Privacy Compliance for IT Service Providers

by Barbara Higgins

02.24.2023

Is Your Business Compliant with the Latest Privacy Laws?

If you have been following the evolution of privacy policies in the United States, you may be aware that on January 1, 2023, the California Privacy Rights Act (CPRA) went into effect, adding another tier of obligations to organizations impacted by the 2018 California Consumer Privacy Act (CCPA). Specifically, this latest legislation extends CCPA consumer privacy rights to employees and carries major implications for the IT providers in the B2B sales and marketing space.

Effective business leadership requires a more dynamic understanding of the trajectory of these privacy policies as they’ve evolved over the past decade. This article offers an in-depth look at how consumer privacy laws are evolving, how they may impact IT solutions providers, and how TSRM Group can serve as a critical resource in helping its clients achieve compliance with this flurry of new legal obligations.

 

Trends in Privacy Laws over the Past Decade

Transformative innovations in data processing and computing power have altered life as we know it, giving civilization several opportunities and capabilities unfathomable just a few decades ago. But those possibilities have also given rise to a myriad of potential abuses, particularly where personal user information and privacy are concerned.

Personal information is generally defined legally as “information that can be used to identify, locate, or contact an individual, alone or when combined with other personal or identifying information.” Since the early 1990s, decision makers around the world have been working to protect it.

While privacy protections in the US up to this point have “lacked bite” according to experts and observers, state-led initiatives — like the CCPA — are quickly altering that perception. Familiarizing yourself with newly adopted privacy protections is just one piece of strategic business thinking.

This rough timeline highlights a handful of the most important data privacy laws enacted over the past several decades:

  • 1995 EU Data Protection Directive
  • 1996 US HIPAA Health and Medical Privacy
  • 2003 State Data Breach Notification Laws
  • 2012 EU Right to Be Forgotten
  • 2018 General Data Protection Regulation (GDPR)
  • 2020 California Consumer Privacy Act (CCPA)

It’s important to note that privacy rights, as a field of law, is currently more developed in the European Union than it is in the United States. We can see how this has shaped the evolution of data privacy laws over the past several years. The 1995 EU Data Protection Directive imposed obligations on all organizations that targeted or collected data on citizens of the EU.

The following year, the United States enacted the Health Insurance Portability and Accountability Act (HIPAA), which helped to streamline the secure and protected sharing of private health information. To address growing numbers of data breaches throughout industries, California became the first US state to enact data breach notification laws in 2003, paving the way for other states to follow suit.

The 2012 Right to Be Forgotten was a draft law acknowledging the legal concept that people should be able to de-link their names and misdeeds from online search results. This right was ultimately enshrined in the 2018 General Data Protection Regulation (GDPR) and was accompanied by a broad slew of other data protections.

Since GDPR only applied to EU user data, businesses selling to customers outside of the EU did not need to abide by its obligations. But that changed for many organizations in 2020, when California passed the California Consumer Privacy Act, which mirrors the GDPR in several ways and has various regulatory obligations with staggered effective dates. Once again, California has paved the way for a regulatory cascade, with other states now following suit.

 

The CCPA, CPRA, and the New Obligations for IT Service Providers

The CCPA gives consumers the right to demand from businesses any data collected on them, as well as the sources of that data and the purposes motivating its collection. But as the rise of B2B (business-to-business) marketing comes into focus, it’s clear that employee data also represents significant value to service providers. Those protections are now being delivered through the California Privacy Rights Act, which went into effect on January 1 and will gain governmental enforcement provisions in July of 2023.

It’s important to note that the CCPA law applies not only to California businesses, but to any organization dealing with data on US citizens and meeting ANY of the following criteria:

  • Generating over $25 million in revenue annually
  • Receiving the information of over 50,000 sources annually (consumers, households, devices)
  • Generating at least 50% of annual revenue from the sale of personal information

All organizations meeting any of these criteria now have a responsibility to do the following:

  1. Determine what personal information is being collected on employees
  2. Develop a privacy notice to be shared with all employees and job applicants
  3. Review all service provider contracts that involve the sharing or processing of employee personal information, and
  4. Establish internal mechanisms for receiving, analyzing, and honoring data requests from employees.

These changes impose a daunting task on IT service providers, since they rely so heavily on user data to define the best-suited sales and marketing channels. While it may seem like cold comfort to point out that privacy laws aren’t designed to stifle the use or sale of personal information (simply to regulate it), this distinction makes all the difference.

By pushing for better privacy regulations, these laws help to protect and maintain a critical degree of trust between businesses and their consumers.

 

TSRM, Your Partner in Marketing and Sales Enablement

TSRM Group provides top-tier, customized sales enablement in the IT sector (channel sales enablement, digital marketing, telesales, lead nurturing, sales strategy, sales staffing) without using this problematic third-party data, meaning that our processes are already in compliance with the latest legal requirements for handling of personal data by large organizations.

We work with IT solutions providers and integrators selling to businesses of all shapes and sizes, including state and local governments, healthcare providers, and a myriad of high-profile enterprise clients. These long-lasting relationships mean that we are well acquainted with the legal obligations of data privacy laws including the GDPR, CCPA, CPRA, and more.

And not only do we assist our partners in the IT sector with the ecosystem of tools and services to succeed, but we also manage the development and integration of sales and marketing efforts, taking a leading role over the very obligations for tracking and management of data required by the CCPA and CPRA.

If you want an industry-leading partner capable of handling the sensitive digital information required for peace of mind when dealing with digital marketing, list sourcing, and more, then look no further than TSRM Group. Contact us today to boost your organization’s competitive advantage and put you back in control.

About

The Author

Barbara Higgins

Barbara Higgins is the Senior Partner and Creative Director at TSRM Group.