Data collection and privacy: Understanding the legal limits

This article is part of a VB special issue. Read the full series here: Building the foundation for customer data quality.

Data is critical to running a modern business — enterprises simply can’t survive or thrive without it. 

“Today’s information society and economy is sustained and propelled forward by the use of data,” said Joe Jones, director of research and insights at the International Association of Privacy Professionals (IAPP). 

But with increased and evolving regulatory scrutiny, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), businesses have a fine line to toe. On the one hand, you need data to run your business and cater to existing and prospective customers; on the other, you don’t want to misuse it for risk of hefty fines, customer mistrust and negative business outcomes. 

“Piecing together the alphabet soup of proliferating regulations and translating it into clear and consistent requirements is a top priority and challenge for organizations,” said Jones.

GDPR just the start

Data is so critical to modern organizations because it allows them to analyze consumer behavior, identify market trends and deliver customized advertising (among other benefits), Jones pointed out. Enterprises can quickly and efficiently understand their target market and inform strategic decision-making. 

But the ubiquity of new technologies and the risks associated with them have stirred curiosity, generated controversy and resulted in sharper regulatory scrutiny.

In parallel with the GDPR — now in its fifth year — roughly 25 states and Puerto Rico have introduced or are considering about 140 consumer privacy bills this year. These include the Virginia Consumer Data Protection Act (effective Jan. 1); the Colorado Privacy Act (effective July 1); the Connecticut Personal Data Privacy and Online Monitoring Act (also effective July 1); and the Utah Consumer Privacy Act (effective Dec. 31). 

That’s not to mention the longstanding HIPAA requirements and regulation around financial services — in fact, a bill proposed by U.S. Congressman Patrick McHenry (NC) would further limit data collection by financial institutions. 

“As with most issues in the financial system, we need to balance fostering innovation with protecting consumers,” McHenry said in favor the proposed legislation, H.R. 1165. 

Steep fines, increased litigation

Furthermore, companies that do not meet data privacy laws can face millions in fines: Even the smallest of GDPR infractions can cost up to €20 million (or roughly $21.7 million). But many of the world’s biggest companies have been slapped with even heftier fines. These include Meta ($1.2 billion), Amazon ($781 million), Instagram ($427 million) and WhatsApp ($247 million) to name a few. 

“The GDPR and its regulatory enforcement structures have cranked into gear over the past few months,” said Jones.

More than 5% of use cases that now reach the Court of Justice — EU’s highest court — are about the GDPR, Jones pointed out, which is “a sure sign of the GDPR’s maturing litigious environment.”

Every organization impacted by data collection rules

Moving forward, any organization that processes and uses data — from adtech, to financial services, to cloud services — will invariably find themselves covered not just by the GDPR but by sectoral rules, rules on platform liability, rules on cybersecurity and other countries’ privacy rules, Jones pointed out.

This “patchwork of laws creates a web of compliance for companies functioning in a global manner in collecting data,” said Heather Dunn Navarro, associate general counsel for product and privacy at digital analytics company Amplitude. And going forward, she pointed out, “regulations are inevitable.”

That’s not to mention the fact that consumers are increasingly aware (and wary) of organizations collecting and using their data — and the majority simply don’t like to be tracked. 

In a KPMG report on consumer sentiment, 86% of respondents said data privacy is a growing concern. Furthermore, according to the IAPP’s Privacy andConsumer Trust Report, 64% of consumers indicated that companies that provide clear information about their privacy policies enhance their trust. 

“Consumers move with their feet,” said Jones, “and organizations are becoming increasingly aware of the business benefits in designing-in, integrating and projecting privacy-preserving and enhancing techniques.”

Get ahead of legislation

Ideally, further clarity promised from the EuropeanData Protection Board should guide organizations that collect, share and use data, said Dunn Navarro. 

One way organizations can navigate privacy regulations is to benchmark their programs against those that are strictest, she said (GDPR is the best bet). While this might over-limit what organizations can collect, they can start with that base and gain an understanding of where they can flex and adjust as needed. 

Critically, every organization should have a dedicated team — whether internal or external — that can help them stay abreast of all these emerging and evolving regulations and the changing legal landscape, said Dunn Navarro. This helps inform their understanding of customer rights in all regions where companies are doing business (and providing the right notice on collection and processes to comply with those).

For instance, in her role as associate general counsel for product and privacy, she works across the organization to ensure it is properly handling its own data. That includes working closely with product and engineering teams to ensure they are designing and building compliant products and features. 

Privacy always first

Building a “privacy first” culture should be the focus of every organization going forward, said Dunn Navarro. 

“Data is touching every part of your business, every part of the company is collecting and handling data,” she said. “To ensure you’re staying compliant, you need awareness across the company, support across the company.”

Employees must be trained so they are aware of their role in data privacy and are aware and mindful of privacy laws and risks. Also, organizations should always respond to consumer requests and inquiries around data collection and use. 

“Having diligence internally around when you actually need to use [data] or how to use it is one of the challenges as companies mature,” said Dunn Navarro. “Companies collecting and handling data really need to invest in privacy and security and have strong operations that will allow them to adjust to changes as they arise.”

Privacy “alive and kicking”

Jones agreed that “compliance beyond checkmarks” has become an increasingly common and critical governance shift for organizations. 

The use of privacy performance metrics, third-party audit and accountability tools and privacy-enhancing technologies are all increasingly being considered and used by organizations to better manage their privacy practices.

The good news, Jones said: “Privacy is not dead, it is alive and kicking.”