As we look back on the first Data Privacy Day (January 28th) of the new decade and the name of the game for digital media companies in the twenty-twenties is compliance. Of the myriad tech stories to surface in the last year––large scale data breaches, fake political ads, and deep fake videos, to name a few––many of them served as stark reminders that mistrust is at an all time high for tech company titans and the walled gardens they have built around their operations. Consumers are more concerned than ever about how their personal data and preferences are being managed—a mere 25% of consumers believe that most companies are handling sensitive personal data responsibly, according to PwC. In response to this growing sense of unease, we’re seeing national and state administrations, one by one, introducing meaningful legislation that will influence the way consumer data is amassed, stored, and used in the decade to come.

Unfolding developments in data regulation

Ever since the European Union’s General Data Protection Regulation (GDPR) was introduced in 2018, governments around the globe have utilised it as a prime point of reference as they come out with their own frameworks. While record-setting penalties against British Airways and Marriott were announced earlier in the year, these cases are still going through the process of appeal and it was only at the very end of 2019 that we saw the first fine issued under GDPR to the tune of £275,000. It’s a reminder that even with the threat of enforcement looming over them, it will still take time before industry leaders get on board and make substantial improvements to how they protect, manage, and use customer data.

Starting off this year in the United States was the California Consumer Privacy Act (CCPA)—a data privacy framework that bolsters the privacy rights of California residents, while introducing wider implications for local businesses as much as global, digital businesses looking to engage with Californians. Under the CCPA, it is the responsibility of organisations to know the origins and destination of any piece of consumer data, and to track the selling of personal information for any purpose. Should a company fail in their duty to protect the data of a California user, steep fines of up to four percent of their annual global revenue are on the table. Both the CCPA and the GDPR will be likely models for Canada this year as the country’s privacy commissioner works on a new set of online regulations and privacy rights that will cover data portability across platforms, proactive data security requirements, and online discrimination such as bias and harassment.

Similar regulations to safeguard consumer data are being drafted in emerging markets where digital transformation is moving at a sprint, forcing governments to act quickly to establish standards for data privacy. Thailand announced the Personal Data Protection Act that will come into force later this year, and India is moving to pass the Personal Data Protection Bill - 2019, which will grant the Indian government wide-ranging powers to regulate how websites collect and use personal data and also curb the spread of false information. Disinformation campaigns and hate speech spread over social media have become major issues in Asia—becoming particularly rampant during tumultuous events like general elections, and local authorities are struggling to effectively deal with malicious actors while educating the public on how to separate falsities from fact before hitting the “send” button. Though data privacy laws were not intended to directly address disinformation and harmful speech, they may help indirectly by limiting access to the data that is used by malefactors in micro-targeting specific audiences to maximise outrage.

Recently in China, the central government has been cracking down on app developers who illegally collect and use personal information without consent from users, lately publishing new rules to this effect. The recent guidelines make clear that offenders will be penalised for a range of infractions, including failure to clarify the purpose of data collection, absence of published service regulations, and collecting user data that is unrelated to the service being provided. Vietnam is facing similar problems in stopping personal data theft as internet use in the country grows steadily, and the Ministry of Public Security has begun drafting a governmental decree on personal data protection. What this all amounts to overall is that the rules are tightening around online entities everywhere, and whether companies choose to prioritise privacy rights or not will determine their relationship with consumers and regulators going forward.

Privilege, privacy and personalisation

The clear winners in the push for better data protection must undoubtedly be the users. Where digital privacy was once treated as a privilege, it is now seen as an essential right of anyone going online, and lawmakers have enshrined this notion in the rules that govern digital data use. However, the story doesn’t end here. Regulations like GDPR make it compulsory for companies to ask users to opt in before their data can be passed on and processed by third parties, but these rules haven’t fundamentally changed how the data can be used after consent is given, and they can be manipulated to induce “consent fatigue” that render protections useless. Data Privacy Day continues to be celebrated each year because the need is still there for consumers to be educated about the data they knowingly, or unknowingly, give away in exchange for online services, and so far, few governments and private institutions have been eager to step up to address the dearth in sorely needed digital literacy education.

Optimistically, more regulations mean that end users will have more control over their personal information and how it is shared; on the flip side, consumers may have to put up with a less personalised online experience when moving from site to site. The opportunity is here for a singular identifier that can be used across the web — one that can securely share relevant user data to new websites while securely storing personally identifiable information away from prying eyes. Emerging players like BigID are already racing to create this Universal ID of the future, and disruptive technology like blockchain could play a huge role here in enabling an efficient and transparent decentralised management system for personal data to be securely accessed across the entirety of the web. When such a solution emerges, it will be integral for maintaining consumer trust while offering a personalised online experience.

From an outside perspective, it may seem like marketers and digital media companies have come out of this wave of new data laws with the short end of the stick. This may be true for the ones that fail to meet the standards of data protections set for them, but for companies that do end up employing better practices for securing user data, the result will be increased consumer trust and more confidence in an industry that has taken many hits of late. Personalisation will be more important than ever, and marketers will need to develop and realise new compliant approaches to drive relevant and engaging advertising whether online or offline. This decade marks a period of change for the marketing industry, one that entails a shift in focus whereby openness, authenticity, and a commitment to privacy rights are at the forefront.

The current reality is that regulatory development is unfolding quickly to address the privacy concerns of lawmakers and the general public. And while each piece of legislation is meant to be localised in its scope, the Internet is by nature both boundless and decentralised by design––the implications of any new law will certainly extend beyond the geography set by its creators. As we continue to persist within the new “digital economy”, more brands and organisations looking to expand their business and reach globally, will need to contend with the new rules of engagement, ones underwritten by different regulators across regions. This Data Privacy Day is a milestone and a reminder that we are building a new culture of online trust and going forward will mean emphasising privacy and security without compromising the digital experience.

Visit our blog for more insights.