One vitally important session presented at the FSC Leadership Conference looked at the new General Data Protection Regulation (GDPR), set to go into effect in the U.K. in May, before spreading throughout the EU — a law that applies to every company, everywhere, when serving these nations.
Attorney Alan L. Frei, Partner at Baker Hostetler, kicked off the discussion with an overview of U.S. privacy regulations to provide a baseline comparison with what the GDPR will bring to stakeholders.
Frei discussed the California Online Privacy Protection Act (CalOPPA) as well as best practices for mobile device users such as those issued by Google and other entities with a focus on preserving user privacy.
“Are you using third parties to collect information or sharing info you have collected with third parties?” Frei asked the attentive audience. “Has ‘privacy by design’ been incorporated into your campaign and design process?”
The notion of “privacy by design,” which extends to business models, database architecture and more, rather than being a matter of background colors and font selection, quickly became a recurring theme.
Frei outlined differences in opt-in, opt-out, and give-up approaches to future marketing communications as well as CAN-SPAM and TCPA requirements, and the need to record customer service calls. He also asked the audience about their involvement in behavioral advertising and targeting, among other means of consumer tracking that are increasingly coming under regulatory scrutiny. The subject of collecting location-based information, especially in the context of geo-discrimination and analytics, was also tackled as it pertains to current laws.
Among the considerations Frei brought to the fore, the Video Privacy Protection Act (VPPA), which has long prohibited the disclosure of consumers’ media viewing habits, raised some eyebrows, while required disclosures about social media marketing and advertising must make it clear that a speaker or writer has a material connection to the product or service being offered.
“The U.S. Federal Trade Commission (FTC) is aggressively pursuing affiliates over non-disclosure,” Frei explained, underscoring the sometimes-unexpected liability and reach of commercial disclosure and privacy requirements. “Have you and your vendors adopted a formal data security compliance program? What about formalized agreements covering content and ad errors and omissions?”
If the breadth and depth of U.S. regulations intimidated some attendees, the new European rules were an eye-opening exercise in the need to be prepared, no matter how overwhelming the prospect may be.
Taking over the presentation for a glimpse at what’s coming in May, Dr. Kai Westerwelle, a partner at Taylor Wessing, revealed the realities of the uphill battle facing merchants in the months to come.
“Europe is a bit more difficult regarding privacy and privacy protection,” Westerwelle said, as he led into a discussion of Europe’s move toward harmonization, where more consistent regulation will govern the transfer of data from Europe to the U.S., and explored Safe Harbor and Privacy Shield provisions, along with new regulations governing cookies.
According to the U.S. Department of Commerce, the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks “were designed … to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.”
Compliance with Privacy Shield, it seems, gets merchants well along the way to GDPR compliance.
On the topic of meeting the regulatory requirements of different countries across Europe given the lack of a unified mandate, Westerwelle told the audience, “We have a very big space to maneuver in.”
“The EU is drifting apart on privacy,” Westerwelle said. “Different countries have different approaches, so a U.K.-centric model may not cover other countries.”
With the GDPR set to take effect in May, however, it behooves merchants to use this regulation as a model for their ongoing privacy programs, as it is reportedly set to cover the entire EU in 2020.
“For the first time ever, we have a different regulatory scope,” Westerwelle said. “[The GDPR] applies to every platform targeting EU customers no matter where they are in the world. Whenever you store data from Europe, think of the GDPR.”
Westerwelle shocked some attendees with the reality that their corporate headquarters’ location, level of market share, or any other factor, does not shield their businesses from having to comply with GDPR.
“Every company touching EU personal data has work to do,” Westerwelle said, specifying that anything that can or does identify a user, including IP addresses, is covered by the new regulations. “The GDPR also specifies ‘sensitive data’ — including a user’s sexual interests — as requiring even more stringent care.”
Highlighting the vast difference in U.S.-centric data policies and those in Europe, Westerwelle was clear:
“In the U.S., you can use any data until you can’t,” he explained. “In the EU, it is the exact opposite — you can’t use any data until you can.”
It was a stark lesson in informed consent, which requires an unambiguous declaration with a statement of clear, affirmative action, localized to comply with EU law.
This means no pre-checked boxes and no “by submitting this form/entering this site I consent…” shenanigans: consent must be spelled out and positively affirmed by the user.
“You have to make documentation for every bit of data collected,” Westerwelle said. “This begins with complete data mapping. Data mapping is the hardest thing for you to do to comply with the GDPR.”
Detailed data mapping is the heavy lifting of compliance and the point at which merchants’ eyes open to the extent to which their sites and service partners collect data. This includes remote access, such as live chat, interactions with call centers/customer support, connections with ISPs and payment facilitators, etc.
Westerwelle noted that comprehensive data mapping must account not only for when data is acquired but also for when it is deleted, and he pointed to the need for formal data retention policies.
“You have to delete the data as soon as you no longer have a direct need for it,” Westerwelle explained, citing ongoing consent for newsletter mailing to an email address as an example of data that needs periodic re-authorization for use, saying this authority “should be renewed every six months.”
That’s a bitter pill to swallow for many marketers who have built their business on legacy mailing lists, especially when “there is specific contractual language required.”
Another action point is the naming of a corporate Data Protection Officer (DPO).
“A DPO is someone making sure your company is complying with everything under the law, and is legally obliged to report to authorities if something goes wrong — such as providing mandatory data breach notifications within 72 hours,” Westerwelle said, adding, “It is often difficult to get facts [about data breaches] in three days…”
As for penalties for non-compliance, they can be most severe, with egregious violations reportedly running at up to four percent of the annual turnover of the offender’s entire global group of companies — not just that of the problematic property — up to $40M. That’s a stiff chunk of change, and regulators are eyeing the actions of affiliates for which merchants are liable, making huge fines a likely proposition.
The discussion moved to the likelihood of offenders being caught, and while regulator staffing shortages and other burdens make the chance of a mid-size company being randomly identified as an offender small, Westerwelle told the audience they should find no comfort in that fact.
“Your enemy is your customer,” Westerwelle said, citing the possibility that disgruntled customers and ex-employees can report businesses to authorities, which are then legally obligated to investigate them.
As for immediate steps to take, Westerwelle emphasized that “I don’t want this!” is NOT an option if you want to serve customers in the EU.
“Make stakeholders aware and consider budgets. Map data and create a data inventory,” Westerwelle advised. “Identify who is the lead supervisory authority, and review privacy notices and consents.”
Finally, Westerwelle underscored “the right to be forgotten” and how the GDPR not only provides for users to demand that merchants expunge all available data about them, but to demand a copy of all data the merchant holds about them.
“Focus on the design of your database,” Westerwelle concluded. “You have to be ready to transfer user data to the user on demand.”
The complexity and seriousness of the message took many attendees by surprise, but the resilience of the adult entertainment industry is legendary, and this will be only one more hurdle for the increasingly corporate and sophisticated players driving the industry forward. Kudos to the FSC for fostering more awareness of this vital issue that will impact all online businesses.
Some last bits of advice: consult a qualified attorney and ensure your compliance before the deadline.