Bracing for 2023 Privacy Laws: Most Businesses Aren’t Ready to Comply

Post by
Kate Reinmiller

By 2023, 75 percent of the world's population will be under consent-based privacy laws. In the US, this includes four new state laws from Colorado, Virginia, Connecticut, and Utah, as well as updates to California’s CCPA law (CPRA). 

One thing is clear: regulations are taking effect, and businesses are not ready for them. And these new laws are just the beginning of a trend that combines commercial interest, individual freedom and national security.

Consumers will have new rights to opt out of sharing personal data. This is the area where most businesses are lacking, because data leaks far more than they realize. It is an invisible threat with huge consequences for businesses that don’t take it seriously. Getting it right, however, creates a new opportunity to build trust with your customers and maintain your brand's reputation.

If you look at your current data practices, I can almost guarantee there will be holes. Data leakage usually occurs unintentionally. You may be unaware of first-party data trickling out through tags, pixels and beacons on web pages. You may not realize a software patch you recently deployed impairs the transmission of consumer opt-outs. Or your vendors may be careless in their policies. Consumers frequently know before you do, but by then it’s too late.

There are two clauses in the CCPA that many businesses are not following, and legally should be. The good news is that the new state laws generally seek to be interoperable. In other words, as more states follow suit, they’re likely to have many similarities. 

By tweaking your data practices to adhere to the following two clauses, you’ll not only protect yourself from legal action, but also be more prepared for future data privacy laws.

1. Selection and use of opt-out methods

A critical clause in the CCPA states that businesses must provide two or more approved methods for opting out of the sale of personal data. The term “selling” will be replaced with “sharing” in the updated CPRA to remove any ambiguity on this subject. When looking to see who is following the rules and who isn’t, a good place to start is with blue chip companies. 

In Q2, we conducted research on the opt-out methods used by the Fortune 100 and found that only 52 of the companies use two or more methods, and only 33 of them use two or more approved methods. This has likely already changed since Sephora was issued a fine for non-compliance in late August. If the big players with ample resources aren’t getting it right, it’s a strong indication that most other companies aren’t either.

That’s not to say these companies aren’t trying to do the right thing. What they’re doing isn’t up to code, especially when you add in how ineffective these methods can be. 

There are five common methods US enterprises offer consumers for opting out of data sharing:

  • Industry consortia
  • Web forms 
  • Consent Management Platforms (CMPs)
  • Offline methods 
  • User-enabled browser tools 

Industry consortia are the most technically reliable, but California has suggested they may not be sufficient. Web forms are effective when consumers ask company representatives to take certain actions, such as access to or deletion of data. Unfortunately, web forms fail roughly 50 percent of the time when they are used to trigger actions on web browsers, due to mistakes in configuration and implementation. CMPs can usually capture opt-out consent from site visitors, yet consent fails over one-third of the time when transmitted to third-party vendors. We call these failures dark signals.

User-enabled browser tools like Global Privacy Control (GPC) are now mandated by California. Attorney General Rob Bonta’s recent enforcement actions demonstrate the consequences of ignoring this signal. Sephora was fined $1.2 million in part for failing to heed this signal.

So how do you protect your business and your customers? Do your due diligence and identify your blind spots. Make it as easy as possible for your customers to opt out, and use methods that reflect how you interact with them. Providing a 1-800 number is questionable if you’re sharing data about non-logged-in visitors online. It is extraordinarily difficult for a call center to connect unauthenticated customers to online profiles.

Once you’ve chosen the best methods for your customers, consider using a technology to audit your methods and identify weak links. That way, if data is leaking, you can do something about it.
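The two mechanical pieces of this section, honoring the browser-sent Global Privacy Control signal and auditing whether a captured opt-out actually reached the vendors it was meant for (the "dark signals" described above), can both be checked in a few lines of code. The following is an added example, not code from the article or from any product it mentions. It assumes the GPC request header `Sec-GPC: 1` as defined by the GPC specification; the `stored_preference` values, the `VendorCall`/`SessionRecord` shapes and all sample records are constructed for illustration and do not correspond to any real site, CMP or vendor.

```python
"""Added example: honor the Global Privacy Control (GPC) signal server-side and
audit whether a captured opt-out was propagated to downstream vendor calls.
All records below are constructed for the example."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

# The GPC specification defines a request header "Sec-GPC"; the only meaningful
# value is "1", meaning the user asks not to have their data sold or shared.
GPC_HEADER = "sec-gpc"


def gpc_opt_out(headers: Dict[str, str]) -> bool:
    """True when the request carries a valid GPC opt-out.

    HTTP header names are case-insensitive, so compare lower-cased. Any value
    other than "1" is not a signal and must not be guessed as one.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def sharing_allowed(headers: Dict[str, str], stored_preference: str) -> bool:
    """Decide whether third-party sharing tags may fire for this request.

    stored_preference is the account-level choice, "opt_out" or "allow"
    (assumed field values). Either source saying opt-out wins: a stored
    "allow" cannot override a live GPC signal from the browser.
    """
    if gpc_opt_out(headers):
        return False
    return stored_preference != "opt_out"


@dataclass
class VendorCall:
    vendor: str
    opt_out_flag: bool      # did the outgoing call carry the opt-out to the vendor?


@dataclass
class SessionRecord:
    session_id: str
    consent_captured: str   # what the CMP recorded on-site: "opt_out" or "allow"
    vendor_calls: List[VendorCall]


def find_dark_signals(records: List[SessionRecord]) -> List[Tuple[str, str]]:
    """Return (session_id, vendor) pairs where the visitor opted out but the
    outgoing vendor call did not carry the opt-out: the 'dark signal' case."""
    leaks = []
    for rec in records:
        if rec.consent_captured != "opt_out":
            continue
        for call in rec.vendor_calls:
            if not call.opt_out_flag:
                leaks.append((rec.session_id, call.vendor))
    return leaks


def propagation_failure_rate(records: List[SessionRecord]) -> float:
    """Share of vendor calls from opted-out sessions that failed to carry the opt-out."""
    total = sum(len(r.vendor_calls) for r in records if r.consent_captured == "opt_out")
    if total == 0:
        return 0.0
    return len(find_dark_signals(records)) / total


# Constructed sample data (not from any real site, CMP or vendor).
SAMPLE_RECORDS = [
    SessionRecord("s1", "opt_out", [VendorCall("ads-a", True), VendorCall("analytics-b", False)]),
    SessionRecord("s2", "allow",   [VendorCall("ads-a", False)]),
    SessionRecord("s3", "opt_out", [VendorCall("ads-a", False), VendorCall("analytics-b", True)]),
]

if __name__ == "__main__":
    req = {"Host": "example.test", "Sec-GPC": "1"}       # constructed request headers
    print("sharing allowed:", sharing_allowed(req, "allow"))          # False
    print("dark signals:", find_dark_signals(SAMPLE_RECORDS))         # [('s1', 'analytics-b'), ('s3', 'ads-a')]
    print("failure rate:", propagation_failure_rate(SAMPLE_RECORDS))  # 0.5
```

The audit half is the part worth wiring into a real pipeline: feed it records built from your tag-manager or CMP logs on one side and your outbound vendor request logs on the other, and any non-empty result is a concrete opt-out that never left the building, which is exactly the class of failure the Sephora action turned on.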

2. Outsourcing or partnering with service providers

A recent addition to the CCPA regulations suggests businesses should regularly audit their partners’ data practices to ensure that shared data is used in a lawful manner. This means businesses can no longer turn a blind eye to the unethical practices of their partners (or partners' partners), or rely on contractual agreements that pass along liability.

We’ve seen cases where data was maliciously used by partners four or five times removed. These bad actors behave like credit card skimmers on gas pumps. In this case, they skim personal data rather than money, because your consumers’ data is useful to malware providers and even your competitors.

Rick Arney, co-author of the CCPA and CPRA, told us: “It’s time for businesses to truly put their consumers’ best interests first, and this new clause stops businesses from shirking their duties. That’s why it states that companies must comply with ‘not just the letter of the law, but the spirit of the law’ too.”

The law is clear: If you share the data you’re entrusted with, you are on the hook for how it is used internally and externally. If you do not audit your partners’ systems, you can't claim you didn’t know they were violating the CCPA. This supersedes indemnification clauses in your business contracts. Fortunately, software can automate monitoring for you.

Why you can’t afford to put this off any longer

If following the law and avoiding regulatory action isn’t reason enough to put these changes into practice, consider your business reputation. We’re in the era of the consumer, governed by trust, and the use of personal information plays a big part in your relationship. 

According to the 2022 Adobe Trust Report, 69% of customers will stop buying from companies who use their data without permission, and 68% will do the same if their data preferences are disrespected. The general population is more savvy about online advertising than many give them credit for, and they know when their personal information is being used without their consent.

Surveys suggest that companies are more aware of their lack of data security than we might think. According to KPMG, 62% of business leaders say they should do more to protect data, 33% say consumers should be concerned with how their data is used, and 29% admit their company sometimes uses unethical data collection methods. The era of excuses is over.

Being at the forefront of consumer protection is an opportunity to be a leader and improve your brand's reputation. And it doesn’t take much. Small steps are better than none and are acknowledged by enforcers. Colorado Attorney General Philip Weiser stated “our number one priority is those who are wilfully non complying with the law. That is where our blood is going to most boil.”

Connecticut State Senator James Maroney, who wrote Connecticut’s privacy law, made a similar point when he said their attorney general is not looking for “foot faults or little fouls.”

The intent is not to harm businesses. The laws are here to protect consumers. 

The arrival of CAN-SPAM in 2003, after email users demanded more privacy, was a huge shift. Now opt-out provisions are expected. The same thing is happening with privacy in digital advertising. Embrace the changes now, and your consumers will thank you for it.