American-Style GDPR: It’s a Bare Minimum, Not a Goal
- AUTHOR Christine Chartier
- June 28, 2018
The fallout from the European Union’s General Data Protection Regulation (GDPR) has been a bonanza for tech journalists. On May 25, the day GDPR became enforceable, Digiday reported that Europe’s digital ad demand plummeted 25 to 40 percent. Austrian privacy activist Max Schrems slapped Google and Facebook with multibillion-dollar lawsuits for strong-arming users into accepting their data policies. Many Indian startups blocked EU users altogether to avoid the costs of GDPR compliance.
In other words, GDPR went as we should have expected: imperfectly. That raises a big question for the U.S.: Will we follow in Europe’s footsteps and with what effects?
If you begin to compare GDPR to watered-down American equivalents, you’ll miss the whole point: these privacy regulations are bare minimums.
Tech companies will not earn trust and loyalty merely by following privacy laws. Rather, smart B2B technology marketers will make consumer privacy part of their services, as if it were a feature that buyers should seek. The food industry provides a great example of why tech companies should not only embrace but one-up privacy regulation.
GDPR American Style
U.S. privacy regulation is no longer an if, but a when and how. Alastair Mactaggart, a real estate developer who was spooked by a conversation with a Google engineer, launched a campaign for the California Consumer Privacy Act (CCPA), which may appear on a California ballot this November. The week of Mark Zuckerberg’s testimony in Congress in April, Senator Edward Markey [D-MA] introduced the CONSENT Act. Both bills would influence the privacy standards, data collection methods, and business models of tech companies throughout the U.S.
More than a few publications have compared the CCPA and CONSENT Act with GDPR. Long story short, the CCPA gives people the rights to:
- Know what information is being collected
- Know whether the information is sold or shared and with whom
- Say no to the sale of that information
The CONSENT Act would require internet companies to “…obtain opt-in consent from a customer to use, share, or sell the sensitive customer proprietary information of the customer” (with a small loophole Digiday points out). Critically, the law would prevent companies from refusing to serve customers who do not consent.
In these bills, you will not find GDPR staples like the “right to be forgotten,” controller versus processor distinctions, and frameworks for investigating violations. Again, that’s not the point. The cultural signal of these bills matters far more than their fine print.
Rats in the Meat
Consider that GDPR, the CONSENT Act, and the CCPA are not knee-jerk reactions to a few breaches and bombshells, but rather part of a cycle. As my CEO Bonnie Crater has discussed elsewhere, disruptions start out underregulated, royally mess up, get overregulated, then find an equilibrium that satisfies consumers, businesses, and regulators. The Insights Economy, the tech ecosystem that mines and processes raw data into insights, is transitioning from the mess-up stage to regulation.
Tech companies that merely comply with privacy regulations set themselves up for branding and marketing failures. Privacy regulation is gaining steam because consumers are genuinely angry, suspicious, and jaded. They want to see companies treat privacy as a virtue, not as an onerous requirement standing in the way of their profit margins.
The more Google, Facebook, and their peers resist privacy regulation, the more that consumers will believe it’s necessary. The signal to consumers is, “If we show you how the sausage is made, you won’t want sausage anymore.”
Speaking of sausage, recall how Upton Sinclair’s The Jungle, a 1906 novel exposing health violations in the U.S. meat industry, led to public outcry and swift regulation. Likewise, remember how Rachel Carson’s 1962 book Silent Spring, which documented the effects of pesticides on the environment, led to the banning of DDT in agriculture.
Notice today that companies don’t brag about not allowing poisoned rats in their food or not using DDT to keep pests off their crops. Rather, companies now tout their non-GMO, grass-fed, free-range, USDA Organic, Fair Trade credentials. The food industry embraced the safety and sustainability of its food as a virtue. Brands won consumer trust and loyalty not by meeting minimums, but by setting higher standards than anyone asked of them.
Privacy as an Experience
If we think of privacy the way we think of meatpacking violations and pesticides, we marketers can face regulation more strategically. We need to make privacy a feature of experiences, NOT an obligation. If you sell B2B technology that will handle the data of consumers or businesspeople, consider how you can design and market exceptional privacy protections.
The tech industry will probably develop a premium privacy label akin to USDA Organic or Fair Trade. We’ll see marketing that touts privacy protections, opt-in agreements written in human English, and privacy controls a 10-year-old can figure out.
Let lobbying groups, lawyers, and politicians fight over what goes into U.S. privacy regulations. In the meantime, go beyond what you expect regulations to say. The question should not be one of compliance for companies aiming to earn respect, trust, and long-term patronage. Rather, smart marketers will hold privacy as a virtue and show that to customers who, justifiably, have become jaded about data collection.
If you’re struggling to implement GDPR for your organization, here is another blog from one of our engineers who provides an overview for Salesforce admins and developers.