SVP, General Counsel & Data Compliance Officer
Connecticut recently joined California (CPRA), Colorado (CPA), Virginia (CDPA), Utah (UCPA) in the growing list of states that have passed their own consumer privacy laws. Compliance for marketers, who were accustomed to self-regulation prior to CCPA and still find themselves without a federal national law, has become more challenging and jumbled with each passing year.
The timeline for brands and marketers to prepare is quickly shrinking, with each of these laws becoming effective in 2023, either on January 1st or July 1st. While there are common principles, each state's approach is different when giving residents the ability to (i) access their data, (ii) correct or delete their data, (iii) opt-out of the sale or use of their data, including for targeted advertising, (iv) and other rights provided under the laws. So, what is a marketer to do?
Beyond consulting privacy counsel, which is always advised, a strong approach is to lean into your network of data experts. Working with data, tech, publisher, and agency partners with robust compliance programs will provide the broadest understanding of the impact of privacy laws. There are many factors to consider, and each partner will have a unique perspective based on their areas of focus.
The first consideration is whether the laws are applicable to the marketer – which can be determined by revenue or volume of consumer data for which the business processes. Based on this assessment, a determination can be made on whether a global, national, or state jurisdiction-based strategy makes the most sense.
Next, marketers need to consider the data they have, how it is activated, and the current and future use cases. Conducting or updating a data inventory audit and establishing a data flow map will provide a detailed understanding of what is coming in and out of their walls. Outlining use cases will assist with making any required updates to its privacy policies as required by the laws.
Another consideration is whether the marketer uses “sensitive data” or “sensitive personal information” – which is new in the CPRA, and each of the other states, which have different definitions of such data. Some examples of sensitive data attributes include personal identifiers like social security or driver license numbers, precise geolocation, and racial or ethnic data. If these data attributes are used, marketers are required under these laws to obtain explicit opt-in consent prior to the use of the data.
In addition, having a process to respond to consumer privacy rights requests is critical. To date, businesses only had to manage to CCPA and have architected procedures and workflows that address those requirements. As more states pass privacy laws, strategies on how to comply and respond to consumers, and potentially regulators, will need to evolve.
Overall, we encourage our marketing partners to remain alert for new laws and state-specific regulations to help with compliance. While there is uncertainty, having a robust and flexible strategy will enable efficient actions in the face of any new regulations or marketplace changes. Staying educated and aware of upcoming changes will also help through periods of complexity.
Alliant was built with a privacy-by-design approach, and we have been working closely with the industry since the inception of CCPA to help make the future of data-driven marketing better for all. Complying with these five state laws – and possibly the many others pending before various state legislatures – will be challenging. However, we are committed to meeting evolving consumer and marketer expectations and have a leading in-house data governance team to ensure that our partners can leverage Alliant as a compliant, and ethical, partner in their trusted network.
For more information on our data processes and certifications, visit our data governance page.