Informational privacy is a hot topic. Just recently new privacy laws in California and Virginia have brought Europe-inspired requirements on how companies process personal information to the US.
Data is a valuable, but challenging asset.
Organizations can only meaningfully protect, and effectively make the most of, their digital assets if they know what data they have, the usage limitations that apply to it and where it resides and who has access to it. Data management is a huge challenge for organizations in the modern hyper-connected tech-enabled world; yet challenges can be turned into opportunities by organizations willing and able to step-up to them.
Data management is not just about legal compliance. In many ways, it comes down to branding.
Marketing experts know that having a strong brand enables businesses to stand out and surpass their competition. Developing a strong brand is no longer only about logos, slogans and pricing. In the words of Jeff Bezos: “A brand is literally what people say about your business when you’re not in the room”. Forward thinking organizations have been actively bundling corporate values, company culture, and even the overall “philosophy” of the company into their brand architecture for years and the trend is accelerating.
Take Patagonia, for example, a certified B-Corp that has been actively branding itself around the fight against climate change for years. In 2020, it started using its clothes to make a statement about climate change with a new clothing tag that reads, “Vote the a-holes out.”
Even when it comes to issues that are politically controversial and even financially burdensome, companies are, at this point expected to take a public stand. Several companies have spoken out against the Georgia voting law, prompting Trump and his supports to calls for boycotts of their products and services and, in some cases, risking State tax breaks in the process.
Consciously branding your organization around privacy is an imperative at this point.
In fact, it is highly likely that customers have already formed their own intuitive sense of where your organization stands on informational privacy, whether you actively work on carving a privacy branding for yourself or not.
In the fight to define what people say about your businesses’ privacy and security practices when you’re not in the room, one major consideration is the stand that the organization has taken (or will take) for legal compliance.
To be candid, from a legal mandate point of view, the train has left the station.
California’s paradigm-shifting California Consumer Privacy Act (CCPA), now in full effect for traditional consumer data, practically necessitates businesses to map their personal information and have a robust way to manage it to comply with legal restrictions and consumers’ rights to know and delete. Revisions to that law, effective January 1, 2023, will bring personal information of a company’s personnel, and persons with whom the company interacts with in a B-to-B context, fully under the CCPA. Covered businesses will also need to practice data minimization, as well as publish and follow limited-purpose-based retention notices. In addition to the Golden State, Virginia has passed comprehensive consumer privacy legislation, also effective January 1, 2023. Scores of other states are considering similar legislation.
One way in which US laws are distinct from what we have seen in Europe and other regions is the way these laws influence corporate branding. This is due to the way these laws define and require transparency around rights. The most iconic example is the right to opt-out of sale. The CCPA defines what a “sale” is and requires organizations that engage in conduct that falls under the definition to disclose that they are “selling” and offer a way to opt-out (or opt-in for minors under 16). Legislative proposals across other states use the same terminology, although they may define the concept of “sale” differently.
As legal experts, we help clients define and actively communicate their privacy branding strategy in a way that we believe adds value to them. Are you “selling” data? If so, how would you frame your activities in a way that adds (rather than detracts) value from your brand? How will you enable individuals to opt-out? Will you extend the same rights to all US customers, or will you break it down by State? If not selling, what activities will you have to curtail to take that stand? What contractual language is required or advisable in either event? How will your compliance stand in the US affect your compliance elsewhere in the world?
In our experience, the most challenging area to navigate for organizations has been online advertising. The instant availability of personal digital usage data, and the ability to track usage over time and unrelated services or activities, has generated marketing synergies that can result in more relevant ads for consumers, and thereby increased revenue for publishers (advertisers pay more to send a targeted ad than a generic ad). Advocates of so-called interest-based advertising argue that this helps to keep most online services and content ad-supported and free to the consumer, minimizing an economic digital divide. However, some consumers see these practices as an intrusion, especially if they feel uninformed about the practice and unable to limit it.
Leading social media platforms that strongly believe the availability of user data to facilitate on-platform advertising is beneficial to consumers, are choosing to integrate this idea into their own branding and actively running campaigns to articulate that message to the public, and at the same time providing more transparency and choice to users.
Others are going even further, incorporating privacy into their core brand message as a path to establish trust with their customers and creating and enforcing policies that present privacy as a stand-alone, value-add to their brand.
The revisions to CCPA, effective January 1, 2023, will bring new branding challenges and opportunities. Will your organization limit its use of sensitive data or offer an opt-out? How will you meaningfully address and explain automated decision-making activities? These and many other questions will need to be answered in the public sphere and will impact your brand. Will you be ready to answer them?
Every company is different, and the impacts of privacy decisions, such as whether to afford full European Union and/or California / Virginia rights to all consumers, or just those legally entitled to those rights, is a business not a legal decision. So is whether or not to provided consumer privacy choices beyond what applicable law requires (e.g., opt-in where the law required only opt-out, or no choice at all). The point is, wherever your organization stands, if you are not considering your privacy brand strategy at the same time that you address your evolving compliance obligations, you are missing an opportunity to define yourself. And if you cut corners on mapping your data and developing a robust information governance and security program, you are not just setting yourself up for non-compliance, but also missing an opportunity to create and protect asset and brand value.
In other words, how you address consumer privacy as a market differentiator is up to your organization, but our strong legal advice is to be pro-active and build a data management program that will enable you to substantiate your claims.