Privacy Compliance and Your Subscription Business

Why the handling of personal data matters to subscription businesses of all sizes and how they can stay on top of an ever-changing field.

Perhaps one of the most important aspects of a subscription business is privacy – not protecting proprietary company information but protecting the personal information of customers. Subscription businesses must stay on top of the latest compliance requirements to stay out of trouble.

During Subscription Show 2021, Alex Reynolds, counsel for David Wright Tremaine LLP, spoke to the many different ways privacy affects subscription businesses.

“Privacy compliance is becoming way more complex these days. There’s a huge proliferation with laws in the U.S. and internationally,” said Reynolds.

Alex Reynolds, counsel for David Wright Tremaine LLP.
Copyright © 2021 Subscription Insider. All Rights Reserved.

Why should subscription businesses care about privacy?

When thinking about privacy compliance, it can be helpful to compare it to security because it’s easy to confuse the two. According to Reynolds, “privacy” is what businesses must, can and cannot do with personal data. This includes statutory and contractual requirements, consumer and business expectations, and best practices or industry guidelines. 

This stands in contrast to “security” which, according to Reynolds, is how businesses prevent the loss of, or unauthorized access to, personal data. This includes increasing legal requirements, contractual requirements, and consequences of loss or unauthorized disclosure. Security is often easy to understand conceptually, but harder to implement.

“Of course, security or breaches of security tend to be very big problems because when you have a data breach, you may have reporting obligations, especially where you have large databases that include a lot of directly identifiable information,” Reynolds said.

Privacy pertains to how an organization manages the personal information of its customers, whereas security pertains to how an organization protects that data. According to Reynolds, “personal information” includes identifying details like name, cell phone number and email address, but has recently been expanded to include device identifiers that can be associated or identified with people.

Source: Alex Reynolds, David Wright Tremaine LLP

“In terms of understanding where personal information is within your organization, it’s about looking at the data itself, but also the source of that data. The source of it matters because, whether it comes from one source or another, it may dictate what kinds of obligations you have,” said Reynolds.

In many cases, businesses must track where data comes from in order to be compliant. This is especially true for organizations operating in overseas markets and in California, where B2B, public, scraped and other data sources are not necessarily treated as “public” and could therefore give rise to a privacy violation if used in business operations.

Source: Alex Reynolds, David Wright Tremaine LLP

To ensure privacy compliance with all laws, foreign and domestic, it’s important to understand a few key aspects of the law. While understanding the scope of an organization’s jurisdiction is important – like where the data comes from, the residency of the people, the legal jurisdictions of the company – there are many other factors to consider as well.

“Usually, data protection laws and privacy laws are going to cover a fairly standard set of categories or topics. The good news is that, when you’re looking at this area and trying to figure out what you’re supposed to do, you’re going to have a fairly consistent set of obligations,” said Reynolds. “But the devil is in the details.”

Every law will have a slightly different way of conceptualizing these rights. A common obligation, for example, is the lawful basis of processing. Consent, implied consent through interactions, and contracts are a few examples of how businesses can collect a person’s personal information and are important factors for running business operations. Another crucial aspect is what rights a business must give people.

“This causes a lot of heartache because there are a lot of operational considerations in effectuating these rights – like access to data, deleting data, opting out of a sale, opting out of disclosures to third parties and the GDPR, and information required to locate someone in a database,” added Reynolds.

Many of these are becoming standard features of data protection laws in Europe. And while the U.S. has historically had a different view on privacy, Virginia, Colorado and California are all embedding these rights within their legal systems in some form or another by 2023.

So how does a company view these obligations from an operational mindset and implement them in day-to-day operations? Reynolds simplified it by thinking of it as a flow:

Sources > Your Company > Third Parties

Data is usually collected from one of two sources: consumers/audience and third parties. Understanding exactly where personal information comes from is the cornerstone for understanding what can be done with it in an organization.

Once an organization understands the source, the personal data can be used in business operations in several different ways: by subsidiaries, in processes, in databases or in products. This is where sharing data becomes complicated, because companies rarely use the personal information they collect solely for themselves.

“Often it’s not just the company using that information. It’s multiple units within the company that are using the information. If you have a complex corporate structure, it’s a transfer of information between those databases. Many people are using different vendors to do the same things, so very quickly, you add a lot of complexity to something that’s conceptually simple,” Reynolds pointed out.

The personal data then flows from an organization out to third parties like ad agencies, vendors or partners. Understanding the relationship with these third parties is important for putting the right agreements and contracts in place and adhering to the law.

All of this happens against the backdrop of constantly changing regulations, making this process feel “a little bit scary,” said Reynolds.

The good news is that if companies start by investigating their sources of personal information, they can create clarity around data protection issues and complete the analysis required for complying with their privacy obligations.

Requirements subscription businesses should address

“Subscription businesses, like most businesses, are going to want to maintain a large database of contact information,” said Reynolds.

No matter what that data is, at some level, every subscription business will have directly identifiable information that qualifies for data protection under statutes.

“Usually, the most difficult aspect of this is figuring out what the lawful basis of processing is,” Reynolds said.

Collecting with sufficient consent is a huge friction point for many organizations, especially those operating in the U.S. and in Europe. “Consent” and collecting it are defined in a much more specific and robust way in Europe than in the U.S. What works in one market may not work in another.

“The thing the people tend to think of first when they’re thinking about privacy compliance is [updating their privacy policy]… But that’s only one of many considerations, especially where you’re subject to Californian or European law,” said Reynolds.

There are a few ways companies can stay on top of compliance. First, process contact information carefully and ensure proper processes are in place for maintaining databases of contact information. Second, ensure the sources of leads, and how they were obtained, can be clearly identified. Third, be clear about how the “financial incentives” of a loyalty program are presented alongside disclosures and privacy notices to customers. And finally, monitor how marketing communications are used, knowing that the many different marketing channels are each regulated by different statutes and vary widely from country to country.

What subscription businesses should look for in 2023

Interestingly, the California Consumer Privacy Act (CCPA) is a principal driver of compliance in the U.S. And even though it’s well-known, it’s not necessarily well understood.

“[The CCPA] is an excellent example of how a state that wants to regulate privacy becomes a de facto law nationwide because so many businesses do business in California,” said Reynolds.

This is due in part to the difficulty of separating incoming data jurisdictionally (e.g., identifying IP addresses coming from California versus another state). While it can be done, it requires proper systems that may not be available or sustainable for all businesses. Additionally, starting on January 1, 2023, California, Colorado and Virginia each have laws going into effect that have high degrees of compliance obligations for most businesses.

“This increases the overall risk and the need to look at your operations and where your data is coming from,” said Reynolds. “I’m often asked ‘What about a pre-emptive Federal solution?’ and I don’t really see that happening in the near future because the pre-emptive solution is very polarizing and very difficult to overcome.”

Another driver of compliance in the U.S. is the Federal Trade Commission, known as the original privacy enforcer in the U.S. At the moment, it has very broad jurisdiction over U.S. businesses, and recent changes in the White House administration as well as among FTC commissioners show a shift toward increased regulation around data protection.

Catching up to Europe, in 2023, U.S. businesses can expect to see explicit privacy requirements for supplier contracts, thanks to the CCPA and the new laws in Colorado and Virginia. New “reasonable” security requirements will also take effect, creating a baseline level of security for how companies handle customers’ personal information.

Additionally, organizations can expect new principles of data processing – a new concept for U.S. businesses – which will, for example, require businesses to minimize the amount of data they collect and keep. And the California Privacy Rights Act (CPRA) will update the CCPA, providing the right to opt out of a sale and of sharing, and the right to limit the use of sensitive personal information, including certain behavioral characteristics found in some data sets (e.g., ethnicity, union membership, religious beliefs).

Key takeaway – know your obligations

The takeaway for subscription businesses? Stay in the know. Change is always occurring around the laws and regulations of privacy. In order to stay compliant, retain customers, and stay out of trouble, subscription businesses must dedicate time to learning about their privacy obligations.
