The Value of Compliance in First-Party Data
The present demand from users regarding first-party data collection is that organizations be transparent about how they manage data. The GDPR and CCPA are clear on this point, and their guidance comes down to two things:
A. Giving people a complete understanding of where their data is going
B. The user’s right to choose what data to share and the right to transparency
Ameesh Divatia, Co-Founder & CEO of Baffle, Inc., focused on the importance of compliance as a priority for companies in 2023 in an interview he gave to Forbes Magazine. He highlighted that five states (California, Colorado, Connecticut, Utah and Virginia) will enact new or updated data privacy laws, and that many other states are considering laws of their own. This is in addition to industry regulations and national laws such as the GDPR. Each data privacy law has its own rigidity and nuances, which makes compliance complex and confusing.
Data is the differentiating factor that lets a business outperform its competitors. In 2023, several trends will further reinforce data’s value. Let’s take a look at those trends and what companies should do in the coming year to address them.
Now, as more data privacy laws take effect in the U.S. and worldwide, companies that have not taken the appropriate steps to protect data are incurring significant fines. For example, in 2022 the retailer Sephora agreed to a $1.2 million penalty for violating the California Consumer Privacy Act (CCPA), and Google and Meta are facing a combined $71.8 million fine for violating South Korea’s data privacy law.
Statutory Organizational Concerns When Using First-Party Data
One of the main concerns organizations have when addressing data privacy and cybersecurity is liability. Under regulations like the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA), an organization that shares personal data must enter into a contract with any third party that processes that data on its behalf.
There is something of a shared-responsibility model between data controllers and data processors. The legal drawback? When an organization uses only first-party data, and therefore forgoes third parties (processors or service providers), it assumes all of the risk and liability itself.
But it is not all bad news. Control and transparency over data is a significant factor in regulatory compliance, especially for often-discussed issues such as consent. Article 7(1) of the GDPR (Conditions for Consent) states that “[w]here processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” Consent is one of the six lawful bases for the collection and processing of personal data under the GDPR. Pursuant to Article 6(1)(a) (Lawfulness of Processing), “[p]rocessing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes[.]”
An organization that processes only first-party data therefore does not need to enter into contracts with third parties around its processing activities. This can give it a sense of security and transparency as to how its data is being processed. Nevertheless, it also means the organization stands alone on a sharp ledge if a liability issue arises.
Most data processing agreements include indemnification provisions that at least widen that ledge a bit. So while the controller cannot avoid liability to the data subject or the regulatory authority, it can recoup some of those costs through an indemnification from its processor or service provider. If the data is not shared, as in a first-party collection setup, the controller is solely responsible for all actions, inactions, or issues regarding the data. Thus, like all issues around data privacy and cybersecurity, this is a balancing test that must weigh the legal costs and strategic benefits of using, or bypassing, third parties.
What We Can Expect
Forward-thinking companies look beyond compliance and protect data with a data-centric approach: methods that protect the data itself rather than only the systems around it, and so drastically lower the impact of the eventual breach. This approach results in a ‘fail-safe’ posture in which a breach is assumed, but the lost data is unusable to the attacker, sharply reducing the prospect of embarrassing disclosure and punitive damages.
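As an added illustration of what such a data-centric, breach-assumed posture looks like in code (this is example code written for this page, not Baffle’s product or anything the article describes), the Go program below encrypts the sensitive fields of a first-party customer record with AES-256-GCM before the record is written to a datastore. The key is assumed to live outside the database (in a KMS or HSM; here it is just a byte slice passed in), the record layout and field names are invented for the example, and the sample customer data is constructed. A database dump therefore yields opaque blobs for the sensitive columns, and because each ciphertext is bound to its record ID and column name through the AEAD’s additional data, an attacker with write access cannot quietly move a valid ciphertext between rows or fields either.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Record is a first-party customer record as the application sees it.
// Email and Phone are treated as sensitive; Tier is not. (Invented layout.)
type Record struct {
	ID, Email, Phone, Tier string
}

// StoredRecord is what lands in the database: sensitive fields are
// base64(nonce || ciphertext || tag) and are unusable without the key.
type StoredRecord struct {
	ID, Email, Phone, Tier string
}

// FieldCipher wraps an AES-256-GCM key that is held outside the datastore
// (in production fetched from a KMS/HSM; here supplied directly).
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad binds a ciphertext to its row and column so that a blob copied from
// another record or field fails authentication instead of decrypting.
func aad(recordID, field string) []byte { return []byte(recordID + "\x00" + field) }

// Seal encrypts one field value with a fresh random nonce.
func (f *FieldCipher) Seal(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal; it errors on a wrong key, a tampered blob, or a blob
// that belongs to a different record or field.
func (f *FieldCipher) Open(recordID, field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Protect converts an application record into its stored form.
func (f *FieldCipher) Protect(r Record) (StoredRecord, error) {
	email, err := f.Seal(r.ID, "email", r.Email)
	if err != nil {
		return StoredRecord{}, err
	}
	phone, err := f.Seal(r.ID, "phone", r.Phone)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{ID: r.ID, Email: email, Phone: phone, Tier: r.Tier}, nil
}

// Recover turns a stored record back into plaintext for an authorized caller.
func (f *FieldCipher) Recover(s StoredRecord) (Record, error) {
	email, err := f.Open(s.ID, "email", s.Email)
	if err != nil {
		return Record{}, err
	}
	phone, err := f.Open(s.ID, "phone", s.Phone)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: s.ID, Email: email, Phone: phone, Tier: s.Tier}, nil
}

func main() {
	key := make([]byte, 32) // demo key generated on the fly; use a KMS in production
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	// Constructed sample record, not real customer data.
	stored, _ := fc.Protect(Record{ID: "cust-1001", Email: "alice@example.com", Phone: "+1-555-0100", Tier: "gold"})
	fmt.Printf("what a database dump shows: %+v\n", stored)
	back, _ := fc.Recover(stored)
	fmt.Printf("what the application sees:  %+v\n", back)
}
```

The design choice worth noting is the additional data: encrypting each field is what makes a dumped table unusable, but binding the ciphertext to its row and column is what stops an attacker with write access from reassigning one customer’s data to another account. Key management (rotation, access logging, separating who can read the key from who can read the database) is where the real operational work lies and is out of scope for this snippet.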
Companies that do so ease the burden of potential non-compliance and reap more rewards from processing their data. Addressing compliance proactively avoids costly fines, lost business and reputational damage while gaining a competitive advantage over those who take a more reactive approach, particularly when paired with first-party data tools that give easy access to authentic first-party data.