Over the past five years, data privacy and security have become key issues for consumers, businesses, and governments around the world. From device manufacturers like Apple promoting enhanced device privacy requirements to social media giants like Facebook undergoing scrutiny for lax data sharing policies, we’re seeing brands in every technology sector responding to increased scrutiny when it comes to their consumer data sharing and protection practices.

With the enforcement of the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and more new laws in this vein likely, it’s more important than ever for brands to think seriously about data privacy and security, and whether their current practices and technologies are up to tomorrow’s challenge.

Data Privacy vs. Data Security

While data privacy and security aren’t the same thing, they do complement each other and are both essential to providing a safe and trustworthy digital experience.

• Data privacy requires brands to ensure that personally identifiable data entrusted to them by consumers are only used by the brands in question—and not shared with other parties without consumers’ informed consent.
• Data security, on the other hand, requires companies to protect the integrity and confidentiality of the user data they hold by preventing hackers and other unauthorized users from gaining access or using the data for malicious purposes.

The fundamentals of data privacy depend on good data security practices—after all, it’s hard to promise that the information will only be used for the stated purpose if it’s been grabbed by hackers. And while it’s possible for a company to have good data security practices but poor data privacy practices (or vice versa), doing one or the other well isn’t enough in today’s increasingly strict regulatory environment. Modern companies need to understand what’s at stake and take their data-related obligations seriously, especially when it comes to consumer personal data.

Why Data Privacy and Security Matter

For brands, the principles of data privacy and security can—and should—go hand-in-hand to create a reliable and positive experience for customers.

Today’s consumer trusts apps, websites, and other digital services with a wide range of personal information, including home addresses, credit card numbers, product preferences, and more, all because they hope to benefit from solutions that make their lives easier, more efficient, and more manageable. But that willingness to share data depends on a belief by consumers that the brands they patronize can be trusted to keep the information they share safe and confidential.

Studies have shown that 68% of consumers have concerns over how brands approach data security, an unsurprising statistic considering the sheer number of media reports concerning data breaches and security failures. The first half of 2017 alone saw 1.9 billion data records become compromised, and the years since have seen major breaches involving Marriott and British Airways, among many others.

Data Privacy/Security and the Law: GDPR, CCPA, and Beyond

The real-world need for enhanced, reliable data privacy and security practices on the part of businesses and other organizations collecting consumers’ personally identifiable information had pushed legislators around the globe to take action. And the new rules set down by EU’s GDPR and California’s CCPA are already changing the data privacy and security landscape.

First enacted in 2016 and enforced beginning in May 2018, GDPR mandates that companies collecting personal information from European Data Subjects comply with new disclosure obligations, and respect requests from the European citizens with regards to their personal information. Those requests can include data disclosures, adjustments, and even the blanket deletion of their personal data, depending on the circumstances.

GDPR was quickly followed by CCPA in the United States, which was enacted in June 2018 and began to be enforced on January 1, 2020. CCPA focuses on the rights of consumers to opt-out of the sale of their personal information and also requires companies that collect such data to provide new data rights, similar to the rights that exist under GDPR. In addition, CCPA sets down even more stringent rules on data collection for children, requiring an opt-in for the personal information of individuals under the age of 16 and blocking the collection of information about individuals under 12 without their parent or guardian’s consent.

The fines for noncompliance with both of these laws can be steep. (In fact, as of January 2020, $126 million in fines have been levied against companies who were found to violate GDPR.) Because of these potential penalties, both GDPR and CCPA have pushed organizations to build or maintain digital services that have strong data security capabilities deeply embedded. A number of states, as well as the federal government, are currently drafting laws along the lines of CCPA. As a result, strict privacy protections are becoming the norm in today’s data-centric world.

Final Thoughts

As new laws follow GDPR and CCPA, companies around the globe will increasingly need to rethink their approach to data privacy and security, not only to comply with these new rules, but also to successfully meet ever-increasing consumer awareness and expectations around their personal information.

Looking to dig deeper? Check out exclusive insights into today’s privacy-focused marketing landscape from Braze General Counsel Susan Wiseman in “The Road To Privacy Compliance Is Steep.”