Enhanced Privacy and Data Protection

On this website, enhanced privacy and data protection means that, in addition to the privacy and data protection laws and regulations, technology companies are providing further ways and measures to strengthen privacy and data protection for their users and customers. Through these products and services, it is becoming more difficult to collect and gather data for online marketing purposes.

On the other side of this, safeguarding data is important, especially on mobile devices and smartphones, where users carry their entire digital life with them. This sensitive and personal data needs to be protected from harmful and unlawful gathering and harvesting, which can lead to cyber-crime or end up in a data breach.

Privacy Laws and Regulations

To protect users and their personal information, several laws and regulations have been issued by various states and governments. The most impactful are the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Lei Geral de Proteção de Dados Pessoais (LGPD) and the ePrivacy Directive, each of which overhauled the rules for handling personal data.

The European Union has also adopted two further regulations, the Digital Markets Act and the Digital Services Act. Together, these laws and regulations leave much less room for data collection and gathering, as described in this chapter.

GDPR – General Data Protection Regulation

The General Data Protection Regulation has two clear objectives: it aims to protect personal data and at the same time ensure the free movement of that data within the European internal market. The European Union began enforcing the General Data Protection Regulation on 25 May 2018 and thereby made a big leap toward digital privacy and data protection.

The basic premise is that users know what is being collected about them and control what happens with their data, following the principles of «data protection by design» and «data protection by default». The regulation protects people in the European Union regardless of their citizenship, and it also binds organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour.

Companies that use online marketing activities to reach new leads as well as existing customers need to comply with these regulations. For web activities, the most visible change has been the cookie banners and cookie walls.

Before using a site, users are asked to give or deny consent to data collection through cookies. Consent only counts if it is given by an affirmative action, so pre-ticked boxes do not qualify, and non-essential cookies must not be set before consent has been given. For email, the user likewise has to consent before receiving marketing communication from a company or business.

Website operators must inform users about the purpose and legal basis of the data processing and the storage period of their data. This must be done for each separate data processing operation on the website.

Here are some examples of data processing operations:

  • collection of server log files,
  • use of cookies,
  • use of tracking tools,
  • use of marketing tools,
  • use of social media plugins,
  • provision of a contact form or newsletter,
  • data processing in the online shop.

CCPA – California Consumer Privacy Act

It is not only the European Union that has been addressing privacy and security risks with laws and regulations. In the United States, the first modern regulation to follow the General Data Protection Regulation was the California Consumer Privacy Act, effective 1 January 2020.

A major difference is that the CCPA's definition of personal information is broader than its European counterpart's; it explicitly covers, for example, inferences drawn about a consumer and data about a household. This raises a whole set of new questions about how an organization handles such information internally, especially where email is used for routine correspondence.

Under this regulation, users and employees have the right to know what personal information is being collected about them and how it is being used, stored and shared.

The regulation gives consumers more options and more control over the protection of their personal information. Selling personal information is treated specially: consumers can opt out of any sale of their data to third parties, and a business that sells personal information must offer a clearly visible «Do Not Sell My Personal Information» link for this purpose.

Consumers who exercise these rights, including an opt-out, have a right to non-discrimination: they may not be charged more or offered a worse service because of it. When a consumer requests deletion of their data, the email conversations and addresses held about them need to be erased as well, subject to the act's exceptions, such as records needed to complete a transaction or to meet a legal obligation.
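The consent gate that the cookie-banner paragraph and the list of processing operations in the GDPR section describe, combined with the CCPA opt-out of sale from this section, as an added JavaScript example. This is not code from the original page; the purpose names, the tag registry, the consent version and the sample decisions are constructed assumptions.

```javascript
// Added example (not from the original page): a purpose-based consent gate
// over the kinds of processing operations listed in the GDPR section, with
// the CCPA "do not sell" opt-out layered on top. Purpose names, the tag
// registry and the sample inputs below are constructed assumptions.

// Each tag is mapped to the purpose it needs a legal basis for. "necessary"
// is what the site cannot function without (session cookie, server log) and
// is the only purpose that runs before the user has made a decision.
const TAG_REGISTRY = [
  { id: "session-cookie",  purpose: "necessary" },
  { id: "server-log",      purpose: "necessary" },
  { id: "analytics",       purpose: "analytics", sharesWithThirdParty: false },
  { id: "marketing-pixel", purpose: "marketing", sharesWithThirdParty: true },
  { id: "social-plugin",   purpose: "social",    sharesWithThirdParty: true },
];

const PURPOSES = ["analytics", "marketing", "social"];
const CONSENT_VERSION = 2; // bump whenever the purposes or the banner text change

// Privacy by default: nothing non-essential is granted until the user decides.
function defaultConsent() {
  const purposes = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  return { version: CONSENT_VERSION, decidedAt: null, purposes, doNotSell: false };
}

// Record an affirmative choice. Only purposes the user actively ticked become
// true; anything unspecified stays false, so there is no implied consent.
function recordDecision(state, granted, now = Date.now()) {
  for (const p of granted) {
    if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
  }
  const purposes = Object.fromEntries(PURPOSES.map((p) => [p, granted.includes(p)]));
  return { ...state, version: CONSENT_VERSION, decidedAt: now, purposes };
}

// Withdrawal must be as easy as giving consent: one call, one purpose.
function withdraw(state, purpose, now = Date.now()) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  return { ...state, decidedAt: now, purposes: { ...state.purposes, [purpose]: false } };
}

// CCPA-style opt-out of sale/sharing. It is independent of GDPR consent: a
// user may allow analytics yet still forbid sharing with third parties.
function optOutOfSale(state) {
  return { ...state, doNotSell: true };
}

// A stored record is only usable if a decision was actually made and it
// matches the current consent version; otherwise the banner must be shown again.
function consentIsCurrent(state) {
  return state.decidedAt !== null && state.version === CONSENT_VERSION;
}

// Decide which tags may run. Necessary tags always run; every other tag needs
// a current, granted purpose, and tags that share data with a third party are
// additionally blocked by the do-not-sell flag.
function permittedTags(state, registry = TAG_REGISTRY) {
  const current = consentIsCurrent(state);
  return registry
    .filter((tag) => {
      if (tag.purpose === "necessary") return true;
      if (!current || !state.purposes[tag.purpose]) return false;
      if (state.doNotSell && tag.sharesWithThirdParty) return false;
      return true;
    })
    .map((tag) => tag.id);
}

// Browser glue: call `loader` (e.g. a function that appends a <script>
// element) only for permitted tags. The loader is injected so the decision
// logic can run and be tested without a DOM.
function loadPermitted(state, loader, registry = TAG_REGISTRY) {
  const ids = permittedTags(state, registry);
  ids.forEach(loader);
  return ids;
}

// Walk-through with constructed inputs (fixed timestamps instead of Date.now()).
let demoState = defaultConsent();
permittedTags(demoState);                                   // necessary tags only
demoState = recordDecision(demoState, ["analytics", "marketing"], 1700000000000);
permittedTags(demoState);                                   // + analytics, marketing-pixel
demoState = optOutOfSale(demoState);
permittedTags(demoState);                                   // marketing-pixel blocked again
demoState = withdraw(demoState, "analytics", 1700000001000);
permittedTags(demoState);                                   // back to necessary tags only
```

In a real deployment the record would be persisted in a first-party cookie or localStorage and the loader would append the script element; the property to preserve is that the default state loads nothing non-essential, so a user who ignores the banner is never tracked, and that a stale consent version falls back to that same default.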

LGPD – Lei Geral de Proteção de Dados Pessoais

Brazil's LGPD has been in force since September 2020, with its administrative sanctions applicable since 1 August 2021, and is modelled on the General Data Protection Regulation. It likewise covers how data is gathered, processed and stored.

The regulation protects people in Brazil not only against organizations within the country but also against any organization or individual outside the nation that processes their data, in the same way the General Data Protection Regulation protects people in the EU. When users employ privacy and data protection tools such as a VPN, determining where a user is located, and hence which law applies, becomes difficult.

ePrivacy Directive

The ePrivacy Directive of 2002 (European Commission, 2006), as amended in 2009 to require consent for non-essential cookies, is still the version in force. In 2017 the European Commission proposed an ePrivacy Regulation to replace it, because the directive had become outdated: it addresses neither smartphones and tablets nor the large social media companies and their messaging services.

The main points of the proposal are to bring these new players into scope, strengthen the rules, protect both the content and the metadata of communications, simplify the rules on cookies, improve spam protection and make enforcement more effective. The proposal was still under review at the start of 2023.

Digital Markets Act and Digital Services Act

The European Union adopted two further regulations in 2022 that also make it more difficult to obtain, process and analyze data. They aim to give small and medium-sized companies the same opportunities that, until now, only the large platforms have had.

The Digital Markets Act is about creating a competitive and fair market alongside the designated gatekeeper platforms. Among other things, it prohibits gatekeepers from combining personal data across their various services without the user's consent and requires that users be able to uninstall preinstalled apps and software. These changes, in turn, hinder the collection and analysis of data for companies with online activities.

The Digital Services Act, for its part, requires very large online platforms to offer at least one option for recommending content that is not based on profiling, so that users can turn profiling-based content off. This further complicates the aggregation of customer data and personalized communication.

Fines in the event of a data breach or other violations

For a company involved in any online activity, complying with all of these regulations is mandatory, as failing to do so can lead to fines and other penalties for the company or business. By building compliance around the strictest regime, the General Data Protection Regulation, most other regulations can then be met with little extra effort. Other regions and countries are expected to follow the European Union's example, and other US states that of California.

The General Data Protection Regulation has two tiers of fines for data protection violations: the first is up to € 10 million or 2 % of the worldwide annual turnover of the preceding financial year, the second up to € 20 million or 4 % of that turnover, whichever amount is higher. On top of a fine, data subjects can claim compensation for material or non-material damage they have suffered. These fines can hit anyone who does not comply with the laws and regulations, from individuals to small businesses and giant corporations.