When California passed its Consumer Privacy Act of 2018 at the end of June, what we suspected was made certain. Privacy is no longer a business issue only to be managed by lawyers, it is now a responsibility of corporate communications, too. And the rules governing data collection and use are no longer problems only to be solved by IT, they are opportunities for marketing to drive wider and deeper customer loyalty.
For 20 years, companies have kept their heads down on privacy. They had to. The rules were all over the map, if they existed at all, making it hard to know what should be said. And consumers had few questions; we were happy to get the benefit of unfettered data collection (Gmail, Facebook, Pandora). Better not to draw attention. Why rock the boat?
The danger, of course, was the occasional spotlight on surprising, suspicious or troubling behavior. A breach (hello, Target), government surveillance (the NSA did what?) or a hack (like that time all those baby monitors helped bring down the Internet) made consumers look up from their iPhones. It was only then that companies were drawn into a public discussion of privacy they sought to end as soon as possible.
A three-punch combination now has changed the world.
First there were status changing revelations. From the abuse of Facebook data in the 2016 Presidential election to social media-driven “fake news” to the Equifax breach, we were startled that companies we relied on were not reliable. Consumers just didn’t sit up and take notice, they demanded that there be action, guaranteeing that public attention would be constant.
Then there were new rules in Europe – the General Data Protection Regulation or GDRP about which so much has been written and said – not only established a baker’s dozen of data protection rights like the Right to be Forgotten “on the Continent” but exported them to companies, wherever they may be, that collect data in Europe.
Now comes even newer rules in California that mirror the European data protection rights. The state’s action may be referred to as “GDPR lite” because the potential fines are far less, but the demands of each on companies are very much in line. The California law goes into effect on January 1, 2020.
What emerges is a harmonized approach to data protection. Such a global regulatory framework will create the kind of level playing field all businesses seek at the same time consumers’ expectations demand companies be more open about their methods and actions to protect personal data.
Rather than making the privacy landscape more difficult, these mandatory requirements make it now possible to add a privacy plank to the corporate communications platform. What might have been thought of in the past as overhead – an investment in new talent, technology and training – can now be considered part of an expanded budget aimed not at compliance but market share.
By replacing a global fog of privacy laws with a sharp horizon line, companies now have the opportunity to confidently lift their heads up on privacy.
Consider just one of the rights of consumers: access to information.
Consumers in California and data subjects in Europe are able to ask businesses with whom they have a relationship for access to the data collected about them. This is a request at no cost (with some exception) to consumers; likely to be handled by a form on a website. But if that is the extent of it, it will be a lost opportunity.
View it not as a mandatory distraction, but an opportunity to engage. A regulatory request can become a way to better understand the concerns of customers and begin a wider-ranging discussion. A requirement can become a product attribute; there can be real market value in promoting access.
Then consider the broader implications of such a “nothing to hide” approach.
Data collection and use has been a real black box to consumers. Conflicting regulatory regimes have made it too complex and costly to be more open about data practices, even as breaches, mis-use and lawsuits have made us all far more aware and suspicious. But as a harmonized global platform continues to emerge, companies will be able to make privacy a point of good customer service at least and, potentially, a competitive difference.
What will that look like?
While every company has its own formula for using data to drive the bottom line, in this new era, what’s good for me is going to have to look a lot more like what’s good for you. That’s a story that can now be told without fear that some practices approved in one jurisdiction might be illegal in another.
Companies can now publicly make a case linking data collection and consumer value, not just because the rules say so, but because people want to hear it.
What data is being collected, how it is used, security measures to protect it and safeguards against its misuse can now become points of public discussion reinforcing a brand rather than nervous secrets that, if exposed, could damage the brand.
That’s now what makes privacy a public matter.
John Berard, founder of Credible Context, is a public relations consultant and privacy advocate based in Oregon.