As a marketer, you might have heard of GDPR. You might have had to deal with CPRA obligations. Maybe even the ePrivacy Directive rings a bell?
One thing you’ve most certainly faced are the numerous consent prompts that follow you across the web and your apps, asking for your permission for odd things like “sharing personal data with third parties” and “accessing information in device storage”.
The digital era brought in its wake huge, incomprehensibly complex machinery for collecting, handling, and sharing personal data of internet users. This machinery fuels the business of digital ads, of social media, of online news sites, of analytics vendors, and of many other endeavors that share a slice of this pie worth trillions of dollars.
As such, there’s always been an imbalance between the resources these huge companies have and the individual whose data is being exploited.
Human beings have a right to their personal data. They have a right to privacy. How those rights are respected and treated depends on the region and the legislation in place, but there’s certainly been a lot of movement in the legislative space to fix the imbalance in favor of the individual.
As a technical marketer, your job most likely revolves around handling personal data of your users. Consider yourself a steward of this information – tasked with safeguarding the privacy and integrity of the data. This is not just an ethical stance – it’s a legal obligation.
Data breaches and data leaks that come from inappropriate handling of user data can lead to severe brand damage, loss of customer trust, and substantial financial penalties.
For these reasons alone, understanding the basics of data protection measures and the related legislation is absolutely vital for anyone working in the digital world.
Don’t miss this fact!
Data protection is not solely a legal obligation. You are ethically bound to respect your visitors’, end users’, and customers’ right to privacy.
General Data Protection Regulation (GDPR)
GDPR is a pivotal piece of legislation in the world of data privacy and data protection. Originating from the European Union, it is considered a global benchmark for data protection standards.
At the heart of GDPR are several key principles that govern the collection and processing of personal data.
- Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and transparently in relation to the data subject.
- Purpose limitation: Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is in conflict with those purposes.
- Data minimization: Personal data collection should be adequate, relevant, and limited to what is necessary for the agreed purposes.
- Accuracy: Personal data should be kept accurate and, where necessary, up to date.
- Storage limitation: Personal data should be stored so that the identification of data subjects is possible only for as long as is absolutely necessary.
- Integrity and confidentiality: Personal data should be processed in a manner that ensures appropriate security.
- Accountability: The data controller is responsible for, and must be able to demonstrate, compliance with the other principles.
Under GDPR, the data controller is the party that determines the purposes and means of processing personal data. As a technical marketer, your company would typically be a data controller if you collect personal data for marketing purposes, for example.
The tools and services you use to fulfill your data controller tasks would typically be data processors. However, if these services define additional purposes (such as linking user data to their own systems), they would be joint or independent controllers of this user data with you.
GDPR establishes six legal bases for validating the lawfulness of personal data processing. The most commonly used are legitimate interest and consent.
Legitimate interest is a very flexible legal basis. It’s predicated on the idea that the personal data processing happens in a way that the data subject would expect.
Example
If a visitor to your site subscribes to your newsletter, you don’t need an additional consent prompt to ask the visitor if they’re ok with their email address being used for the newsletter. By voluntarily subscribing to the newsletter, it’s reasonable to expect the visitor understands their email address will be used for this purpose.
GDPR establishes multiple rights of the data subject, such as the right to be forgotten. These rights and GDPR’s provisions in general are protected by fairly hefty fines – up to 4% of annual global turnover or €20 million, whichever is higher.
Deep Dive
Privacy laws around the world
There are many privacy laws around the world – over 70% of the world’s countries have some type of legislation in place. The bulk of these laws have been inspired by the EU’s General Data Protection Regulation.
While you don’t need to know the bits and pieces of all these different legislations, the overarching point is that ignoring data protection principles is no longer a viable option in the global data market.
For technical marketers, navigating these international laws requires understanding the local laws of the markets your business operates in, implementing universal best practices (adopting practices that align with the strictest of privacy laws to ensure compliance), and being adaptable, since privacy laws are constantly evolving. Staying informed and adaptable is key.
Here are some of the most significant privacy legislations around the world:
United States
Unlike the EU, the United States doesn’t have a single, comprehensive federal privacy law. Instead, it employs a sectoral approach with various laws targeting specific industries.
Some of the most important laws in the U.S. include:
- The California Consumer Privacy Act (CCPA): This act grants California residents the right to know what personal data is being collected and to whom it is being sold or disclosed, along with the right to access, delete, or opt out of the sale of their personal data.
- The California Privacy Rights Act (CPRA): CPRA extends the scope of CCPA by including organizations that not only sell personal data but also share personal data. It introduces additional protections for consumers, for example with regard to their data being used for targeted advertising.
- The Health Insurance Portability and Accountability Act (HIPAA): This act protects sensitive patient health information from being disclosed without the patient’s consent or knowledge. It applies to businesses in the healthcare sector.
- The Children’s Online Privacy Protection Act (COPPA): COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age. It mandates parental consent before collecting, using, or disclosing personal data from children.
Lack of federal legislation and the powerful lobby of the U.S. surveillance sector have made it difficult to establish cooperation and interoperability between EU and the U.S. with regard to handling personal data.
In U.S. law, non-citizens are regarded as aliens and have greatly reduced protections when it comes to personal data. In the EU, in contrast, even those just visiting the region are entitled to the full protection of GDPR.
Asia-Pacific
- China: The Personal Information Protection Law (PIPL), similar to GDPR, regulates data processing activities and mandates consent for data collection.
- Japan: The Act on the Protection of Personal Information (APPI) requires businesses to respect individuals’ rights regarding their personal data.
- Australia: The Australian Privacy Principles (APPs) under the Privacy Act 1988 govern standards, rights, and obligations around collecting, using, and disclosing personal data.
Others
- Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out rules for the collection, use, and disclosure of personal data in the course of commercial activity.
- Latin America: Brazil has the General Data Protection Law (LGPD) and Argentina has the Personal Data Protection Act. Both have established comprehensive frameworks inspired by GDPR.
Consent
Consent is shorthand for “notice and choice” in the digital world.
It means that users are prompted for a choice – do they grant consent to their data being used for specific purposes or not.
Consent is one of the six legal bases for lawful processing of personal data under GDPR. In other words, if you are in doubt whether you have the right to process certain user data, asking for explicit affirmation from the user is one way to ensure the legality of the data collection and processing.
However, consent is also ethically questionable and sometimes a downright dangerous basis to hang your proverbial data hat on. Considering the number of data processors and data sharing activities that modern sites and apps work with, what users actually consent to is likely to go over their heads.
A single decision based on a cursory look at the gobbledygook of a consent prompt can have downstream effects that haunt the user for years. Add to this the fact that many companies try to tweak the UX to secure affirmative consent any way they can.
GDPR, for example, requires consent to be explicit, informed, and easy to withdraw. All three of these are controversial and consistently toyed with in the world of UX patterns.
While you may be tempted to mess around with consent UX to secure as much data as you can, you should err on the side of maximum data protection. Remember that your visitors have a sacrosanct right to privacy – trying to game that with UX patterns will not be a durable strategy.
Deep Dive
ePrivacy Directive
The ePrivacy Directive, commonly known as the “EU Cookie Law”, is a legal framework that complements GDPR for the electronic communication sector.
The ePrivacy Directive is the main reason for the proliferation of cookie banners and cookie prompts on the web.
One of its key provisions is the requirement that all access to device storage (such as cookies) that is not strictly necessary for the delivery of the service requires affirmative consent from the visitor.
In other words – if a browser cookie isn’t even being used for personal data collection and processing (in which case it wouldn’t fall under GDPR), it would still be covered by the ePrivacy Directive as it uses device storage.
Being a directive, ePrivacy is transposed in different ways in EU countries’ national laws. Thus, in some regions the interpretations are stricter, and in some regions they are more relaxed.
As a technical marketer, privacy audits might fall in your lap, too. For ePrivacy, you might need to assess the different types of device storage that your tools and services utilize, and make sure they are evaluated for whether they are strictly necessary for the service to function or not. Most likely your marketing tools will require consent from your visitors before you can allow them to store anything in the visitor’s device.
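One way to run the device-storage check described above, as an added example that is not part of the original handbook: it compares storage writes recorded during a test visit against a storage inventory and flags anything written without consent or never evaluated. The inventory, cookie names, and recorded writes are constructed; whether an item is strictly necessary is a decision your team records in the inventory, not something the code infers.

```javascript
// Added example: audit recorded device-storage writes against a storage inventory.
// All names and values below are constructed sample data.

// Inventory produced by the audit: each known storage item, the tool that owns it,
// and the recorded decision on whether it is strictly necessary for the service.
const INVENTORY = {
  session_id:    { owner: "web app",        strictlyNecessary: true },
  csrf_token:    { owner: "web app",        strictlyNecessary: true },
  consent_state: { owner: "consent banner", strictlyNecessary: true },
  _analytics_id: { owner: "analytics tool", strictlyNecessary: false },
  _ad_click:     { owner: "ad platform",    strictlyNecessary: false },
};

// Writes recorded during a test visit, with the consent state at the time of the write.
const OBSERVED = [
  { kind: "cookie", raw: "session_id=abc123; Path=/; HttpOnly; Secure", consentGranted: false },
  { kind: "cookie", raw: "_analytics_id=u.1234; Max-Age=63072000; Path=/", consentGranted: false },
  { kind: "cookie", raw: "_ad_click=xyz; Max-Age=7776000; Path=/", consentGranted: true },
  { kind: "localStorage", key: "ab_test_bucket", consentGranted: false },
];

// Split a Set-Cookie value into its name, value, and attributes.
// Returns null when the line has no cookie name.
function parseSetCookie(raw) {
  const [pair, ...attrParts] = raw.split(";");
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const attrs = {};
  for (const part of attrParts) {
    const [k, ...v] = part.trim().split("=");
    if (k) attrs[k.toLowerCase()] = v.length ? v.join("=") : true;
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Classify every recorded write:
//   "ok"                      strictly necessary, or written after consent was granted
//   "written-without-consent" not strictly necessary and written before consent
//   "unclassified"            not in the inventory, so it has not been evaluated yet
function auditStorage(observations, inventory) {
  return observations.map((obs) => {
    const parsed = obs.kind === "cookie" ? parseSetCookie(obs.raw) : null;
    const name = obs.kind === "cookie" ? (parsed ? parsed.name : "(unparseable)") : obs.key;
    const known = Object.prototype.hasOwnProperty.call(inventory, name);
    const entry = known ? inventory[name] : null;

    let verdict;
    if (!entry) verdict = "unclassified";
    else if (entry.strictlyNecessary || obs.consentGranted) verdict = "ok";
    else verdict = "written-without-consent";

    // Report the cookie lifetime so reviewers can see how long the item persists.
    const maxAge = parsed ? parsed.attrs["max-age"] : undefined;
    const lifetimeDays = typeof maxAge === "string" ? Math.round(Number(maxAge) / 86400) : null;

    return { kind: obs.kind, name, owner: entry ? entry.owner : "unknown", verdict, lifetimeDays };
  });
}

// Findings that someone has to act on.
function needsAttention(findings) {
  return findings.filter((f) => f.verdict !== "ok");
}

for (const f of needsAttention(auditStorage(OBSERVED, INVENTORY))) {
  console.log(`${f.verdict}: ${f.kind} "${f.name}" (owner: ${f.owner})`);
}
```

An "unclassified" finding stays open even when consent was granted, because the item has not yet been assessed as strictly necessary or not.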
Ready for a quick break?
You have our consent to take a break now. We respect your right to relax!
Different flavors of risk
While much of data protection falls under legal obligations, there are other things to consider, too. If you choose to protect users’ right to privacy only because the law requires you to do so, your effort will most likely be underwhelming.
Legislation moves slowly. Companies are very good at finding ways to resume access to data blocked by legislation or technology, using legal loopholes and poorly scoped risk assessment exercises.
But consumers are aware. These days they understand much more about privacy and data protection than data-hungry companies like to think. As such, the risk of participating in questionable data harvesting practices goes beyond just legal risk.
There is the ethical risk of assuming that the user is OK with you collecting data from them even if they denied consent. Typically, the excuse is that the consent was solely for device storage (ePrivacy, for example) and personal data (GDPR, for example). However, it’s dangerous to make assumptions about the intent of consent. Users might say “no” to cookies and personal data, but they might say “no” to many more things – you just didn’t ask them explicitly.
There is the brand risk of negative public exposure, if it becomes known that you are collecting data from users with ethically questionable means. Many companies have been outed in public for their questionable activities regarding user data.
There is the data security risk of inadvertently collecting sensitive information just because you didn’t pause data collection when consent was not granted.
Laws like GDPR are really about risk assessment. There is no laundry list of items that you always must follow without exceptions. Your company (and your legal team) need to assess the level of risk involved with all your decisions as a data controller.
Deep Dive
Data Protection Impact Assessment (DPIA)
Impact assessments are processes designed to help organizations identify and minimize data protection risks in their organizations.
DPIAs are particularly relevant under GDPR in the European Union, but they are a useful exercise to take under any data protection framework.
The purpose of a DPIA is to systematically analyze, identify, and minimize the data protection risks of a project or plan.
DPIAs help ensure compliance with data protection laws, by demonstrating that appropriate measures have been taken to protect personal data.
A DPIA is required (for example, under GDPR) when data processing is likely to result in a high risk to the rights and freedoms of individuals. Examples include:
- Large-scale processing of sensitive data.
- Systematic monitoring of public areas on a large scale.
- Use of new technologies or novel applications of existing technologies.
Sometimes a DPIA is beneficial even beyond the legal requirement. It lets your organization anticipate, identify, and address issues at an early stage. DPIAs also demonstrate your organization’s commitment to data protection and help you achieve regulatory compliance proactively.
We (the Handbook authors) are not lawyers. We are not equipped to tell you how to run your company, how to act as a data controller, which laws to follow, and what risks are worth taking.
However, by reminding you about how serious the legislation is about data protection in almost all corners of the world, we hope to inspire you to think of Privacy by Design from the vantage point of your visitors – all of whom are entitled to data protection and privacy under the full protection of the law.
As a technical marketer, you will be cajoled, tempted, and even coerced by data companies to get more data at whatever cost. Data is incredibly valuable. But you must remember that the right to privacy is incredibly valuable to the individual, too.
Key takeaway #1: Right to personal data protection
Article 8 of the EU Charter of Fundamental Rights states that everyone has the right to the protection of personal data concerning him or her. While this is indeed only in the EU, it’s good to take it as a guiding principle regardless of where in the world you operate. This is the foundational principle behind GDPR, and GDPR has been the blueprint for many other privacy laws and regulations around the world.
Key takeaway #2: Consent needs to be informed
Consent is a legal basis that is often used as justification for processing personal data. Users are asked, typically in a consent prompt or a banner, whether they grant the data controller the right to collect and process the user’s personal data. However, most users don’t understand what they are actually consenting to. They are faced with overwhelming options or complex legal (or technical) terminology, so it’s difficult to argue the consent was informed and freely given. Often, sites try to manipulate users to grant consent by using complicated UX patterns to mislead them.
Key takeaway #3: Privacy risks are gradient, not binary
Privacy laws and regulations often leave a lot for interpretation. They can’t possibly cover all possible use cases without ambiguity, so they might be broadly worded to allow organizations to justify their actions in a variety of ways. It’s thus important to assess the risks and privacy impacts of operations that deal with personal data. Sometimes, even though there is a risk, it’s deemed acceptable enough to proceed with the chosen approach. What’s most important is that these assessments are documented and that data collection is done within the boundaries of what the assessment covers.