
Privacy Report 2020

The second decade of the 21st century is shaping up to become known as The Privacy Decade. Recent legislation, both internationally and in the United States, is primed to change the parameters regarding what information about a person you can or can’t collect, and the limitations on what you can do with that information. One thing these regulations have in common is that they don’t restrict their data privacy requirements to emails sent from within their borders. If your emails are sent to subscriber inboxes within any of these states, you are deemed culpable for those violations and can be subject to hefty fines. Unlike previous legislation, such as CAN-SPAM and CASL, these new laws are not aimed specifically at email but are intended to address privacy issues across all devices, platforms, and services. They all do affect email because email involves the gathering of private data in the form of email addresses and, in some cases, names and locations. Each of these laws comes with its own set of restrictions, some more draconian than others.

More Restrictions

While some people might not care if everyone knows where they are every hour of the day, most of us value our privacy and like to have some say over what a company may or may not know about us. Accepting this and working with it is the best tactic for any email marketer. Trying to game a subscriber’s private data was never a good idea, but all signs point to more restrictions and greater penalties for doing so as every country gets into the act. While there are no plans for upcoming legislation in this Congress, states such as California and Vermont have created their own stringent privacy laws, and 2018 saw the passage of data breach notification laws in several states.

GDPR Arrives

The legislation that started the privacy protection ball rolling was the European Union’s General Data Protection Regulation (GDPR). This regulation set a high bar for an individual’s rights to access any data about them that a company gathers, as well as the right to have that data deleted (for more on GDPR, see our three-part series on the subject). It covers a staggeringly wide range of data—everything from a person’s email address to the geolocation featured in many digital cameras. It extends to any person living within the European Union, regardless of their nationality. If you send email to a person in the EU, you need to be GDPR compliant. Full stop.

California Picks Up the Torch

Taking its cues from the GDPR, the state of California came up with its own privacy regulation. Passed in 2018, the California Consumer Privacy Act (CCPA) goes into effect January 1, 2020, and features many of the same restrictions as the GDPR, including the right to obtain one’s data from a company and the right to be forgotten. No other state has, as yet, passed such a strict law, but it looks like Washington State is set to follow suit with its Washington Privacy Act, which is also modeled after the GDPR.

As strict as the CCPA seems, it’s got nothing on the GDPR. The California law applies only to for-profit businesses, so nonprofits can breathe easy. Additionally, for-profit businesses need to have a gross annual revenue exceeding $25 million for the law to take effect, and your active email list must exceed 50,000 subscribers. It also only applies to tax-paying residents of California.

Brazil Follows Suit

In August of 2018, the Brazilian government signed into law the Brazilian General Data Protection Act (Lei Geral de Proteção de Dados Pessoais or “LGPD”). Like the GDPR, after which it was modeled, its scope is global, with companies in any country facing fines for violating its rules. As with the CCPA, the Brazilian law goes into effect in 2020. One notable difference between the GDPR and the LGPD is the latter’s inclusion of terminology pertaining to “non-discrimination.” It also addresses credit and health records with more specificity. Originally, the law had provisions for the establishment of an independent data protection authority, but the President rescinded that in a line item veto. The LGPD is more punitive than California’s law but less so than the GDPR. The maximum fine under the LGPD is 2% of a company’s Brazilian revenue up to 50 million in Brazilian Reals per infraction (about 13.4 million in U.S. dollars). Compare that to the GDPR’s 4% of an organization’s annual revenue or 20 million Euros (about 22.6 million in U.S. dollars), whichever is greater.

And Then There’s India

Also getting in on the post-GDPR drive for stronger privacy controls, the Ministry of Electronics and IT (MEITY) in India has been hammering out its own privacy regulations—a process they started back in 2010. Following the 2017 Indian Supreme Court ruling declaring that privacy is a “fundamental right,” the MEITY finally got on the ball and drafted the Personal Data Protection Bill 2018 (PDP Bill), which contains many of the same features as GDPR, but with a few curveballs that already have companies crying foul. The main one is the requirement that all “personal data” on people residing in India must be maintained at a facility within India (although the bill doesn’t define what constitutes personal data—they’re leaving that up to the government). India isn’t the only country mandating such a restriction. China and Vietnam have similar restrictions, but neither of those countries could be considered free. Their governments exert a great deal of control over every aspect of data transfer and Internet use.

India, on the other hand, has a free market economy—some might say too free. It also has an online market second only to China in size, with close to 500 million Internet users. Restrictions making it harder for companies to conduct business aren’t welcome, and this requirement is already meeting with criticism and opposition. When the MEITY requested feedback on the bill, they received nearly 600 recommended changes, from both businesses and governments, including the United States.

Perhaps this is why, since its introduction, the government has had a few opportunities to pass the PDP Bill, but decided to wait until June 2019, after the new government is in place.

Congress Changes Its Tune

In 2009, U.S. Senator Patrick Leahy of Vermont tried to get his Personal Data Privacy and Security Act passed, but the bill never reached the floor. It was too much, too soon, and nobody had any idea yet the extent to which sites such as Facebook and Google would use personal data. Still, data privacy restrictions would be a hard sell in Congress, even today, if not for the increasing number of states tackling the problems on their own. All fifty states have laws concerning the reporting of data breaches, and 35 states have laws regarding the disposal of data. To complicate matters, the laws in each state are different. Some state laws apply only to businesses, while others only restrict the government, leaving private businesses to do what they want with your data. Some are quite stringent, while others are written in such general terms as to be virtually unenforceable.

Mostly in response to California’s legislation, the U.S. Chamber of Commerce and several other business-based groups are lobbying Congress to pass a federal omnibus privacy and data protection law that would pre-empt the CCPA and other existing and future state data protection laws.

Email’s Role in All of This

Unlike CAN-SPAM and CASL, this recent legislation doesn’t focus exclusively on email. In the case of GDPR, it regulates everything from website visits to in-camera geolocation. They all affect email marketing, although how much depends on your subscriber list. If your list is exclusive to the United States, and your gross revenues don’t exceed $25 million, then you can go about business as usual. None of the recent legislation will have that much impact on your email efforts. There is a lot more legislation on the books now concerning data breach notification, but that’s of more concern for the IT department than the marketing department.

If you have international subscribers or own a business that brings in over $25 million a year, we recommend you follow the rules of the GDPR. It is still the strictest of the current laws, so if you are in line with it, you should be fine for the others. For everyone else, there are a few things you can do to avoid problems. They include the following:

Make Your Terms Clear

Spell out in the clearest possible language exactly what you plan to do with the data you collect and make sure you include a statement to the effect that you will not use this data for other purposes or sell it to other companies.

Leave Boxes Unchecked

If you do any business in the European Union, leaving consent boxes unchecked by default, so that subscribers must actively opt in, isn’t simply a suggestion; it’s the law. It’s less important in the States, but, like the single- vs. double-opt-in controversy, each approach has its supporters and detractors.

Respect the Privacy of Your Subscribers

Email marketing is a double-edged sword. On one hand, we all like our privacy, but on the other, we also prefer receiving emails about things we are actually interested in. As an email marketer, the only datum you actually need is the email address, but, by itself, that makes for generic, “batch-and-blast” emails. Personal data helps improve the engagement and the receptiveness of your subscribers to your mailings. But don’t abuse it. Just because you can send an email saying “Hey Jill! I noticed you just visited our website fifteen minutes ago” doesn’t mean you should. It makes you look like a stalker, so avoid it.

The Ground’s Still Shaking

One thing is certain: This story is far from over. Right now, most of the fretting over the new laws has been a waste of time. How much they affect you is extremely variable. New legislation is cropping up in countries around the world every day and, as time goes on, it appears more and more likely that some national legislation in the United States will be enacted to bring the various states back into line. When that happens, we’ll take a look at this subject again.


Privacy, ESPs, Protecting Your Data, and the Law

The NSA revelations of last year, the enactment of the Canadian Anti-Spam Law (CASL) in June, and recent European Commission meetings have brought issues of privacy and national data control to the forefront of the minds of IT professionals and technology users around the world. Although many countries, such as Egypt, UAE, and Malaysia, still have no data privacy laws, most industrialized nations are looking to beef up their data protection regulations as soon as possible. In some cases, this is the result of Edward Snowden’s revelations about the NSA. Brazil didn’t worry much about its data protection policies until President Dilma Rousseff found out that the NSA was tapping her phone. Then the Brazilian Internet Law (Marco Civil da Internet) was quickly passed.

Another trend we’re seeing is the tying of data policies to national borders. In Russia, for instance, a new law was passed by the Duma requiring that the “systematization, accumulation, storage, updating and retrieval of personal data of citizens of the Russian Federation, [must be] held on databases located in the territory of the Russian Federation.” This law takes effect in 2016. Even countries, such as Germany, that already have stricter-than-average data privacy laws continue to tighten their laws with new legislation.


Where’s My Data?

Where once there was very little legislation governing things such as email lists and opt-in verification, countries and states are now looking to get tough on data breaches and information misuse, but this gets a lot harder to do when you don’t know where the data resides.

As anti-spam laws become more stringent, countries such as Canada require that businesses keep subscriber records secure, well-verified, and up-to-date. Recent trends indicate that, if anything, this trend toward greater accountability is growing. New York Times Business Correspondent Danny Hakim recently observed that the words “cloud computing” did not appear in the European Commission’s general data protection regulation when it was introduced in 2012, but they do now. “The European Union wants to regulate the cloud even if that makes its use more complicated,” Mr. Hakim wrote. Not everyone in the European Commission supports these regulations, but it demonstrates the extent to which governments are willing to become involved if businesses don’t do a better job of securing their data.

For this reason, a stronger emphasis is being placed on the use of location-specific data sources. After all, it’s hard to comply with the laws when you don’t know exactly where your files reside. Armed with this information, country and state authorities can better determine where the problems in the information chain occur, and companies can avoid potential problems by keeping control over the information, rather than turning it over to third parties.

Hopping Off the Cloud

One side effect of this is a decreased interest in cloud-based solutions. In Germany, for instance, cloud grew only three percent in 2013, compared with nine percent the previous year. Oracle, a company that relies heavily on cloud-based solutions, saw a dip in its orders between 2013 and 2014 everywhere except the Americas. In an NPR report, Cisco senior vice president of security Christopher Young acknowledged that this was an issue, especially outside the U.S. “[Y]ou can go to Latin America, you can go to Europe, to Asia, and there’s many examples of customers asking those questions.”

This is quite a change from two years ago, when all the chatter on the Internet was about doing things “in the cloud.” Companies bent over backwards to promote their “cloud-based” solutions. Now, we are seeing a shift away from this everything-in-the-cloud approach to a more measured one. For low-security needs, people still use cloud solutions, but when data security and national laws enter the picture, on-premise (“on-prem”) platforms clearly have an edge.

Keeping the Borders Closed

As Symantec pointed out in a recent article on their site, “[a benefit of] an on-premises delivery model, particularly for organizations with regulatory requirements, would be the twin needs of identifying and securing an organization’s sensitive information. On-premise deployment of these technologies offers capabilities that meet the needs of finding sensitive information where it lives and allowing appropriate access to authorized users. …[On-premise email solutions] permit complete control over the custody of data. … This is a critical consideration in a variety of situations.”


Hey You, Get Off of My Cloud

On the Journal of International Law and Politics New York Forum (JILP), an Australian author explaining why Australians should use Australian-based cloud systems inadvertently explains exactly why people are opting for on-premise systems: “[W]hen you take advantage of locally (in an international sense) based service here in Australia, you’re getting an extra layer of protection. [These] solutions will be governed by Australian law (and not the laws of some other nation)….You’ll never be at the mercy of a foreign government or foreign agent or the changing winds of their security policies – and as an Australian citizen using Australian-based cloud solutions you’ll have a voice in the rules, regulations, and laws governing the security and protection (as well as the enforcement of) those policies moving forward.”

While the JILP author is correct that a cloud-based system within a country’s borders affords that extra layer of state protection, it doesn’t address the problem that comes with any cloud-based system, which is that you never really know where it is. The service might say it is local, but it could be anywhere. If asked where your data is, the best you can do is wave your hand and say, “It’s out there somewhere.” On-premise has no such limitations. When asked where your data is, you can point directly at your servers and say, “It’s right there.” This kind of locality is hard to beat.


Compliance is Not Negotiable

The key here is legal compliance, and in email marketing, compliance is non-negotiable. As Bill Claybrook points out on TechTarget: “Compliance is viewed as a big obstacle toward widespread cloud adoption, and rightly so. It is driven by law and legislation so there is no choice but to comply.” He also points out that “Some regulations stipulate where sensitive information can and cannot reside.” If that information must reside in the country of origin, then an on-premise email marketing system will settle the matter.

At Goolara we offer both solutions—hosted and on-premise—so we don’t have a dog in this fight. We see the advantages of each system for different purposes. For many companies, particularly those with minimal or shaky IT departments, a hosted solution is usually a better choice, but a company with a strong IT department and tight security is better off keeping things in-house. If you are not sure which solution is best for you, give us a call. We can assess your needs quickly and accurately and give you our recommendation based on your individual business factors.
