Participants in the lead generation industry know that compliance with the myriad legal frameworks that apply to their operations is not only necessary but also increasingly complex. One area where lead generators in the U.S. have traditionally operated relatively unencumbered, at least until recently, is privacy law.
Until implementation of the California Consumer Privacy Act (CCPA) in 2020, no comprehensive federal or state privacy law existed in the U.S. Yes, certain industries were subject to unique privacy regulations (GLBA for financial services, HIPAA for healthcare, FERPA for education, etc.), and regulations existed to protect the privacy of children, but no broad-spectrum privacy framework was in place.
The world has changed.
Where are we today?
Under CCPA, businesses of a certain size must now provide comprehensive privacy notices to California consumers. California consumers also receive a number of rights, including the right to access their personal information, request that it be deleted, and, importantly for lead generators, restrict the sale of their personal information.
In recent Senate testimony, California Attorney General Xavier Becerra acknowledged that his agency will initially be focusing on identifying businesses that do not have adequate privacy policies, “do not sell” links on their websites, or correct restrictions on the use of personal information in their contracts with service providers. The industry is trying to keep up with the various tools offered by the IAB, Google, Facebook, and others that partially assist with CCPA compliance, but each requires lead generation participants to carefully review and implement it.
On top of the CCPA, lead generators must also consider data broker requirements in a few states. Although requirements vary between them, California and Vermont have both instituted data broker registries. Nevada requires websites that sell personal information to data brokers to provide consumers with opt-out rights. Calls have been made for a national data broker registry, with the Data Broker List Act of 2019 introduced in the Senate last year and later bills likewise proposing data broker registries. It is likely only a matter of time before comprehensive data broker legislation passes at the federal level and/or in additional states.
Responding to legislative and consumer calls for privacy protections, tech companies are creating new ways for consumers to mask their online actions and to limit the information that third parties collect about them online. For example, Google has announced that within the next two years it will phase out the use of third-party cookies in Chrome. Safari and Firefox both already block third-party cookies by default. Recent changes to Safari allow consumers to obtain a privacy report on tracking tools that the browser prevented from running. These features make it more difficult for lead generators to track the effectiveness of their campaigns, target ads to consumers to drive them to their landing pages, and obtain the information needed to build comprehensive profiles.
Where are we going?
In November, California consumers will consider the California Privacy Rights Act (CPRA) ballot initiative. CPRA builds on CCPA in a number of respects, but most significantly for lead generators, it (1) provides additional protections for a new class of sensitive personal information, (2) creates a California Privacy Protection Agency dedicated to enforcing California’s privacy laws, (3) removes the cure period for enforcement, and (4) would require disclosures related to automated decision-making. If CPRA passes, it will come into effect on January 1, 2023.
This year, Washington almost passed a comprehensive state privacy law modeled on the EU’s General Data Protection Regulation (GDPR). Due to last-minute negotiations in conference committee that were not completed prior to the end of the legislative session, the bill did not pass. However, the Washington Privacy Act has been reintroduced for the 2021 legislative session and will be closely monitored.
Like the CCPA, the WPA as proposed would only apply to businesses that satisfy certain size thresholds, and it would exempt personal information processed under other frameworks such as GLBA, HIPAA, and FERPA. Given that the WPA is modeled on GDPR rather than CCPA, it would provide consumers with additional rights beyond those given under the CCPA and set out additional back-end requirements for businesses.
At the federal level, Congress continues to consider various legislative proposals for a national privacy law. The most recent serious contender is the SAFE DATA Act which was proposed by a group of Republican senators and combines proposals from a number of prior bills. Among other things, the law would increase transparency requirements for businesses, give consumers more control over their data, place restrictions on the collection and use of sensitive data, require businesses to conduct privacy impact assessments on certain data processing activities, and impose data security requirements.
The SAFE DATA Act preempts state privacy and data security laws that purport to regulate entities covered by the federal law. It does not preempt state data breach notification laws. The law would also expand the FTC’s jurisdictional and enforcement authorities and require it to adopt privacy regulations and establish a data broker registry.
What should lead generators do?
In the modern era where data is a business’s most valuable commodity, consumers are demanding greater control over the personal information they provide (knowingly and unwittingly). As pressure grows on legislators, regulators, and businesses to protect personal information and provide consumer choice, the lead generation industry will be called upon to respond.
As of today, lead generators should be taking a close look at their privacy policies and ensuring they have procedures in place to comply with CCPA’s numerous requirements. They should also analyze whether they meet the varying definitions of a data broker and take appropriate action if they do. If a lead generator acquires data from a third party, it should conduct due diligence on that third party and its data collection practices to establish a reasonable basis for believing that they are collecting and sharing data in a compliant manner. Likewise, businesses that rely on lead generators should conduct their own due diligence on their lead generation partners.
Lead generators also need to begin future-proofing their operations now by making smart investments in privacy-by-design to be ready when the next set of privacy regulations comes down or the next tech company implements a new privacy feature. One can reasonably anticipate what privacy regulation in the U.S. will look like in the future by looking to present privacy regulations such as CCPA and GDPR, and to those in other countries such as Canada, Australia, Brazil, and South Africa.
Businesses will need to be nimble and structure their systems to apply different sets of rules based on the data subject’s location or else prepare for the effect of applying the most restrictive rules across the board. This will require investment in data structuring, privacy management tools, and systems for automating responses to consumer requests. Privacy will need to be at the forefront of future planning.
Some view privacy regulations simply as a burden on businesses that collect, use, and share personal information, especially those businesses whose business is data. Certainly, there have been and will continue to be substantial costs associated with privacy compliance, but opportunities also exist for businesses that manage their operations in a compliant way to stand out from the pack and truly perform. Personal information gathered from a consumer who genuinely wants to provide it and is interested in the product or service is a lot more valuable than personal information harvested from unwitting individuals. Privacy regulations may begin to shift the value proposition from quantity to quality, and both consumers and the industry will be all the better for it.
A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.