Customer data privacy trends: Building trust, post-pandemic
Learn about three key customer data trends as businesses rebound in the wake of the pandemic and why a CDP is so important for building trust.
A major bill protecting the privacy rights of consumers in all 50 states has made its way out of a U.S. House of Representatives committee, marking the first time such a sweeping bill has advanced this far.
The American Data and Privacy Protection Act (ADPPA) has a long way to go before becoming law, but brands should be aware of its provisions and their potential impact on business.
Learn about three key customer data trends as businesses rebound in the wake of the pandemic and why a CDP is so important for building trust.
The American Data Privacy and Protection Act (ADPPA) sets requirements for how companies and organizations, including nonprofits, should handle personal data, including information that identifies a person or can be reasonably linked to an individual.
The bill would affect most data-collecting entities. It also applies to entities that process so-called “covered data” and are subject to the Federal Trade Commission Act (FTC Act). Any business or nonprofit that collects, processes, or transfers data that can be reasonably linked to individuals, chances are they would be beholden to the law. It wouldn’t apply to government entities.
ADPPA limits business use of personally identifiable data. It largely prohibits organizations from collecting, processing, or transferring personal data beyond what is reasonably necessary to provide a service requested by the individual.
However, the bill includes 17 permissible exceptions, covering activities such as the need to authenticate users and prevent fraud.
Data brokers would face more obligations under the ADPPA, including registering with the FTC, which would establish and maintain a searchable online registry containing the names of these entities. There would also be a “Do Not Collect” registry that would allow users to request that data brokers delete their information within 30 days.
Brands need to find ways to stay ahead of the wave of ongoing legislation, new rules, and compliance requirements. That includes these three moves:
Privacy advocates have long sought to give consumers more visibility and control over their personal information. Under the proposed American Data Privacy and Protection Act, businesses must allow users to access, correct, and delete their personal data.
Businesses would need to have mechanisms in place to respond to all user requests to see and adjust whatever data organizations have about them.
With ADPPA, lawmakers aim to reduce the number of data breaches by making data security mandatory. In just the first half of this year, there were nearly 2,000 data breaches, many involving personally identifiable information, or PII.
Businesses that can’t demonstrate that they’ve done their utmost to protect customer data could eventually face stiff fines and penalties, although enforcement has yet to be completely worked out (the bill includes a clause saying the FTC will need to establish a privacy bureau to handle this).
Companies with more than 15 employees would also need to have a privacy officer and data security officer.
Data compliance encompasses the standards and regulations in place to ensure data is secure, protected from data theft, misuse, and loss. Here's a primer on getting started.
As drafted, the data privacy bill would require businesses be transparent in what they do with consumer data and how they protect it. The would need to make publicly disclose their privacy policies “in a clear, conspicuous, not misleading, and readily accessible manner.
The policies would need to detail the types of data an organization collects as well as how and when it collects, processes, and transfers it.
The ADPPA limits or outlaws many forms of targeted advertising, especially to minors. Some say this would impose the strictest such restrictions in the United States and, perhaps, the world.
Businesses would need to be extremely careful to avoid pressuring minors to disclose any unnecessary personal data or to aim marketing or advertising directly at them.
Consumers can sue businesses for alleged privacy violations. Beginning two years after the ADPPA’s passage, users could sue for remedies such as injunctive relief, compensatory damages, and reasonable attorney’s fees if they believe an organization mishandled their private data.
GDPR fines soared in the third quarter, highlighting the growing risk businesses face as European regulators scrutinize data privacy practices.
Despite a bipartisan desire to do something about data privacy and consumer support for the bill’s provisions, considerable roadblocks to the bill’s passage remain.
For example, lawmakers from states with existing privacy rules, including Connecticut, Colorado, Utah, Vermont, and California, have expressed concerns the ADPPA could trump protections they’ve already enacted for their citizens. California legislators, in particular, worry about it undermining their landmark 2018 California Consumer Privacy Act (CCPA) as well as another initiative taking effect next year.
After an enforcement sweep of online businesses, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora in August for allegedly failing to tell consumers it was selling their data, for failing to process user requests to opt-out of such practices, and for failing to address its violations quickly enough. Other retailers received notices that they must remedy their CCPA violations.
While an amendment to the ADPPA attempts to appease California lawmakers with language specifically calling out the CCPA as remaining in force, some still see the state law as threatened and oppose the federal legislation.
As CPRA and the privacy-first web continue to gain traction, organizations need to adapt. Customers demand transparency about the collection and use of their personal information. Planning now saves you fines and headaches in the future.
Not surprisingly, data brokers oppose it, and the U.S. Chamber of Commerce has called it “unworkable.”
Regardless of these battles, there’s a sense of optimism on Capitol Hill the ADPPA will find enough support for passage. After intense negotiation, the bill emerged relatively unscathed from the House Energy and Commerce Committee. However, with midterm elections coming in November, it’s possible lawmakers will prefer to let the next Congress decide the ADPPA’s future.
Even if it isn’t ratified, the momentum behind the ADPPA suggests that there will be a federal data privacy law, and businesses should be ready and able to respond.