Customer data is the lifeblood of a company’s marketing strategy. But while marketing departments would like to collect as much data as they can and keep it forever, privacy laws in most jurisdictions won’t allow that, and companies must stay within strict guidelines. Even within those guidelines, though, there are allowances for processing data for marketing purposes. You just have to know what you’re allowed to do, and how.
In this article, we’ll be comparing several of the most far-reaching privacy laws on the books today to see how each one handles data processing.
GDPR – Europe
The GDPR (Article 6) lists six lawful bases for processing a customer’s personal data; a company needs at least one of them for each purpose it processes data for:
- The customer has consented. Consent cannot be assumed or buried in a pre-ticked box: it must be freely given, specific, informed, and expressed through a clear affirmative act, and the customer can withdraw it at any time. (The stricter standard of “explicit” consent applies to special categories of data such as health information or political opinions.)
- The processing is necessary to perform a contract with the customer, or to take steps at the customer’s request before entering into one, for example shipping an order to the address they supplied.
- The company needs the personal data to meet its own legal obligations. For example, a company that sells specialty alcohol must hold enough personal data to verify that its customers are of legal drinking age.
- The processing is necessary to protect someone’s vital interests. This basis is essentially about saving a life and rarely surfaces outside the medical field.
- The processing is necessary for a task carried out in the public interest or in the exercise of official authority, such as administering justice or carrying out a governmental function. This basis is designed for public authorities and bodies acting under a legal mandate; an ordinary commercial marketing team will almost never be able to rely on it.
- The company can demonstrate a legitimate interest. The interest belongs to the company (or a third party), not the customer: the company must identify the interest, show that the processing is necessary to pursue it, and document that the interest is not overridden by the customer’s own interests and fundamental rights. The GDPR’s recitals name direct marketing as an interest that may qualify, but the balancing test still has to be carried out and recorded, and the customer keeps an unconditional right to object to direct marketing at any time.
CCPA – California
Unlike the GDPR, California’s privacy law has no list of lawful bases that a business must satisfy before it retains or processes consumer data. The CCPA (California Consumer Privacy Act, since amended and expanded by the CPRA) instead works through disclosure obligations and consumer rights, and it still places real restrictions on how businesses may use the data in question:
- Businesses do not need opt-in consent to sell an adult consumer’s personal information, but they must disclose, at or before collection, what they collect and why, and they must offer a clear “Do Not Sell or Share My Personal Information” mechanism. Opt-in consent is required before selling or sharing the personal information of consumers under 16 (for children under 13, a parent or guardian must consent).
- Consumers may direct a business not to sell their personal information or share it for cross-context behavioral advertising, and the business is required to comply.
- Once a consumer has opted out, the business may not sell or share their personal information again unless the consumer later gives explicit permission, and the business must wait at least 12 months before asking them to opt back in.
PIPA – Maryland
Maryland’s privacy law, the Personal Information Protection Act (PIPA), is also referred to as the Maryland Data Breach Notification Law, and breach response is indeed its center of gravity: it requires businesses to maintain reasonable security procedures, to limit the damage caused by a breach, and to keep affected consumers and the state informed. A set of amendments that took effect on October 1, 2022 tightened these requirements.
With these updates taken into account, PIPA states that:
- Following discovery of a breach, a business has 45 days to notify all affected Maryland residents. A business that merely maintains data on behalf of another company must notify that data owner within 10 days of discovering the breach, so that the owner can meet its own deadline.
- Affected consumers must be notified unless a reasonable, good-faith investigation concludes that misuse of the information has not occurred and is not reasonably likely to occur. (For example: if the only data taken was encrypted and the encryption key was not compromised, the business can reasonably conclude that misuse is unlikely. That conclusion depends on the key actually being out of the attacker’s reach; data encrypted with a key stored on the same compromised server offers no such comfort.)
- Before notifying affected consumers, the business must notify the Maryland Attorney General. The notice to the AG must contain:
- A detailed description of when and how the data breach occurred
- How many people were affected
- A list of what the company has done and/or plans to do in response
- The form of notice the business intends to send to consumers, together with a sample copy
CDPA – Virginia
Virginia’s Consumer Data Protection Act (CDPA), in force since January 1, 2023, goes into considerable detail on company responsibilities and consumer rights. It also departs from earlier American privacy laws such as California’s CCPA, which for most data only require companies to let consumers opt out: the CDPA requires companies to obtain consent before processing sensitive data (such as health, biometric, precise geolocation, or children’s data) in the first place.
Company responsibilities under the CDPA include:
- Obtaining consent before processing sensitive personal data
- Establishing and maintaining reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data
- Limiting collection to personal data that is adequate, relevant, and reasonably necessary for the disclosed purposes, rather than gathering everything that might someday be useful
- Processing personal data only for the purposes disclosed to the consumer, unless the consumer consents to a new purpose
- Never processing personal data in violation of anti-discrimination laws, and never discriminating against consumers for exercising their rights
- Clearly disclosing whether they sell personal data to third parties or process it for targeted advertising, and explaining how consumers can opt out
- Providing at least one secure and reliable means for consumers to submit requests. Companies cannot require consumers to create a new account to submit a request, though they may require use of an existing one.
- Respecting users’ right to be informed, including information such as:
- The personal data collected
- The purposes for processing
- What personal data is shared with third parties
- What third parties receive shared personal data
- How to exercise their consumer rights
Consumer rights under the CDPA include:
- The right to access, correct, delete, or transfer their personal data
- The right to know how their data is being processed and by whom
- The right to opt-out of data processing for the purposes of profiling, targeted ads, or sale of their personal data to third parties
- The right to submit up to two data subject access requests (DSARs) per year free of charge; beyond that, or for requests that are manifestly unfounded or repetitive, the company may charge a reasonable fee or decline
- The right to a response within 45 days of submission. One 45-day extension is permitted where reasonably necessary, provided the company tells the consumer within the initial window and explains why
- The right to be told within that same 45-day window if the request is denied, along with the reason for the denial and instructions for appealing
- The right to appeal a denial and receive a written response, with reasons, within 60 days of the appeal; if the appeal is also denied, the company must tell the consumer how to contact the Attorney General
None of the users’ rights established in the CDPA can be waived through a contract or any other means.
CASL – Canada
CASL, Canada’s Anti-Spam Legislation, is narrower than the other laws here: it is not a general privacy statute but a set of rules for commercial electronic messages (email, SMS, and similar channels), the installation of software, and the alteration of transmission data. In practical terms, the law ties a company’s right to send marketing messages to consent, and implied consent expires after a fixed window. Every commercial message must also identify the sender and carry a working unsubscribe mechanism, and unsubscribe requests must take effect within 10 business days. A consumer who is not interested can unsubscribe immediately or simply let the implied-consent window run out.
CASL recognizes two kinds of consent under which a company may send commercial electronic messages to consumers:
- Implied consent. An existing business relationship creates implied consent: if a customer asks about a product or service, the company may send them marketing messages for 6 months after the inquiry; if the customer actually makes a purchase, the window is 2 years from the transaction. Implied consent can also arise where a person has given the sender their address directly, or has conspicuously published it without stating that they don’t want unsolicited messages.
- Express consent. A customer who subscribes to a mailing list or signs up for marketing updates is directly asking to be contacted. Express consent must be an opt-in (a pre-checked box does not count), the request must identify who is asking and state that consent can be withdrawn, and once given it remains valid until the customer withdraws it.
PPL – Israel
Israel’s Privacy Protection Law (PPL) makes its stance on consent clear from the very first line. The law, already recognized for its robust standards, has been the subject of a major amendment package that the Knesset advanced in early 2022. Looking closely at the most significant amendments reveals that several were likely influenced by the GDPR. They include:
- Redefining “data” to cover any information about an identified or identifiable person, and adding a category of “data with special sensitivity” (covering, for example, location data and political opinions) that attracts stricter handling
- Introducing the terms “data controller” and “data processor” in place of the older, less clear terminology for the roles responsible for a database
- Requiring organizations to appoint a Data Protection Officer (DPO) in some, though not all, cases. (Even this limited requirement is the first time Israeli law has laid out DPO requirements of any kind.)
- Expanding the enforcement powers of the Privacy Protection Authority (PPA), including its ability to define and penalize violations
- Narrowing the database registration duty: organizations need to register a database with the PPA only if it holds sensitive data on 500,000 or more people, or if it holds personal data on 100,000 or more people that was not provided by the data subjects themselves
Israeli authorities also planned to begin operating a do-not-call registry in 2023, further cementing the concept of customer consent in Israeli law.
PIPL – China
China’s first comprehensive privacy law, the Personal Information Protection Law (PIPL), was passed in August 2021 and took effect on November 1, 2021. Since Chinese users make up nearly 20% of all internet users worldwide, this law can and will affect countless businesses, including businesses outside China that process the data of people in China.
The PIPL draws visible inspiration from privacy laws around the world, especially the GDPR. Its principles include:
- Businesses must have a clearly defined, reasonable purpose for collecting and processing personal information.
- A lawful basis, most commonly the individual’s consent, must exist before a business collects or processes personal information. Unlike the GDPR, the PIPL has no general “legitimate interest” basis, so consent does far more of the work.
- Businesses whose processing exceeds a volume threshold set by the Cyberspace Administration of China must appoint a person in charge of personal information protection.
- Collection must be limited to the minimum scope necessary for the stated purpose, and personal information must not be processed excessively.
- Sensitive personal information, such as financial, health, biometric, or location data, requires the individual’s separate consent and a specific, necessary purpose.
- Businesses subject to the PIPL must conduct regular compliance audits, and must carry out a personal information protection impact assessment before higher-risk processing such as handling sensitive data or transferring data abroad.
- Businesses that violate the PIPL may face orders to suspend or stop services, confiscation of unlawful gains, and fines of up to RMB 50 million or 5% of the previous year’s turnover.
- The PIPL does not say so in as many words, but its requirement that notices be given in clear, easily understood language and that consent be informed effectively means that any business with customers in China must provide a Chinese-language version of its privacy notice and data-use disclosures.
LGPD – Brazil
Brazil’s privacy law is the only one on our list whose acronym comes from Portuguese rather than English. The Lei Geral de Proteção de Dados Pessoais (LGPD), or General Personal Data Protection Law, builds on earlier Brazilian privacy rules, such as the Marco Civil da Internet, to give consumers a more robust, GDPR-style level of protection.
Highlights of the LGPD include:
- Defining “personal data” as any information that can be used to identify a person directly or indirectly, which broadens the category of protected data significantly
- Narrow exceptions to its scope: the law does not apply to processing carried out exclusively for public safety, national defense, state security, or the investigation and prosecution of crimes, and each exception must meet specific standards
- Consumers have the right to:
- Know that their data is being processed, and how
- Access their data and have it corrected, deleted, or transferred to another provider
- Know who their data has been shared with
- Know how to revoke consent and what will happen when they do. This is an interesting addition, as explaining the consequences of revoked consent provides more transparency to the consumer.
- Revoke consent at any time
DPDP – India
India’s Digital Personal Data Protection Act (DPDP Act) was enacted in August 2023, after several earlier attempts at comprehensive privacy legislation had stalled. Oversight is entrusted to the Data Protection Board of India, which can direct remedial measures after a data breach, investigate individual complaints, and impose penalties.
The DPDP introduces several new definitions into Indian law, most notably:
- “Data fiduciary”: an individual or entity that determines the purpose and manner of personal data processing (the GDPR refers to this position as a “data controller”)
- “Significant data fiduciary”: a data fiduciary designated by the central government based on the volume and sensitivity of the data it processes, along with factors such as the processing of children’s data, the risk to data principals’ rights, and the potential impact on the sovereignty and integrity of India, electoral democracy, state security, and public order. Significant data fiduciaries carry further obligations, including data protection impact assessments, periodic audits, and the appointment of a Data Protection Officer based in India.
- “Data principal”: any individual whose data is being collected or processed (known as a “data subject” under the GDPR)
- “Consent manager”: an organization registered with the Data Protection Board that provides a single, accessible platform through which individuals can give, manage, review, and withdraw consent. (It is the consent manager, not the Board, that operates the platform.)
The Digital Personal Data Protection Act echoes the GDPR and other established privacy laws in its legal requirements. Highlights include:
- Privacy notices: Organizations are mandated to provide data principals with privacy notices before asking for consent. These notices must clearly explain the nature of personal data being collected, processing purposes, avenues for exercising rights, and how to submit complaints to the Data Protection Board.
- Valid consent: The Act emphasizes that consent must be voluntary, informed, specific, unambiguous, and unconditional. Consent must be obtained through a clear, affirmative action, and is only valid for the designated purpose. Data principals may revoke consent at any time, and data fiduciaries are required to make the process of revoking consent as straightforward as the process of granting it. Data fiduciaries are also obligated to inform downstream vendors and third parties of consent withdrawals.
- Role of consent managers: The aforementioned consent managers must be registered with the Data Protection Board and are responsible for managing individuals’ consents on their behalf. These managers are accountable to the data principals.
- Data principal rights: The law outlines several rights for data principals, including but not limited to:
- The right to obtain a summary of the personal data being processed
- The right to be informed of data processing activities
- The right to be informed of all third-party recipients of data
- The right to nominate a representative for situations where the data principal cannot advocate for themselves (for instance, if the individual is incapacitated or deceased)
Unlike the GDPR and several other privacy laws, the Digital Personal Data Protection Act does not itself restrict data fiduciaries from transferring personal data across international borders. Instead, it leaves the central government free to restrict transfers to specific countries by notification, so the list of permitted destinations can change without the Act being amended.
Data Protection Law – Jordan
In August 2023, Jordan’s Lower House approved the 2022 draft law on personal data protection. The resulting Personal Data Protection Law became binding on its publication in the Official Gazette on September 17, 2023, and takes full effect six months after that date, in March 2024.
The key provisions of Jordan’s Data Protection Law include, but are not limited to:
- The creation of a Personal Data Protection Council, which will play a pivotal role in setting protocols required for data protection and enforcing the law
- Explicit delineation of the responsibilities of data controllers, data processors, and data recipients
- Significant penalties for violations
- Application to personal data processing that began before the law took effect, with an exemption for individuals processing data for purely personal reasons
- A requirement for data controllers to inform the individuals concerned about the specifics of processing, such as its purpose, its duration, and the processors involved
Expanding Privacy Awareness
Large businesses with customers around the globe have felt the effects of increasingly restrictive privacy legislation. Under the GDPR, legitimate interest, while not exactly a loophole, lets you continue your marketing efforts without breaking the law or annoying your customers, provided you actually perform and document the balancing test and honor every objection. Most of the other regimes covered above have no equivalent basis and lean on consent or opt-out rights instead. Relying on any of these allowances requires a detailed understanding of the regulation in question, so take the time to ensure you’re interpreting these laws safely, both for you and for your customers.
Are you managing your customers’ data correctly in your marketing strategy? Get in touch to start improving today.