I’ll long remember last spring for the time I spent working on GDPR compliance. The General Data Protection Regulation had a massive impact and required sweeping changes for countless market research companies, including ours. This was the largest regulatory movement in consumer privacy to date, and its enduring impact will be felt for years.
And while GDPR hit just about everybody to some degree, we are still only scratching the surface of consumer privacy in the US. That’s starting to change, though, as states like Vermont and California have now passed their own consumer protection regulations. Companies will be expected to make further changes to their data management operations and consent procedures, and these changes are only likely to accelerate.
I recently presented on this topic with Stuart Pardau, Founder and Principal of the Law Offices of Stuart L. Pardau and Associates at the Insights Association’s New England Chapter’s IMPACT event on May 9. During our session we looked at recent trends in consumer privacy, and the sweeping changes coming with the implementation of the California Consumer Privacy Act (CCPA), and specifically what these changes mean for market research companies.
The Wild West of Data Is Over
Last year was a tough one for consumer privacy, and it hit the market research industry particularly hard. The Identity Theft Resource Center reports that exposed PII records are up by 126%, and there were several high profile breaches in 2018:
- Cambridge Analytica/Facebook – 87 Million Users
- Facebook access tokens – 29 Million Users
- Uber – 20 Million Users
- Google+ – 53 Million Users
- MyFitnessPal – 150 Million Users
- Exactis – 340 Million Users
- Marriott Starwood Hotels – 500 Million Users
- Aadhaar – 1.1 Billion Users (largest in recorded history)
Combined with a 44% rise in malware and 117% rise in ransomware, we’re seeing businesses of all sizes and in all industries losing data, and public trust is rapidly eroding. In particular, consumer trust in market research is at an all-time low. As part of the 2018 GRBN Trust Survey, we found that only 27% of participants trust our industry, lower than mobile phone providers, online stores, and search engines.
With the cost of cyber fraud exploding (expected to reach $6 trillion by 2021), it’s not surprising that so many regulations are being considered. Some of the recently passed and pending new legislation includes:
GDPR (General Data Protection Regulation)
Enacted on May 25, 2018, GDPR requires active opt-in, greater transparency around data usage and storage, a consumer right to data erasure, and that ongoing updates to privacy policies be actively communicated to users.
China Cyber Security Law
China’s sweeping cyber security law passed in 2017 and requires companies to explain to users what data is being collected. The law requires user consent to collect data, secure encryption when transmitting user data, and that companies have contingency plans for security breaches. The law was supplemented with a Personal Information Security Specification in 2018.
Vermont Data Broker Law
Enacted on January 1 of this year, Vermont’s new law defines a data broker as a business or unit of business that collects and sells or licenses personal information of consumers with whom the business doesn’t have a direct relationship. These brokers must register with the State and document their security measures, how they collect and use PII, and their opt-out procedures. They must disclose purchaser credentialing processes, any security breaches in the prior 12 months, and details around PII handling of minors.
California Consumer Privacy Act
Scheduled to go into effect on January 1, 2020, CCPA applies to for-profit companies that collect and process personal information of California residents and do business in the State. The law isn’t as sweeping as Europe’s: it applies only to companies that either have annual gross revenue over $25 million, work with the PII of 50,000 or more California residents per year, or derive at least 50% of their annual revenue from selling the information of California residents.
For those this affects, there are several new provisions, many similar to those in GDPR. Consumer rights and data use must be disclosed, the different categories of PII that are shared with or sold to third parties must be clearly outlined, and disclosures must be updated every 12 months. When someone opts out, the request must be documented and all third parties must be informed of it. CCPA also requires that businesses include a “Do Not Sell My Personal Information” button on their homepages. Penalties for violations range from $2,500 to $7,500 per violation.
All 50 states have also enacted some form of data breach notification requirements and more states are expected to follow with data privacy laws similar to CCPA and GDPR. It’s only a matter of time until federal law follows.
The Future of Privacy Regulation
This is just the beginning. While we can’t know for sure what will be enacted and when, California is often the vanguard on consumer-rights issues: several states are looking at potential legislation, and federal legislation is increasingly likely.
For technology companies that deal in consumer data, both big and small, this is a big caution light. Consumers are learning the value of their data and are increasingly distrustful of companies that offer services in exchange for it. Winning back that consumer trust won’t be easy; it will require time and greater transparency from companies.
Check out a recording of our recent webinar, "Are We on a Data Diet? A review of US state consumer privacy legislation and how it is impacting our appetite for insights," to learn more!