Data privacy in 2022 is at the forefront of our current wave of digital transformation. Based on the findings from our 2022 State of the CDP Report, data privacy is a leading driver for organizations investing in a CDP platform. This is largely because they need a reliable and easy method for managing and securing their customers’ data due to all the recent privacy regulations that have been cropping up globally over the last five years.
But the story goes much deeper than just needing to accommodate privacy regulations. The reason there are so many regulations already in place, and many more to come, is that the public is beginning to demand better control over, and restrictions on, the personal data that is being collected about them.
So, companies have to meet two primary demands. First, they have to abide by state, national and global regulations in order to avoid hefty penalties and fines. Second, they have to build public trust in their organization by clearly and obviously respecting these privacy demands, or else risk losing out to competition that better understands the assignment.
As January 28th is Data Privacy Awareness Day, what better time to dive deep into the world of data privacy in 2022 and explore the current and upcoming climate of data privacy around the world?
The Data Privacy Landscape in America
Currently, there is no federal data privacy legislation in the United States. But that will likely change in the future. As the wave of public concern continues to build, more states will pass privacy legislation. There are currently only three states with passed legislation and only six states with active bills. Although the short-term politics are uncertain, the impracticality of the state-by-state approach for businesses pursuing compliance will eventually lead to heavy lobbying for a federal solution, which makes it essentially inevitable that federal legislation will pass.
Today, the U.S. is taking the same approach that was previously taken in Europe – any company doing business in multiple states is at risk of simultaneous audits under different rules. The umbrella nature of GDPR allows a different approach in Europe today, which has dramatically simplified operations for European businesses – the U.S. will eventually follow suit.
That impracticality begins with the sheer number of requirements a company needs to comply with. Each state regulation might differ, which becomes a nightmare for legal and privacy teams: they have to implement compliant processes to manage and supervise data processing activities, make technological adaptations (such as Consent Management), and face the possibility of being audited by multiple authorities at the same time.
This scenario will lead to a huge increase in privacy budgets, eventually making it impossible for small to mid-sized companies to be fully compliant.
Furthermore, a state-by-state approach makes it substantially more difficult to obtain a new alignment between EU and US data flows due to the complexity of achieving a level of adequacy.
Tech Companies Leading the Charge
Apple in particular appears to be continuously rolling out new privacy-centric policies and tools, which in turn is forcing all industry players to react. Google is proposing its Privacy Sandbox in lieu of the third-party cookie, which has prompted some action.
US-based companies have played a strong role in shaping and/or preventing regulations, resulting in regulations that are more in the companies’ interest than the end-users’. For example, the Florida privacy legislation failed to pass because businesses lobbied against a private right of action, demonstrating that business interests prevailed over end-users’ rights.
The advertising industry has an inherent conflict of interest (simply speaking, more data means more money), so it has been less involved in redefining data privacy requirements. At the same time, advertising standards that provide guidelines for member companies could help close the gap between regulation and implementation, if the approach is properly compliant.
Consumer Behavior and Consent Fatigue
New data indicates that over half of US consumers accept all cookies when they visit a site, even though their concern about data privacy is growing. Today’s dominant approach subjects people to countless distracting and unwelcome interruptions throughout their day. It’s increasingly leading to ‘consent fatigue’, wherein people are more interested in closing the prompt (so they can interact with the site) than in engaging with the consent dialog in any meaningful way. Data privacy is important, but this is the 47th banner today, and they just want to see the recipe.
It seems inevitable that device- or browser-level sets of preferences, or a sign-on-based approach, will eventually replace the current flood of banners and pop-ups, but that will take time.
The California attorney general recently released an FAQ that includes the suggestion to support the Global Privacy Control browser signal. GDPR will probably follow a similar approach once the ePrivacy directive is officially enforced, as it may include the requirement to support browser (or other) consent signals. NOYB is taking the lead by working on an extension that aims to reduce ‘consent fatigue’.
Consent fatigue is a great example of how companies must walk the fine line between following regulations and winning over their target market with functional privacy policies. Some companies, for example, don’t make it easy for people to modify their cookie settings, offering only an “accept all” option or nothing. People will typically accept all in that case, but it also leaves a bad taste in the mouth of the visitor, who feels forced into a situation the new policies were designed to remove. In the end, public perception of your business is all that matters, so companies must create frictionless but legal solutions for collecting and storing customer data.
For more information on how Tealium can support your data privacy needs in 2022, click here to schedule a demo.