Everything Marketers Need to Know About Consumer Protection & Consumer Rights

Last Updated: December 16, 2021

National Consumer Protection Week and World Consumer Rights Day make March a crucial month for consumer protection and consumer rights awareness. On the occasion of these events, let’s look at what you should know about these two aspects from the GDPR and CCPA perspective.

Consumer data is now the most crucial resource for organizations across the world. But despite implementing stringent measures to protect customer data, breaches and leaks are not unheard of. Besides such security threats, many organizations adopt unscrupulous practices to acquire customer data unethically or sell it to third-party vendors without the consent of customers.

Governments have taken decisive steps to curb data fraud and leaks and give power back to consumers. Two such regulations are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). They were introduced by the European Union (EU) and the state of California, respectively.

As March celebrates National Consumer Protection Week (March 1-7) and World Consumer Rights Day (March 15), let’s understand what you, as a marketer, need to know about consumer protection and rights.

What Is the General Data Protection Regulation (GDPR)?

GDPR came into effect on May 25, 2018, and it applies to any organization that collects and processes the data of EU residents and citizens. Note that the organization need not be based in the EU region.

The purpose of GDPR is to give customers control over how organizations collect and use their data. Organizations that do not comply with the regulation can face a fine of 4% of annual revenue or 20 million euros, whichever is higher.

GDPR provides a set of rights to EU citizens or residents (known as data subjects) to let them decide how their data is managed. Marketers should know the following eight rights consumers have under GDPR:

  1. Right to Information: It provides the data subject the choice to know how a business is collecting and using their personal information and the purpose behind it.
  2. Right of Access: The individual can get access to their personal data and acquire copies of it.
  3. Right to Rectification: The data subject can ask the organization to edit or modify their personal data.
  4. Right to Restriction of Processing: This allows the data subject to withdraw previously given consent to process their personal data. The reasons could be the accuracy of the personal data or unlawful data processing.
  5. Right to Erasure: Also known as the right to be forgotten, this right enables the data subject to ask the organization to delete their personal data.
  6. Right to Data Portability: The individual can ask the organization to transfer the personal data back to them or to a third-party controller. In such cases, the data should be transferred in a structured and machine-readable format.
  7. Right to Object: The data subject has the right to object to the processing of personal data on the grounds of their personal situation.
  8. Right to Automated Individual Decision-Making: The data subject has the right to object to a decision arrived at using automated processing. In such instances, the organization may have to review the request manually.
     

Besides these rights, the organization must perform a data protection impact assessment (DPIA) before processing personal data and inform users whenever a data breach takes place.


What Is the California Consumer Privacy Act (CCPA)?

CCPA was introduced on January 1, 2020, and it is less strict than GDPR. While CCPA applies to businesses that serve Californian citizens, companies must satisfy a few criteria: they should have annual revenue of $25 million, of which at least 50% is generated from the sale of Californian consumer data. The business should also be collecting and managing data of 50,000+ Californian customers.

Marketers should be aware of the following consumer rights under CCPA:

  1. Right to Notice: Also known as the right to be informed, this right requires businesses to notify customers about the categories of customer information they are collecting, while or before collecting it.
  2. Right to Access/Disclosure: California consumers can ask businesses to disclose the personal information they’ve collected in the past twelve months. Companies should also provide the sources and purpose of information collection.
  3. Right to Opt-Out: Customers can ask businesses to stop selling their personal information to third parties. CCPA defines sale as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating customers’ personal information.
  4. Right to Request Deletion: California residents can request the organization to delete their personal information collected from them in the past twelve months, but this right has certain exceptions. The organization can retain the information to detect security incidents, exercise free speech, or for legal reasons.
  5. Right to Equal Services and Prices: Businesses can’t discriminate against consumers by charging different prices or denying the sale of products or services. However, businesses can offer financial incentives to customers for providing personal information by acquiring their consent beforehand.

 


3 Tips to Comply With GDPR and CCPA

GDPR and CCPA have both similarities and differences, but marketers can implement the following practices in their data collection process to stay out of legal trouble.

Before we look at the tips, make sure to audit your email list and remove the entries that don’t have any opt-in details. Send a new opt-in campaign for other subscribers to update their preferences.

1. Update Your Privacy Policy
 

Long before CCPA and GDPR came into existence, the California Online Privacy Protection Act of 2003 (CalOPPA) made it mandatory to post your privacy policy. If you haven’t updated it yet, do it now.

Since CCPA and GDPR require businesses to update the privacy policy, you need to do so if any part of the information is shared with or sold to a third-party entity. Also mention the third parties with whom the information has been shared.

Your privacy policy should also include how customers can contact you. Remember to keep the privacy policy concise and jargon-free.

2. Redesign the Opt-In Process
 

GDPR dictates that user consent to opt in to your newsletter or subscriber list must be gained explicitly and should not be assumed while users are filling in a form. For this, marketers need to ensure that opt-in boxes are unchecked by default. If you use a drop-down menu, keep the default field empty and let users choose whether to opt in or not.

To boost opt-ins, you can amplify your content marketing efforts. Also, don’t forget to link your privacy policy on your opt-in forms and let subscribers know how they can easily unsubscribe.

3. Create a Documented Process to Collect Information
 

In the pursuit of improving personalization, marketers collect data points that aren’t needed right away. Now, as per GDPR and CCPA, upon request, you need to disclose the purpose behind collecting specific data points. To avoid such instances, document how you collect customer information so that you can justify the purpose. For this, you can use the marketing funnel logic. For example, for top-of-the-funnel users, collect the bare essential customer data points, whereas, for qualified leads, collect as detailed information as possible.


Closing Thoughts

Although the introduction of these regulations may seem restrictive when it comes to approaching customers, it has provided marketers with better opportunities to personalize their approach. Of course, marketers who do not comply with these regulations are walking on thin ice because one mistake can cost a fortune. For example, Google and British Airways were fined 44 million and 183 million pounds, respectively, for failing to comply with GDPR.

If you are not sure, it’s always better to consult a legal professional or firm to identify and sort out any potential issues before legal actions rear their ugly heads. Another way to ensure you aren’t breaking any laws is to follow the Federal Trade Commission’s (FTC) Bureau of Consumer Protection. They address concerns raised by consumers, and this could give you a fair idea of what to do and what to avoid.

How do you plan to implement better data security measures at your organization? Tell us on Twitter, LinkedIn, or Facebook.

Indrajeet Deshpande

Contributor, Ziff Davis B2B

Indrajeet is a Marketing professional with 6+ years of experience in managing different facets of Digital Marketing. After working with SpiderG - a Pune based SaaS startup, he is now ready to work as a freelance marketer with different SaaS startups helping them with marketing strategy, plan and execution. His love for old-school hard rock and metal music culminated in taking up guitar and starting www.guitargabble.com. He’s studying Stoic philosophy, experimenting with productive habits and documenting the progress. Get in touch if you’re keen to know how you can implement pro-wrestling tactics in your marketing, community building and storytelling.