Jodi Daniels is the founder and CEO of Atlanta-based Red Clover Advisors, and a data privacy expert with more than 20 years of experience, including the launch of ad networks for Autotrader and Kelley Blue Book. Her knowledge of ad tech and user privacy can inform and improve our collective monetization efforts as we continue to navigate the GDPR and prepare for enforcement of the CCPA and other privacy laws.
"A strong privacy program is a must-have to do business today and it will only become more complex."
Jodi Daniels, Red Clover Advisors
I always knew I was meant to be an entrepreneur — it was just a matter of when I was ready to make the leap from Corporate America.
I also realized that there's a gap for small- and medium-sized companies that don't often have someone focused on privacy full-time — or have anyone familiar with privacy. Red Clover Advisors was born from my desire to help overwhelmed smaller businesses navigate complex privacy laws.
I think GDPR compliance still presents the same level of confusion for many companies, especially ad tech or those relying on ad tech — who, for example, want to use legitimate interest as a legal basis. Everyone was hoping for guidance and a more definitive explanation of whether that’s allowed or not.
While there has been some guidance — for example, from the ICO — there have not been many penalties. So, with fewer-than-expected enforcement actions, I think the level of confusion has remained the same.
Enforcement of GDPR has not lived up to my expectations. Many investigations have been filed, but the number of enforcement actions has been far less than I anticipated, based on what regulators told me directly.
I am still hopeful that it’s just a slower process, and that we will start to see some of the actions they keep talking about. I also believe that regardless of the regulators, there has been an increase in companies that (still) take GDPR very seriously — and that hold each other accountable — which is particularly important for B2B roles. B2C brands are also taking the GDPR seriously because EU consumers are pushing those companies to protect their privacy.
I absolutely wish there were common, consistent standards. It’s very confusing and complicated for companies to adhere to multiple jurisdictions, and CCPA is the first, but it will not be the last state law. Many companies are very concerned about how they will manage compliance for multiple states and countries. Many of my multinational clients struggle with how to balance and understand what are sometimes conflicting privacy laws.
For CCPA, it would be really nice to have a standard framework. It’s unlikely that we'll see a privacy law as restrictive as GDPR, as the US is a very business-friendly country, and GDPR is very focused on individual rights.
I am hopeful that we will see more commonality amongst privacy laws here in the United States.
Many companies are realizing that even if they complied with GDPR, there's still work to be done for CCPA — and that CCPA is not the last state privacy law, so it makes sense to start thinking about privacy as a holistic part of their organization. They are now beginning to build the foundational work for a privacy program.
Given the current economic situation and pandemic — and also because I serve a lot of small and medium companies — the panic is probably 6–7.
Many companies that did nothing or stalled are now realizing they need to be ready by July 1. Many of the bigger corporate companies have been gearing towards that July 1 date and have been planning for some time.
The definition of data brokers under CCPA is still really unclear to many companies, especially if you compare it to Vermont. I’m hopeful we’ll see more enforcement action from the AG, unlike what we thought we’d see under GDPR.
Since the US is more litigious and fine-driven, I think some companies will tip more towards being data brokers based on the data they are collecting and using in a manner that wasn't intended, and that will help set the precedent.
It’s like what we learned as kids: the one who does something wrong sets the rules for the rest of the class. I expect the same will happen here.
I see some positives to CPRA. For example, I think it's a good thing to have a separate enforcement branch, as the AG has a number of different responsibilities on its plate. If we're going to take privacy seriously, then having an arm dedicated to privacy is a good thing.
Carving out sensitive data is also good. There is so much data that’s collected and likely misused — like how we have health data and financial data now carved out under HIPAA and GLBA, which restrict what can and can’t be done with it. The ability to restrict and correct data is good for individuals.
The requirements for risk assessments and cybersecurity audits are also positives. If companies don't protect their data and they’re not aware of the risk, many won’t audit their cybersecurity systems. Forcing these companies to assess their risks will only strengthen privacy programs.
As for negatives, the restrictions on email pop-ups will be challenging, as will the transparency requirement for profiling and automated decision making. The same is true for onward transfer — what does restricting it really look like?
As we saw with CCPA, the details will matter most. If it passes, I hope we get clarity much sooner than we have for CCPA (as we’re still waiting on final regulations from the AG).
No, it’s not like GDPR and doesn’t have the same legal basis requirements.
There have been many tries but nothing yet. There will likely be additional state laws and we may have a bit of a patchwork privacy system. Having a privacy program and someone responsible for privacy will help companies manage differing state laws.
Even if you're under the CCPA threshold, customers, especially of B2B companies, require their service providers to comply with privacy laws. Consumers are getting savvier and want to do business with those who take privacy seriously.
Plus, investors also are looking at company privacy programs and risks before investing, so taking it seriously now will help.
As for being too small, regulators might not find you, but your customers (B2B - same as CCPA) care and they might share your noncompliance activities with regulators themselves or take it to social media.
Plus it’s a law: do you really pick which ones your company should comply with?
Nope, not done. Privacy notices are dynamic and should always reflect what's happening in your organization. They need to be updated at least annually (per CCPA), and any time you want to do something new, it needs to align with the notice.
For example, if you want to send that email, does the privacy notice say it’s OK to do so? There might be new products, marketing activities, and vendors that should be documented and reviewed. That’s why data inventories should be reviewed throughout the year as well.
Most companies try to do the least amount of work possible — and then the next privacy law or customer agreement comes along and they're not ready.
They also forget about training, which ensures employees know their roles. For example, how will they manage individual rights requests — will those go to the customer service team or the website manager? Employee training is a critical component of a privacy program.
Privacy compliance is not just a cookie banner and a privacy notice. It’s so much more.
Companies that don’t require a full-time person for that function can consider a Fractional Privacy Officer — but a privacy pro should definitely have a seat at the table to build consumer trust.
"What most companies overlook is that opportunity to build trust — they look at privacy as this thing that they have to do but it's actually the foundation for their customer relationships. Customers expect companies to deliver a good product and service and protect their data."
Jodi Daniels
Review how you’re going to manage this on an ongoing basis and avoid the “every time there's a new law” cycle. That's stressful and creates a lot of extra work and expense.
I also suggest you look at privacy from your users’ point of view, not just the company’s point of view. How do your users expect you to handle their data? Your customers’ best interests are also your company’s best interests.
The biggest challenge will be consumers flooding a company with individual rights requests. You could almost see that as a way to attack a company.
Other challenges could be the enforcement actions that come from CCPA. CCPA was really born out of the frustration of data sharing amongst digital companies. There is a significant focus on digital data and ad tech, so that customer-focused viewpoint will prove helpful.
I think there will also be greater scrutiny of privacy by consumers given the current pandemic. People want to know how their data is being used and who has access to it.
Phishing is already up 350% since the start of 2020. Companies need to be prepared for how they're managing a remote workforce, a return to the office — or even a hybrid approach — and how they're securing their personal data. There are some basic things companies can be doing now to protect their data: strong passwords, two-factor authentication, and training, just to name a few.
The individual private right of action under CCPA will be costly to companies. COVID + data breach = perfect storm.
Companies should look at privacy as not just a law they should comply with — not a “maybe we’ll comply, or comply a little, or just enough” — but as an opportunity to build trust with customers.
A strong privacy program is a must-have to do business today and it will only become more complex. Start it right from the ground up, have someone knowledgeable to help manage privacy throughout the year, and it will prepare your company for the next privacy law.
Jodi Daniels is the founder and CEO of Red Clover Advisors, a boutique privacy consultancy that helps companies build customer trust while complying with global privacy laws such as GDPR and CCPA.
Many thanks to Jodi for sharing her time and expertise.
Jane is the Product Marketing Manager at Kevel. She enjoys discovering user-first ad platforms and articulating the value of Kevel's ad serving APIs.