Does your company collect data? If so, new privacy laws make it imperative that you understand what can and can’t be done with it. These rapid regulatory changes to how data is used will impact both the overall profitability of data usage, as well as your company’s potential liability.

The European Union’s General Data Protection Regulation (GDPR) took effect in 2018 and the California Consumer Privacy Act (CCPA) took place in 2020. Passed in 2018, this was the first law of its kind within the United States and in many ways kicked off a surge of domestic consumer data privacy laws. CCPA requires companies serving California residents to allow people to:

• request the data collected about them
• opt out of data collection and sale
• request the deletion of personal data.

California’s law is just the tip of the iceberg, and the regulatory landscape is set to become more complex. Currently, more than 20 states are in varying stages of passing their own legislation. Further, California itself has a ballot initiative this year that will supersede its current regulation, expand the existing categories of data privacy, and create a standalone state agency responsible for managing data privacy for residents. Given the likely absence of a federal standard, companies are facing a patchwork of state laws with varying burdens, requirements, and penalties.

What cars can tell us about data privacy

Up until this point, the world of collecting and selling user data was a lucrative proposition, padding the bottom lines of all manner of companies—from Silicon Valley tech companies to banks and retailers. With the passage of California’s law, the previous wild west of data collection and sale is crumbling under regulatory pressures that will inhibit profitability.

If we look at the automotive industry as an extended metaphor, manufacturers that holistically embrace regulations and market forces, such as higher miles per gallon, electrification, or emerging advanced safety technologies—thereby innovating in those areas—do markedly better than those that continue to iterate on what has been the historically successful approach. The same holds true for data usage.

Through Infinitive’s engagement and advisement with companies grappling with both the GDPR and CCPA, we have recognized a variety of challenges when responding to legislation of this sort. Often, the technical or organizational complexities required result in a near-term response to only the GDPR or CCPA, with companies opting to deal with future legislation when it arises. As with the automotive example, however, companies that respond to data legislation comprehensively will be better suited to remain profitable with their data management operations.

Here are some questions to consider as you begin this journey

Where is your data? Companies must have a firm grasp on the data that is gathered and stored within their four walls. As company size increases, it can become difficult to maintain visibility on where data resides, how much of it there is, and how long it is held on to.

How well is your data managed? After considering where data resides, companies should take a hard look at how well they manage data. For example, is data held in a centralized location, such as a data lake, or does its storage vary depending on department? Is data cloud-based, solely on-premises, or some combination of the two? How stringent and comprehensive are the controls in place that ensure metadata is complete and accurate? Questions such as these help you understand how much effort is required to respond to legislation. If your metadata is well-managed, for example, it will be relatively easy to make scope determinations and evaluate your regulatory burden.

Who in your company is consuming data and what are they consuming it for? As the saying goes, “the devil is in the details.” With larger companies in particular, we have seen sources of data have hundreds of unique consumers. While some state legislation may be less interested in data usage, some draft state laws require data only be used for the express purpose for which it was collected. If you were asked to provide proof of that, could you?

What are the sources of your data? Many companies have turned to third-party data usage for the relative ease of access and enormous business upside it provides. In a more heavily regulated environment, changes to that data or the underlying contracts and agreements carry potentially heavy organizational and legal burden. For example, if a company has an existing agreement with a third-party vendor of user data, and a state regulation then forbids ingestion of a certain category of privacy data in that stream, how challenging would it be to renegotiate that contract? Could it be done without revealing potential mission-critical proprietary data usage strategies? Similarly, how difficult would it be to ensure that ingested data complies with the overall strategy for returned data? Or, as we see more often, would the company need to go through a painful adjustment period with all their third-party vendors to ensure that data is used responsibly and in a compliant manner?

What now?

No business wants to be in the uncomfortable position of complying with a myriad of regulations on a state-by-state basis, but it’s unlikely that a unified, preemptive, and comprehensive federal standard will be passed in the next two years. While the current challenges with COVID-19 have caused states to truncate their legislative sessions this year, multiple state laws are slated to be considered and passed when assembly sessions resume.

Our team at Infinitive can help you craft a data usage strategy that addresses current regulations and prepares you for the future.