develop a framework that works for its business and customers and that passes muster for privacy trends as we see them playing out. Remember, real money is at stake. Under CCPA, minimum fines for a data breach are $100–$750 per Californian affected. GDPR brought lawsuits in the EU and CCPA will bring lawsuits in the U.S. Consumers have more knowledge than ever about how their data is used and shared, and they’re watching. A strong global data policy framework for your company will show the way around lawsuits.

A global policy will also mitigate the need to re-evaluate legal, operational and engineering practices each time another government raises the privacy bar. Addressing these laws one at a time is daunting, inefficient and expensive. It will require expertise in regional law around the globe, engineering resources to identify whether IPs are located in affected areas and operational action. It’s not practical and it’s not smart to undertake a company-wide shakeup for each new data law.

The way forward

Every one of these laws is subtly different from its kin, but in essence, they all serve the same broad intent. They address user consent (clear opt-ins to have their data collected and/or shared), they set terms of liability, and they establish authorities to oversee compliance. These basic building blocks give us a sense of what form a sound global data policy will take.