Taking the GDPR Stateside: An Industry Discussion on the Potential for Privacy Regulation in California

With Europe taking the lead on privacy regulation, proposals have been made in the U.S. to bring in similar legislation for the U.S. market. In California, proposals for a consumer privacy act are currently being discussed, allowing residents in the U.S. state to control the use of, and request insights on, their data from companies. ExchangeWire asked Peter Yeung, general counsel and vice president, Episerver; Marc Shull, SVP of social and disruptive marketing strategies, Yes Lifecycle Marketing; and Mark Bartlett, chief experience officer, FPX, about their take on possible privacy legislation stateside.

ExchangeWire: What is your take on the new European legislation coming into effect in May?

Mark Bartlett: The General Data Protection Regulations are designed to strengthen existing privacy and data regulations, which is an important step towards protecting the rights of consumers. The regulations apply to any organisation that handles EU citizens’ personal data, which includes business emails and business-related data that can be used to identify an individual.

Marc Shull: I see the GDPR as the natural next step in the constantly changing brand-customer dynamic that marketers like to talk about but which, in reality, is often only a one-way street. As businesses and governments have failed spectacularly to protect consumers’ data privacy of their own initiative, it was only a matter of time until legislation was passed that forced them to get their act together. On the bright side, the GDPR has the potential to make marketers’ lives easier by reducing the number of country-level laws they have to contend with, offering a clearer path on marketer obligations and greater control over their consumers’ data protection. Most savvy marketers I’ve spoken to agree that it’s simpler to treat everyone as if they’re European to ensure they’re fully compliant with the GDPR. Given the effort so many countries outside the EU are putting forth to reach compliance, I expect the GDPR to become the new global norm for data privacy.

Bartlett: They’re part of a shift in mindset towards more transparent use of customer data online. While compliance will be a challenge for many organisations in the short term, ultimately it gives more control back to individuals and can increase customer trust, if done correctly and communicated well.

Peter Yeung: The GDPR is an opportunity for marketers to have an equal shot at success. Those who fear the GDPR need to consider that consumers aren’t the only ones who can benefit from it. The new legislation will offer marketers the chance to deliver the right messages at the right time to consumers. And for marketers who are already running effective campaigns and engagements, there won’t be quite as much to change to reach compliance.

There is talk of implementing similar regulations in California. Considering that only 6% of U.S. companies are ready for the GDPR, do you think it is feasible?

Yeung: I certainly think that it’s feasible to implement similar data protection regulations in California and elsewhere. The GDPR alone affects any brand that provides a service to any citizen in the European Union. Therefore, American brands already are starting to maintain a certain standard of privacy and data protection. Americans have faced an overwhelming number of personal security breaches and hacks in the last year that are also driving higher demands when it comes to the handling of personal information, so I wouldn’t expect much pushback.

Shull: I think it is very realistic for a significant number of U.S. organisations to be GDPR-compliant, or mostly compliant, by 25 May. If the California law makes the November ballot, it will create increased pressure for the foot draggers to step up their efforts. If the legislation doesn’t pass in California, then it is only a matter of time before it does in one of the other data-privacy leading states. As for any new data privacy laws, there will be a natural phase-in period, similar to what has happened in the EU.

Bartlett: While the GDPR would be a challenge for U.S. organisations, a lot depends on how long organisations would have to prepare to comply. However, instead of treating this as a Eurocentric mindset that won’t ever apply to the U.S., companies need to be prepared to enhance transparency with their user data. Today’s global commerce market means that the GDPR will affect organisations around the world. On this note, organisations should prepare for the GDPR sooner rather than later. To do this, businesses should create a GDPR task force internally to identify necessary changes and spearhead execution. This task force should include a variety of stakeholders from different departments that are affected by the regulations and make them responsible for gaining familiarity with the regulations. Then, they can educate the next layer of stakeholders to make sure everyone takes the appropriate steps to achieve full compliance.

How quickly could such legislation be implemented?

Shull: I think we will see a real separation here between those who can implement it quickly and those who cannot. Large U.S. multinationals, and smaller organisations with good foresight, currently implementing GDPR solutions, will be far ahead of the game, and could be compliant shortly after any similar domestic law went into effect. It could be devastating for short-sighted organisations that wait until they are forced into data protection by domestic law. Consulting organisations and governmental bodies have produced a huge volume of helpful documentation that can help organisations align their policies, contractual language, best practices, terms and conditions for consent, etc. Meaningful change towards better data privacy and protection only takes a matter of months.

Yeung: If California had to develop legislation from scratch, it would take many, many years to undertake and pass. However, much like they did for auto emissions laws, adopting something that the Europeans have already created would expedite the creation and passage of such laws. But, you never know with the power of lobbying groups and the gridlock that happens in government. It won’t take 30 years to get California to pass a similar GDPR law, but it would take at least a year or two – if nothing else, they'll watch the fallout in Europe from the GDPR.

How would brands and marketers be affected by a GDPR-equivalent in the U.S.?

Shull: The GDPR is so far reaching that U.S. organisations must comply with it, so a U.S. version likely wouldn’t require significant alterations to those efforts, and it could lead to some long-term benefits for them and their customers. From a marketing perspective, data protection and privacy will become a brand-management issue. Marketers will need to start thinking of their customer data as an asset that needs to be protected and nurtured, and no longer something they 'own'. This should lead to marketers re-evaluating how they build and maintain relationships with customers. As with any change of this scope, some brands will figure out how to turn it to their advantage, and others will fall by the wayside.

Yeung: If compliant, brands and marketers can benefit greatly from a GDPR equivalent in the U.S. Having quality, actionable customer data is what drives better results for businesses. Under legislation like the GDPR, marketers have no choice but to accumulate more concise data. While initially this would require more of marketers, I expect to see significant improvements in engagement.

Bartlett: If the GDPR were to happen in the U.S., it would require some serious work for brands and marketers to become compliant. Because the GDPR impacts the use of an individual’s data, this affects a broad table of stakeholders in any B2B organisation. The department that has made the most noise around the GDPR is marketing, and for good reason. Under the regulations, marketers will need to get explicit consent from individuals when sending marketing emails and other media. Right now, marketers can use a soft or implied opt-in method; but with this change a prospect or customer will need to agree to receive emails by physically opting in. This is a much higher barrier to entry than what currently exists. The GDPR also gives individuals the ability to 'be forgotten' by brands. Individuals also have the right to view how businesses are using their information upon request. This is a degree of transparency that would challenge U.S. organisations that 'own' user data through opt-ins and byzantine terms and agreements and don’t share how they use that data with consumers.

If these regulations were enacted in the U.S., it would require a rethink for many organisations about how they handle transparency. Businesses would have to create landing pages and other tools that give users the option to explicitly opt in and opt out, and they would be required to provide evidence of compliance with these requests. Adding these pages and rules would be both a logistical and tactical challenge, as organisations would have to work with IT teams to build the pages; and it would also require more oversight and compliance within targeted marketing campaigns. Personalisation would have to be rethought to make sure each consumer is legally targetable.