Editor’s note: Art Padilla is director of panels at ThinkNow, Burbank, Calif. This is an edited version of a post that originally appeared under the title, “The state of the union: privacy laws’ impact on the sample industry.”
The beginning of a new year not only brings celebratory toasts and resolutions but, in politics, preparation for the State of the Union address. Dating back to 1790, the State of the Union serves as a report card of sorts, as the president gives his or her take on the state of the nation and outlines the president’s legislative goals for the year. In the spirit of this time-honored tradition, I thought it timely to present an overview of the major changes impacting the online sample industry. I’ll focus on two key pieces of legislation – GDPR and CCPA – that have disrupted the current state of the sample industry and changed the way data aggregators handle consumer data.
Europe – Updates to GDPR
Facebook has become the poster child for poor mishandling of consumer data. Under intense scrutiny, Facebook founder Mark Zuckerberg has had to defend his company and its data collection practices in front of both U.S. congressional committees and the European Parliament. But Facebook isn’t alone. Many well-known companies collecting data on consumers, from cookies to search histories, e-mails to social posts and everything in between, have been criticized by regulators and are subject to enhanced privacy protection laws enacted to protect consumers.
The General Data Protection Regulation is the EU’s response to European consumers’ growing concerns on how their data is being collected and used by companies. The law, created in 2016 and implemented in 2018, replaced privacy legislation enacted in 1995. While it took some time for regulators to figure out how to effectively enforce GDPR and for users and companies to understand their rights and compliance requirements, the regulations are in practice today. Sample companies are now held accountable to highly scrutinized data collection practices while still attempting to fulfill sample requests for clients. All sample companies doing business in the European Union, either based locally or abroad, must abide by GDPR or at least have documentation that covers its specific rules. While the new law intends to protect EU consumers from data manipulation, critics say that this will end the EU’s internet innovation.
California – CCPA in effect
Inspired by GDPR, California became the first state in the U.S. to enact sweeping privacy legislation protecting its residents. The California Consumer Privacy Act, or CCPA, was passed with the intent to give California residents ownership of their data, control over what personal data is collected on them and the peace of mind of knowing that businesses will be held accountable for safeguarding their personal information. The regulations went into effect on January 1, 2020.
Under threat on penalty and fines for violations, businesses must now disclose what information they collect on consumers and for what purpose, and if that information is shared with third parties. Companies must also comply with official consumer requests to delete that data. Consumers can opt-out of their data being sold, and businesses cannot retaliate by changing the price or level of service. Businesses can, however, offer financial incentives for being allowed to collect data, i.e., incentives for participating in a survey. CCPA only affects sample companies based in California.
Critics say that the law has too many gray areas and believes that will reduce adoption and compliance within the business community. Facebook, based in Menlo Park, Calif., has eluded to not being subject to CCPA regulations, but others disagree. But it’s not just Facebook. California is the home of Silicon Valley and some of the world’s largest data companies, not to mention sample companies. Many of these sample companies are signing CCPA agreements to protect themselves from the gray areas and to position themselves to comply with the new rules.
The gray areas of CCPA give way to contractions in the law that have yet to be addressed. Companies located in New York, for example, can survey people in California and CCPA will not apply to them. Like GDPR, I expect there to be confusion around CCPA for months as regulators, companies and users work to understand the nuances of the law and how to create synergy among stakeholders in which everyone wins.