The General Data Protection Regulation (GDPR) imposes obligations on the processing and securing of personal data, and compliance has become fundamental to companies' digital transformation. Those that fail to comply are exposed to major financial penalties that can also damage their brand image.
Compliance is becoming all the more essential as GDPR has brought in its wake other regulations abroad, including the CCPA (California Consumer Privacy Act) which came into force in California early 2020. Eventually, companies will have to comply with the regulations of each country in which they do business.
New directives imposed by France's CNIL, growing local regulations... what should companies expect and how will they manage this multi-compliance?
France's CNIL increases GDPR controls
Apart from a few new features (traceability of consent, privacy by design, risk analyses...), 90% of the main principles of GDPR have existed in France since 1978. Despite this, the CNIL (Commission Nationale de l'Informatique et des Libertés) noted that it was difficult for companies to comply with this regulation on the day it came into force, and granted a period of tolerance, suggesting that it would only sanction companies that had not started the process of compliance. But today, the supervisory authority no longer hesitates to sanction offenders. Since May 2018, European regulators have imposed over €114 million in fines [1]. In December 2018, Uber and Bouygues Telecom were fined €400,000 and €250,000 respectively. For its part, Google had to pay €50 million in January 2019, followed by Sergic (€400,000), Uniontrad Company (€20,000), Active Assurances (€180,000) and most recently, Futura Internationale (€500,000).
Cookie compliance: a new recommendation to consider
In a context of growing domination by the GAFAs and in the era of hyper-personalisation, GDPR has also turned the advertising world upside down, in particular the collection of personal data and the use of cookies. The CNIL has also announced that in 2020 it will place the issue of cookies at the centre of its work, with a new recommendation.
Therefore, companies will be obliged, for certain purposes, to obtain users' consent before writing or reading cookies and other tracers. Simply continuing to browse a site will not constitute proof of consent and a user may refuse to be tracked, without being blocked from accessing a site.
In terms of data collection, the context will no longer be the same, particularly for users who do not have a customer account. A user creating an account is more likely to agree to share their data; the same is not true of a user who simply browses the website. Collecting consent from such users and exploiting their data will become much more complex.
Faced with the upheaval caused by the Coronavirus epidemic, the CNIL decided to postpone this communication, but the impact of GDPR and this recommendation on the collection of cookies will push brands to implement effective solutions, such as CIAM, to encourage the creation of customer accounts and ensure the collection of consents.
Many initiatives similar to GDPR are emerging around the world
Another major data protection law came into effect on 1 January 2020: the California Consumer Privacy Act (CCPA). This California data protection law regulates how companies around the world can handle the personal information of Californian consumers. The CCPA is the first law of its kind in the US. Although the scope of this new legislation is somewhat different from GDPR, it gives consumers more or less similar rights to control and opt out of the use of their data. It also requires "businesses" under certain conditions (excluding public bodies and associations) to keep data secure, to be transparent about the types of personal data collected, and to handle users' requests for deletion of personal data.
But these two major laws are just the tip of the iceberg and many other countries are developing similar laws or are on the cusp of doing so!
While in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is being implemented, a dozen US states have introduced bills to provide users with greater transparency and control over personal information. In Brazil, a general law on personal data protection (LGPD) is also planned for next August and in China, the government has announced changes to the regulations on data use for 2020. Finally, last December the government of India presented the first version of a law that is supposed to give people more control over the use of their data.
Any company intending to develop internationally will have to comply with all these local regulations, and very quickly, in order to retain the trust of its consumers.
CIAM, a response to GDPR and other new regulations
All of the new recommendations, including cookie consent and local regulations, are driving brands to turn to CIAM (Customer Identity and Access Management), which enables the creation of unified, data-rich customer profiles that are highly secure, while meeting compliance requirements, including user control of data.
CIAM solutions facilitate the creation of customer accounts by providing fast and secure access via modern authentication methods. They also ensure that companies can collect and centralise identities by assigning a unique identifier to each user, regardless of the point of contact, and enable them to collect and manage customer consents. With CIAM, brands can keep track of all of their customer information and respond to requests from users in the context of exercising their rights; they can also respond to audit requests from the supervisory authorities - providing them with proof of consent and traceability of consent.
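The two requirements above (no non-essential cookie is written or read before explicit consent, and every consent must be provable and traceable on request) can be made concrete in a small consent gate. The following JavaScript is an added example, not code from this article or from any CIAM vendor; the class, purpose names, policy version and in-memory cookie jar are all this example's own assumptions standing in for a real browser's document.cookie and a CIAM consent store.

```javascript
// Added example (not from the article): a consent-gated cookie jar with an
// append-only consent trail. Names and data below are constructed for illustration.

const ESSENTIAL = "essential"; // strictly necessary cookies: no consent needed

class ConsentManager {
  constructor(policyVersion, clock = () => new Date()) {
    this.policyVersion = policyVersion; // which version of the policy the user saw
    this.clock = clock;                 // injectable for deterministic tests
    this.jar = new Map();               // stands in for document.cookie (in-memory)
    this.consents = [];                 // append-only audit trail of consent events
  }

  // Record a consent decision. Only an explicit user action counts: implicit
  // signals such as scrolling or continued browsing are rejected, not recorded.
  recordConsent({ purposes, granted, source }) {
    if (source !== "explicit_action") {
      return { accepted: false, reason: "implicit signals are not consent" };
    }
    const event = {
      at: this.clock().toISOString(),
      policyVersion: this.policyVersion,
      purposes: [...purposes],
      granted: Boolean(granted),
      source,
    };
    this.consents.push(event);
    return { accepted: true, event };
  }

  // Latest explicit decision for a purpose; false if the user never decided.
  hasConsent(purpose) {
    for (let i = this.consents.length - 1; i >= 0; i--) {
      const e = this.consents[i];
      if (e.purposes.includes(purpose)) return e.granted;
    }
    return false;
  }

  // Write a cookie only if its purpose is essential or explicitly consented to.
  // A refusal returns false; the site keeps working, the tracker is simply not set.
  setCookie(name, value, purpose) {
    if (purpose !== ESSENTIAL && !this.hasConsent(purpose)) return false;
    this.jar.set(name, { value, purpose });
    return true;
  }

  // Withdrawal is itself an explicit, logged event; cookies for the withdrawn
  // purposes are removed so they are no longer read on later requests.
  withdrawConsent(purposes) {
    const res = this.recordConsent({ purposes, granted: false, source: "explicit_action" });
    for (const [name, c] of this.jar) {
      if (purposes.includes(c.purpose)) this.jar.delete(name);
    }
    return res;
  }

  // Proof of consent for an audit request: the full trail for one purpose.
  proofOfConsent(purpose) {
    return this.consents.filter((e) => e.purposes.includes(purpose));
  }
}

// Walk-through on constructed data: session cookie, analytics tracker, a scroll
// that must not count as consent, an explicit grant, then a withdrawal.
function demo() {
  const cm = new ConsentManager("cookie-policy-2020-03");
  const r = {};
  r.sessionBeforeConsent = cm.setCookie("sid", "abc", ESSENTIAL);
  r.analyticsBeforeConsent = cm.setCookie("_ga", "x", "analytics");
  r.scrollCounts = cm.recordConsent({ purposes: ["analytics"], granted: true, source: "scroll" }).accepted;
  cm.recordConsent({ purposes: ["analytics"], granted: true, source: "explicit_action" });
  r.analyticsAfterConsent = cm.setCookie("_ga", "x", "analytics");
  cm.withdrawConsent(["analytics"]);
  r.analyticsAfterWithdrawal = cm.jar.has("_ga");
  r.auditEvents = cm.proofOfConsent("analytics").length;
  return r;
}
```

The point of the design is that the audit trail, not the cookie itself, is the evidence: each event carries the policy version the user saw, a timestamp and the fact that it came from an explicit action, which is what a supervisory authority asks for when it requests proof of consent.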
The time for resistance and denial is over! Today, it is important for companies to consider regulatory compliance as an opportunity, a full dimension of their business, and this on an international level.
Brands that want to develop and maintain trusting relationships with their customers must therefore quickly take up the subject and integrate CIAM into their strategy, for optimal compliance, effective identity governance and enhanced data protection.
[1] Study by the British law firm DLA Piper published on 20 January 2020.