As web-based technology has grown and matured over the last decade, a glaring gap has emerged in the digital privacy strategies of many businesses that operate online. As these strategies have diverged, the distance between how customers view their privacy rights and how businesses view their privacy obligations has similarly grown. With the media and legislative bodies increasingly pointing a spotlight on the issue, this is beginning to change. Businesses of all types are now looking at building robust privacy features, and this is particularly important for digital commerce companies, given the sensitivity of the customer data they collect and store.
Large data breaches and the monetization of personally identifying customer data have forced governing bodies to rethink existing legislation, much of which was written well before anyone was providing data over the internet. As countries and regions roll out privacy regulations, companies are scrambling to figure out what they need to do to become compliant with the privacy regulation du jour. The complexity of these different regulations can lead to confusion, and that confusion can lead to cost overruns. But privacy doesn’t need to be complex, and there are some simple ways to maintain global privacy compliance using commonsense strategies.
In this post we’ll take a look at some of the most consequential privacy regulations, as well as an approach to crafting a unified global approach to data privacy that can minimize the risk of non-compliance and speed up development.
While there are many different privacy regulations in place, the two that we’ll focus on are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Given the breadth of their scope, and the potential customers and businesses that they impact, chances are good that one of these regulations applies to you, whether you realize it or not. Even if they don’t currently, upcoming regulations in other regions are likely to borrow from the precedent set by these two landmark pieces of legislation, which means the sooner you come up to speed, the better protected your business will be in the future.
GDPR was enacted in the European Union in April 2016, and took effect in May 2018, yet there are still multinational corporations that struggle to meet the requirements put forth by the sweeping legislation. At a high level, GDPR dictates how businesses can process the data of their users or customers. Applying to all organizations operating within the EU, as well as any business that offers goods to “EU Data Subjects” (i.e., citizens of countries in the EU and residents of the EU), it’s easy to understand why GDPR is widely regarded as the world’s most significant piece of legislation regarding data privacy.
Non-compliance with GDPR comes with the risk of substantial fines—up to either 4% of global revenue, or 20 million EUR, whichever is higher. With so much on the line, it is of critical importance for businesses of all stripes to achieve compliance prior to entering European markets. However, this is unlikely to be a one-time effort. As European courts continue to clarify the requirements outlined by the law, additional work may be required to maintain a compliant experience. Because of this uncertainty, commerce sites must not only come up to standard, but also stay apprised of future changes and clarifications to the legislation.
The CCPA is legislation that was passed in California in June 2018, and will become effective on January 1, 2020. While the CCPA shares some commonalities with the GDPR, it is not the Californian twin of the European law. The CCPA applies to all companies operating within California (even if the company is not based in California), and among other things, requires businesses to obtain consent from Californian residents before their data can be sold.
With the enforcement of CCPA still several months away, it may be tempting to deprioritize related development; however, roadmapping, implementation, and testing of functionality and business processes related to CCPA may take months, depending on the scope of standard business operations for your company. Penalties are $2,500 per violation, which adds up fast. If 10,000 records are improperly sold, that would represent a fine of $25 million.
As we’ve seen above, these regulations are serious business for your company. Given that many businesses will be required to accommodate both (not to mention other regulations still on the horizon), it’s important to come up with a strategy for the most efficient path that is not only compliant globally, but also best serves your customers and users. Here are some tips:
What we’ve seen is that while there are many different flavors of privacy regulations around the world, they generally share common elements, and more importantly, countries and regions are looking to global precedents when crafting their own regulations. What this means is that by adopting a “super set” of privacy regulations as their own policy, businesses can make implementation straightforward, reducing country-specific development work, and, in turn, minimizing risk. At Avatria, this is the approach we recommend to our global commerce clients. When country-specific features are required, we parameterize the functionality so it can be turned on and off at a country-by-country level. We’ve recently implemented this approach at a large B2B client in the process of rolling out a series of global sites, and it has provided greater ease and flexibility as we approach each one.
In conclusion, data privacy is a hot-button issue that is becoming increasingly relevant and visible; however, it’s also something that businesses of all sizes struggle with. Taking a forward-thinking, comprehensive approach to these regulations can ultimately save time and money when it matters most. If you’re unsure how to go about creating a global data privacy strategy, or you need help executing your current strategy, please contact us to see how Avatria may be able to help.
Disclaimer: The content of this article should not be interpreted as legal advice and Avatria bears no responsibility for the possible interpretations of this post. For any questions regarding data privacy regulations, please consult an attorney.