GDPR, CCPA, ePrivacy - Which data laws are next and how the new privacy landscape will affect marketers
The GDPR signaled a pretty dramatic shift in terms of public and regulatory attitudes towards data protection. In this talk, we look at the “new” public attitude, the emerging data privacy / legal landscape – and how this directly affects marketers. Now when you hear “data” and “legal” together, it can seem like a lot – a tedious lot. This webinar is not that. Here’s what this webinar does NOT contain:
- legal jargon,
- boring monologues on clauses,
- ambiguous technical terms.
Here’s what you CAN expect from this webinar:
- Easy-to-understand breakdown of the existing laws that are actually relevant to marketers,
- A heads-up on which rules are on the table to come into effect next (US, EU, Brazil, and India),
- The impact this will have on marketing,
- How you can be prepared,
- Interactive Q&A.
Answers to some questions that weren't covered during the webinar
Q: How should we think about GDPR and all the other things mentioned on the first slide if we are a legal tech start-up for a direct-to-consumer app?
A: In general, any company dealing with the public should carefully consider its own compliance – more so if you're in the legal space. The first step should always be determining your laws of reference – this will help you determine whether something like the GDPR or the CCPA (or both!) applies to you. When thinking about a law like the GDPR, I would say the key principles to keep in mind are data minimisation and transparency. Further reading: how to determine your law of reference, an overview of compliance for app developers, and a Medium post on GDPR compliance for startups.
Q: Does a small business in the US have to worry if its business and customers are from the US but some might still come from Europe? How would it matter?
A: EU laws like the GDPR apply whenever you process the personal data of EU-based persons – even IP addresses can be considered personal data. These laws apply whether you’re based in the EU or not, and the consequences of non-compliance are pretty serious. If your business, products or services do not actually apply to EU-based persons, then your best bet would be to block traffic coming from the EU to avoid accidentally processing EU data. However, do note that similar legal protections (via the CCPA) may apply to Californian consumers – which would hold you responsible whether or not your business is based in California. The consequences of non-compliance here are also pretty serious, so it’s definitely something you should be aware of and consider.
Q: If our EU traffic is under 5% (barely 1-2%), do we still have to worry about the GDPR, etc?
A: Yes, the GDPR protections apply to all EU-based persons. The percentage of the traffic is irrelevant in this regard.
Q: How much of this applies if your website is only collecting Google Analytics data that does not include personal data?
A: The data that Google Analytics collects is likely still considered personal data under the GDPR in most cases, so you will still need to comply. Furthermore, several European countries, including the UK, have clearly stated that consent is required before running even analytical cookies. In fact, if you use third-party services on your site, you might be processing personal data without even being aware of it. One way to check is to analyze your site to see whether it is running cookie scripts and similar technologies that you’re not aware of.
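As an added example (not from the webinar), the check below inventories the third-party hosts a page loads scripts, frames and pixels from, plus any inline script that writes cookies, since each of those can set cookies or see the visitor's IP address. The sample HTML and host names are constructed.

```python
# Added example (not from the webinar): inventory the third-party hosts a page
# loads resources from, since each one can set cookies or see the visitor's IP.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes that trigger a request to another host when the page renders.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class ThirdPartyInventory(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.third_party = set()        # external hosts the page contacts
        self.inline_cookie_scripts = 0  # inline <script> bodies touching document.cookie
        self._in_inline_script = False

    def _is_first_party(self, host):
        return host == self.first_party_host or host.endswith("." + self.first_party_host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_inline_script = "src" not in attrs
        url = attrs.get(RESOURCE_ATTRS.get(tag, ""))
        # Relative paths and data: URLs have no hostname, so they count as first-party.
        host = urlparse(url).hostname if url else None
        if host and not self._is_first_party(host.lower()):
            self.third_party.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and "document.cookie" in data:
            self.inline_cookie_scripts += 1

def inventory(html, first_party_host):
    """Return (sorted third-party hosts, number of inline scripts writing cookies)."""
    parser = ThirdPartyInventory(first_party_host)
    parser.feed(html)
    return sorted(parser.third_party), parser.inline_cookie_scripts

# Constructed sample: a first-party script, a tag-manager loader and a marketing iframe.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || []; document.cookie = "seen=1";</script>
<iframe src="https://ads.thirdparty-example.net/pixel"></iframe>
<img src="https://static.example.com/logo.png"></body></html>"""
```

Running `inventory(SAMPLE_HTML, "example.com")` lists the two external hosts and the one inline script that sets a cookie; each host in the list is a vendor whose cookies and data handling belong in your consent notice.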
Q: What are the general standard guidelines to include for a website?
A: 1) Figure out your laws of reference.
2) Consider your points of data collection to understand the various disclosures you may need to make, or where you may need to ask for consent, etc.
3) Implement by either using the right tools or consulting with a lawyer. There is an overview of the various laws to consider for basic websites, and of when you actually need to consider these laws.
Q: Is using a Google Ads cookie for California users a "sale" of data? So does the CCPA apply to anyone using this cookie, regardless of size or the total number of individuals' PII collected annually?
A: The CCPA definition of a sale is very broad, and in general includes sharing personal info in any way that benefits you, whether monetarily or not. So, yes, a Google Ads cookie will likely fall into this definition. The CCPA applies in any of the following 3 scenarios:
- Less common scenario - You have an annual gross revenue of over 25M; OR
- More common scenario - You make more than half of your revenue through activities that would be considered "selling" consumer info under the CCPA definition; OR
- Common scenario - You buy, receive in some way, sell (CCPA definition), or even share the personal info of at least 50K consumers per year, for commercial purposes.
Q: Do the GDPR regulations in Europe also apply for B2B Business?
A: Yes. The GDPR applies wherever you are processing personal data. This means if you can identify an individual either directly or indirectly, the GDPR will apply. Personal data includes anything that makes someone identifiable, including (but not limited to) names, phone numbers, IP addresses, and personal email addresses.
Q: Do we need to implement a contact form for users to opt out of their data in California?
A: You can choose how to implement this. While something like IAB’s US Privacy Framework can facilitate a one-click opt-out with regard to ads, if you’re sharing personal info with other third parties (that are not part of the ad network), you may need to manually inform those third parties that the user has opted out. In these cases, a contact form could be a good solution; however, keep in mind that there are strict rules on how long you have to fulfil the user’s request.
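As an added example (not part of the webinar), here is a small parser for the IAB US Privacy String that the framework above passes to ad tags, with a fail-closed gate for loading them and a helper that lists the non-ad partners you still have to notify by hand. The partner names are constructed; the fail-closed default is this example's design choice, not an IAB rule.

```python
# Added example (not from the webinar): read an IAB US Privacy String (the
# "us_privacy" value exposed via __uspapi) and gate ad tags on it. Version 1
# is four characters: version, explicit notice, opt-out of sale, LSPA coverage.
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class UsPrivacy:
    explicit_notice: str    # 'Y', 'N' or '-' (CCPA not applicable to this visitor)
    opted_out_of_sale: str  # 'Y' means the user clicked "Do Not Sell My Personal Information"
    lspa_covered: str       # publisher signed the IAB Limited Service Provider Agreement

def parse_usp(value: str) -> UsPrivacy:
    """Parse strings such as '1YNN' or '1---'; reject anything that is not a v1 string."""
    if len(value) != 4 or value[0] != "1" or any(c not in "YN-" for c in value[1:]):
        raise ValueError(f"malformed us_privacy string: {value!r}")
    return UsPrivacy(value[1], value[2], value[3])

def may_share_with_ad_vendors(value: Optional[str]) -> bool:
    """True only when the signal positively permits a CCPA 'sale' to ad vendors.

    Design choice of this example: fail closed, so a missing or malformed
    string is treated like an opt-out instead of silently loading ad tags."""
    try:
        usp = parse_usp(value or "")
    except ValueError:
        return False
    if usp.explicit_notice == "-":  # '1---': CCPA does not apply to this visitor
        return True
    # Without a displayed notice the visitor never had a real chance to opt out.
    return usp.explicit_notice == "Y" and usp.opted_out_of_sale == "N"

def partners_to_notify(value: Optional[str], partners: Iterable[str]) -> List[str]:
    """Partners outside the ad network who must be told about the opt-out directly.

    The one-click signal only reaches vendors in the ad chain; anyone else you
    shared personal info with (e.g. a CRM or e-mail tool) needs a manual notice."""
    return [] if may_share_with_ad_vendors(value) else list(partners)
```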
Q: At the online conferences where the organizer obtains GDPR consent, does that consent extend to sponsors who receive the email list?
A: Only if the organizer explicitly informed the attendees of this fact and allowed them to provide opt-in, granular consent that is specific to the various sponsors’ purpose for collecting the data.