You may be wondering when federal legislation will appear. Barring a scandal on the scale of Facebook’s Cambridge Analytica, it doesn’t seem to be a priority for our policymakers until after the 2020 elections.
For the moment, we wait for the proverbial battle, asking ourselves, “When will it happen, and will all be lost?” Being prepared is the best way to approach the expected data regulation.
The importance of knowing your audience
Understanding where your audience data comes from, how it’s secured and how it’s used is key to limiting regulatory surprises. Each of these questions has different implications and responsibilities for the data controller—you or your client—and for third-party vendors.
Addressing these questions is the difference between a good-faith effort to comply and fines. In this scenario, it’s vital to understand whether current data sources will still be usable under new regulations for interest targeting, frequency capping or geotargeting. It also matters whether data will, under future regulations, be considered personally identifiable information (PII), require special handling or reporting, or be usable at all.
Opting in and determining what’s sensitive
State and federal legislators are educating themselves and putting forward proposals for consideration, which may or may not actually make it into legislation. Also on the horizon are the New York Privacy Act (currently in N.Y. state committee) and the California Consumer Protection Act (CCPA), to be effective in January 2020. What these new state laws will mean and if federal law will supersede them is an evolving situation.
GDPR, the first wide-reaching piece of legislation that addresses PII for European citizens, became effective on March 25, 2018. Any company doing business within the EU is required to comply or be penalized. So far, Google has received the largest penalty, 50 million euros, for requiring personal data for services. Top-line requirements are to notify users of data collection, provide complete transparency on use, allow users to opt in and honor the right to be forgotten.
Will U.S. legislators borrow from GDPR to limit contravening international requirements in a medium that does not respect borders, or will they forge their own path? That is the big question.
The seven different pieces of proposed federal legislation include definitions that have implications ranging from an honor-based system to ending programmatic advertising, geo/interest targeting and effective retargeting. Defining PII, sensitive data and consent are not trivial issues.
What is PII?
The CCPA defines PII as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
A broad approach based on this language could force companies to re-identify users from anonymized data, since that data can be linked for tracking. Such a requirement would be detrimental to data security, since keeping anonymized data unlinked from anything public is currently a data safeguard.
Almost everyone agrees that users need to control how their data is collected and used. How that’s done is a whole different issue. Defining what constitutes PII will have wide-ranging effects for the industry—specifically, when consumers gain the right to request, opt out of and delete data where no mechanisms for doing so currently exist.
Defining sensitive data
As with most things, the devil is in the details. Obvious data such as phone number, physical address, monetary transaction information, health information and biometric data will be protected by lawmakers.
The issue here is everything that can be inferred by assembling data from disparate sources. For example, are a person’s likes, matches and preferences on dating apps considered sensitive information? A detailed user profile can be created and used in future ways we cannot predict, for good and bad.
Legally defining consent is tricky. Requiring permission every time data is used could be catastrophic, making systems unusable. If a large number of users opt out of tracking, or if, in the worst case, all current opt-in data were required to be verified, it would single-handedly invalidate all U.S. targeting data or make the data sets so small as to be unusable.
But wait—there’s more!
Some states, being nimbler than Congress, are taking on privacy as well. Proposed state laws, such as the N.Y. Privacy Act, may land much sooner along with the CCPA, potentially resulting in a patchwork of contravening laws on a national and international scale, which could be a disaster. Companies are being left to discern the least common denominator for compliance.
Preparing for uncertainty
To borrow a military term, “situational awareness” is the best way to approach the current primordial ocean of state and federal legislation. That means adjusting policies without overspending, being proactive without being reactive and—sometimes worse—overreactive.
The following basic steps are the best way to stay aware of a changing landscape of proposed regulations whose requirements and impact are not yet clear.