To build lasting customer relationships, we need to get serious about privacy

  • Jordan Abbott

    Chief Privacy Officer

Created at May 17th, 2023

If brands want to build truly open and honest customer relationships, data privacy laws need a rethink. Last year, I wrote about Acxiom’s continued drive for a national data privacy law, and called for all of us – businesses and individuals – to be mindful of the data we create and share daily.

I think the world certainly is paying more attention to these issues, but still not as much as we should be. We’ve seen a growing sentiment in the marketing industry that says “good enough is good enough” when it comes to data privacy.  That is simply not true. The more you look at the facts, the clearer the dangers of such a stance become.

This year, I want to highlight some of the reasons behind this sense of complacency, so I can dispel some myths, add a very real sense of urgency to the conversation, and amplify Acxiom’s privacy rallying cry once again.

A global need

While some of our colleagues have been in the thick of data privacy concerns for decades, especially in regulated industries like financial services and healthcare, others are just now seeing widespread interest in data rights. In travel and retail, for example, “Forget me” (essentially, the right for consumers to be deleted from a covered business’s marketing database) is gaining traction as consumer awareness rises.

But this isn’t just a cross-industry issue – it’s cross-border, too. Data Privacy Day is observed internationally, not just here in the US, and there are different flavors of data privacy in different regions. In Europe with the GDPR, for example, we have the “right to erasure.” 

In the US, California led the charge in passing state legislation around citizens’ right to deletion with the California Consumer Privacy Act (CCPA). Virginia, Colorado, Connecticut, and Utah followed with their own state legislation. At Acxiom, we extended the rights given to Californian citizens nationwide, which we announced on last year’s International Data Privacy Day. It does not stop there. California now requires covered businesses to notify all downstream recipients of personal information of a consumer’s deletion request, not just service providers or contractors.

Time to get a better understanding of customers

Here’s one major reason why many brands have been less than proactive about data privacy measures, like “forget me”: it’s not an easy thing to manage. In order to forget me, first you must know me. So brands have to be able to accurately and completely recognize the individual – and there may be multiple incarnations of a single person in the data. Fun fact: you may know me as Jordan Abbott, but to the DMV, I’m James Abbott. (Jordan is my middle name.)

The challenge of knowing WHO to forget highlights the need not just for privacy laws, but for tools and technologies to help brands follow them. Or, to put it another way, as individuals we need rights and the ability to exercise them fully.

Say I want to make a deletion request: where do I start? As it stands today, there is no national registry identifying the various companies that might have personal information about me and how to contact them. The creation of such a registry would be a positive step, and it’s something I have advocated for since at least 2018, alongside a national privacy law.

Acxiom is of course extremely committed to speeding technical solutions to market – like the identity solutions brands need to understand the individual person across channels and platforms.

Sophisticated data management, coupled with a robust identity solution, is only going to become more important in this evolving regulatory climate. That’s why we’re working to innovate in step with – and even ahead of – regulatory requirements, so that brands can manage these requests efficiently and effectively. 

As data privacy shifts from a compliance checkbox to a strategic imperative, the solutions that enable it – like identity and data management – have become tools not just for maximizing the value of brands’ data assets, but for building better, more trusting relationships with customers.  

A question of supply and demand?

So why does this feeling of “good enough is good enough” persist? One of the contributing factors on the brand side may be the fact that there haven’t been the kinds of earth-shaking fines levied here in the US … yet. But it’s only a matter of time before we see the first examples, like we have in Europe where regulators issued a record €2.92 billion in fines in 2022. 

It’s also worth noting that the amendments to the California Consumer Privacy Act expressly set up a dedicated agency, the California Privacy Protection Agency (CPPA), whose sole focus is the enforcement of the CCPA. They will be able to conduct audits (announced or unannounced), and levy administrative fines of up to $7,500 per violation. (And it remains unclear what counts as a single violation – could a violation be assessed on a per-record basis?)

On the “demand” side of the equation, there’s also the fact that there have been relatively few requests for deletion submitted under the CCPA since it went into effect in 2020. Again, you have to look beyond the headlines and beyond the present moment. As the deletion request process becomes more streamlined and less of a burden for the individual, we can expect these to grow. 

The bigger demand-side factor for me is the generally positive perception of the use of data for personalization in marketing. As I wrote in the foreword to a recent report, US Data Privacy: What the Consumer Really Thinks 2022, the public is increasingly aware of data’s role in society, and 79% of American consumers are open to engaging in the data economy.

The lawyer who cried wolf

I don’t want to be the lawyer who (always) cries wolf, but there are further signs that data privacy rights will be enforced at greater levels in the near future.

As an example, the FTC is considering new regulations regarding “commercial surveillance.”  Just the use of that term, which is pejorative, seems to communicate the FTC’s attitude toward personalized marketing.  Similarly, the CPPA will be solely focused on the enforcement of CCPA rights. And I expect a number of additional states to pass similar laws this year (considering the vacuum at the national level). I’d bet good money on at least five states joining California, Connecticut, Colorado, and Utah.

Good enough isn’t good enough

I’ll close by grabbing my megaphone and shouting my annual refrain again. As an industry, we need:

  • Greater mindfulness of our data sharing practices on both sides of the value exchange – what’s good for consumers and brands. 
  • A continued commitment to respectful practices and an ethical approach to data.
  • To finally pass a much-needed national US privacy law.  

Good enough isn’t good enough. We need to see proactive commitments that keep us ahead of this evolving story – because it’s evolving at speed. As the months pass, we may be fighting another kind of complacency that says “soon enough is soon enough.” It’s not.  Whether you’re a lawmaker, a brand, an individual, or a service provider like Acxiom, the time to act for all of us is now.

Jordan Abbott is Chief Privacy Officer of Acxiom. He advises key stakeholders on legal, data governance and compliance policy as well as handling government relations, where he provides strategic insight on proposed legislation at the state and federal levels.