Deregulation on federal level driving changes on state level
With all the news on Net Neutrality last month, you may have forgotten that earlier this year, Republicans killed federal privacy rules adopted by the FCC that would have required your Internet Service Provider to obtain permission before collecting and selling certain types of personal data (such as web browsing and app usage data). While the general perception is that such deregulation means fewer privacy laws, the practical impact may be more regulation.
Following the repeal of the FCC privacy rules, at least 21 states and the District of Columbia filed state versions of the FCC privacy rules as a direct response. Two states passed those bills into law, while others deferred the issue to 2018 or passed bills to study the issue further. And even though bills in a number of states died at the end of their 2017 legislative sessions, it is likely that many will reintroduce those in 2018.
The broader application is that deregulation on the federal level is causing states to take more action, which causes a number of problems. While state versions may all address the same topic, they are not identical. They are similar but contain differences unique to each state, such as different notice requirements, disclosures, consent or use requirements and enforcement mechanisms. Even using similar but different terms to describe the same principle creates problems regarding uniformity.
Lack of uniformity amongst states means more complexity. And more complexity results in greater uncertainty, risk and cost.
The state reaction to the repeal of FCC privacy rules is just one example of how federal deregulation trickling down to state levels can create major headaches for business.
The mother of all data breach cases: Equifax
Major data breaches have become so prevalent that they almost seem like yesterday’s headline. Yet the Equifax data breach may finally push us over the edge in demands for regulatory action. Let’s review how bad the Equifax case was and still is:
- Data thieves stole private information on over 145 million Americans from Equifax.
- Data stolen was the most sensitive kind: personal and permanent information including names, addresses, social security numbers, dates of birth and drivers’ license numbers.
- Equifax discovered the breach on July 29, 2017, yet didn’t announce the breach until September 2017.
- Equifax executives sold millions of dollars of stock days after the breach was discovered and before the public announcement.
- Equifax claimed that top executives of a company whose business is protection of personal data didn’t know about the breach.
- Equifax was notified in March 2017 by the Department of Homeland Security that there was a critical vulnerability in its software.
- Equifax relied on a single employee to alert the company (he didn’t) to the risk of a data breach affecting 50 percent of all Americans.
- Equifax sent customers needing more information about the breach to a fake phishing site.
- That fake site clearly disclosed it was a fake in its headline and contained a tongue-firmly-in-cheek link to Rick Astley’s “Never Gonna Give You Up” music video.
- Equifax is profiting from its screw-up: Concerned consumers are purchasing third-party credit monitoring services that frequently utilize Equifax services. So money spent due to Equifax’s problem is paid back to Equifax.
Yes, all of the above really happened. It seems it can only be a matter of time before cases like this force legislators on both sides of the aisle to take regulatory action tightening privacy and data protection laws.
Categorizing personal information to include marketing info
But it’s not just highly sensitive personal information that lawmakers are seeking to protect. While protection against breaches that cause economic harm or risk serious personal threats such as identity theft is justified, proposals are reaching beyond financial and health data.
States have introduced legislation that imposes reporting and notice requirements upon a data breach of personal information. But broad definitions of “personal data” have included what is typically considered to be marketing data, including search history and location information.
The argument against the broad regulation of consumer data is that there are different risks and expectations of privacy for credit card numbers compared to shopping history for a phone case or search history for coffee shops.
Yet broad regulation impacting all such information has been pushed through by state legislators, sometimes only being stopped by a governor’s veto.
Location data is being targeted
Location data that so many local search marketers rely on for targeted campaigns has, in turn, become a favorite target for privacy activists. Recent legislation specifically calls out geolocation information derived from mobile devices as requiring express consent before it may be collected, used or disclosed.
Several states introduced similar legislation in 2017 requiring affirmative express consent after clear and prominent disclosure as follows:
- Notice that the geolocation information will be collected, used or disclosed.
- Information about the specific purposes for which such information will be collected, used or disclosed.
- Provision of links to access other disclosure information.
Failure to comply is deemed to be a violation of, and subject to the enforcement provisions of, the state consumer protection laws. It is likely that some states will reintroduce bills that were vetoed or that died in committee, while others have carried the bill over to 2018.
Europe is redefining consent
Europe has already passed sweeping privacy regulation, titled GDPR (General Data Protection Regulation), which takes effect in May 2018. For example, the personal data subject to protection is defined as “any information relating to an identified or identifiable natural person.” That’s as broad as it gets.
The GDPR also makes major changes to rules surrounding transparency and consent before personal data can be used. Consent will be an especially complex issue for businesses to figure out, as conditions for obtaining consent are much tighter. Issues will include the form of consent, the specificity of consent and what downstream matters that consent applies to.
Some of the restrictions include prohibitions on making services contingent upon consent and on obtaining consent for multiple purposes. Consent must also be separately given, as opposed to being one clause in a lengthy terms and conditions agreement. Further, revoking that consent must be as easy as giving it.
The impact on local search
The above are all factors that seem to be converging toward significant movement and changes in privacy regulation that will have a dramatic impact in the marketplace. Below are seven ways in which privacy will disrupt the local search and marketing industry:
1. The cost of marketing data will rise
Increased privacy regulation means all businesses will have to spend more resources to comply. It also raises the exposure to liability and increases risk of public enforcement and of private lawsuits. Potentially, there could also be a decrease in the supply of marketing data if consumers respond to the notice requirements and consent requests by not giving permission to collect or use their profile information. All of these changes would make collecting, acquiring, using or buying marketing data more expensive.
2. Targeted marketing becomes harder
If the supply of marketing data is throttled, accuracy declines. For example, if fewer people share their location, getting a sufficient volume of leads from targeted marketing will require casting a broader net.
The effectiveness of targeted marketing is further hurt by a reduced ability to determine those target audiences. Less data regarding behaviors that predict specific purchase or online actions makes forecasting less accurate. Attribution would likewise be harder to pinpoint.
3. The competitive edge shifts back to larger companies
I’ve written recently about how having the right data is the new competitive edge over traditional economies of scale. Good data means that smaller businesses can more equally compete against larger companies.
But tougher privacy laws benefit larger businesses that have resources to adjust to mandated changes. Also, they will have better access to data as it becomes more expensive and potentially less available.
4. Google and Apple will become even more powerful
Google and Apple have great leverage over user privacy choices via their mobile operating systems. They embed into those systems many functions and apps, such as maps, media and search engines, that have a huge user base and are critical to local search. Consumers frequently treat these apps and functions as essential services and defer to Google or Apple terms for access and use.
Android and iOS also serve as a gateway to third-party apps and control how users grant app permissions or consent to the collection and use of data such as location.
5. Brands who control first-party data will hold premium ad inventory
Brands have direct contact with consumers and sufficient reach such that they are able to offer advertising solutions to third parties, especially those related to the brand’s product or service.
For example, Honeywell offers a software upgrade for its WiFi thermostats that will optimize thermostat settings. The offer to help save its customers $71 to $117 a year off of their energy bills means many opt in. Users get customized reports with insights into energy use, comparison to similar homes and tips to help track and improve energy efficiency. Those “tips” will likely include some referrals to vendors such as insulation companies, solar energy vendors and HVAC contractors or other marketing offers.
Brands are well-positioned to reach their customers within the confines of privacy regulations, and the targeted audiences they can reach should command premium ad spend.
6. The GDPR bleed-over effect
The GDPR will affect local businesses and marketers even if they don’t have European customers. Larger companies that already have to deal with tighter European regulation may find it difficult to segment different policies for American and European customers. As a result, they may adopt uniform privacy policies companywide.
7. Regulatory hurdles used as a competitive barrier to entry
The other potential consequence of larger companies voluntarily adopting stricter privacy policies is that they would be less resistant to privacy regulations that mirror those internal policies. In other words, they may not oppose such legislation, or may even publicly support it, undercutting the position of those who are against it.
Some may even push for those regulations knowing that it may give them an advantage over competitors who haven’t adopted such privacy policies. Regulation that raises the cost of doing business or requires some catch-up changes may serve as a barrier to entry for new startups or others seeking to add business outside their core service area.