COMMENTARY
Five years since the European Union's General Data Protection Regulation (GDPR) took effect, its fingerprints are everywhere: from proliferating privacy laws worldwide to the now-ubiquitous consent banners seen across websites of every kind. For multinational businesses, the GDPR isn't the only compliance hurdle on the horizon. Take, for example, the forthcoming enforcement of new privacy regulations like the California Privacy Rights Act (CPRA).
Businesses weren't ready for GDPR, and many still aren't. So, what now?
The Consent-Compliance Gap: How Businesses Are Falling Short
Data privacy awareness has increased among businesses since 2018, but many still struggle with compliance. The issue isn't just understanding the law but also enforcing it effectively. Many companies assume that simply using consent banners or consent management platforms (CMPs) ensures compliance. But all too often, these tools only provide an illusion of compliance, lacking crucial technical capabilities such as consent and preference enforcement.
The rapidly evolving patchwork of global and local privacy laws can also create confusing contradictions. Different jurisdictions have different requirements for obtaining and documenting consent. They may require different technical capabilities, such as real-time preference enforcement or the recognition of global opt-out preference signals. For example, the GDPR requires explicit consent, while other laws, such as the upcoming CPRA, accept implied consent in certain instances.
This leads to the consent-compliance gap. In this situation, businesses invest in and set up a consent tool, thinking they've fulfilled their compliance duties, yet they remain noncompliant in the eyes of the law.
It's About to Get More Complicated
In the five years since GDPR arrived, it's served as a model for data protection laws worldwide, inspiring legislation such as the California Consumer Privacy Act (CCPA), Brazil's General Data Protection Law, and China's Personal Information Protection Law (PIPL). Today, more than 130 nations have enacted privacy legislation, and in the United States, 12 states have enacted privacy laws, with six more in various stages of legislation.
In 2023 alone, four US privacy laws entered enforcement, including the Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA). CPRA, an updated version of the CCPA, also entered partial enforcement this year. State-level privacy laws also passed in Delaware, Indiana, Iowa, Montana, Oregon, and Texas.
These laws, while similar in many ways, have distinct requirements that make managing consent across jurisdictions even more complicated.
Here's where things get tricky. GDPR requires clear, affirmative consent. But the CPRA, CPA, and CTDPA don't necessarily need that "yes" from users before collecting data. Instead, it's enough to offer users an easy way to say "no." This "opt-out" model changes the game and makes crafting a one-size-fits-all consent strategy nearly impossible.
What does this mean for businesses that operate in multiple locations? They need to play by the toughest rules — the GDPR's "opt-in" — while also offering California users the "opt-out" choice. And let's not forget, it's not just about these two laws. With over 130 countries having their own privacy laws, businesses could face a whirlwind of different, sometimes conflicting, rules to follow.
This situation calls for a two-pronged solution. On the technical side, businesses need smart consent management technology that can adapt to different regulations. It should be able to serve specific consent banners based on user location, catering to the unique requirements of each region.
On the organizational side, there's a need for constant vigilance and updating. Privacy laws are evolving creatures, with changes and new regulations popping up regularly. Businesses must keep their fingers on the pulse of these changes and adapt their consent management practices accordingly.
In essence, navigating the maze of global privacy laws isn't just about knowing the rules. It's about having the right tools to apply these rules and the commitment to staying updated on the ever-changing landscape of data privacy laws.
Compliance Is a Constant Effort in an Evolving Global Privacy Landscape
For the first few years of the GDPR, enforcement actions were few and far between as regulators established precedents in the courts and codified the rules of the regulation. This led many businesses to take a "wait and see" approach to consent and cookie compliance or to do the bare minimum necessary to appear compliant. Today, that approach won't cut it.
As of June 2023, EU regulators have handed out billions in fines, which relate directly to consent management. One of the largest GDPR fines to date, a €746 million (US$786 million) judgment against Amazon in July 2021, was handed down because the tech company had been using an implied consent model on its EU properties.
Meanwhile, consumer awareness and expectations around data privacy are on the rise. Some 62% of European consumers consider privacy a concern, according to an IAPP survey. Privacy is no longer a mere compliance issue; it's a cornerstone of brand reputation and customer trust. Businesses demonstrating a commitment to privacy can leverage it as a competitive advantage, attracting privacy-conscious consumers and fostering stronger customer relationships.
But to gain that trust, privacy and consent management cannot be a "set it and forget it" initiative; businesses must make a constant, conscious effort to meet evolving requirements and new technologies such as global privacy signals. Five years on, GDPR plays a key role in shaping this landscape, but it's just one piece of an increasingly complex puzzle.