This article, which was originally published on Cognism’s blog, is Cognism Compliance Officer Megan Bennett’s guide to key data protection rules and regulations.
As we move into the next decade, countries around the world are following the lead of the EU and bringing in stricter data compliance laws, with harsh penalties for companies that fall foul of them. If you’re working in B2B, it’s essential that you know what you can and can’t do with your data.
Current data compliance laws
The most well-known data compliance law, particularly in the UK, is the General Data Protection Regulation, or GDPR. It came into force in May 2018 across the whole of the EU and EEA.
The GDPR’s aim was to give citizens more control over their personal data, as well as set out ways that companies must process and protect the data they hold about their customers.
GDPR rules around processing personal data do apply to B2B companies. But they can still carry out marketing activities such as cold calls or emails if they can prove ‘legitimate interest’.
Penalties for not adhering to the GDPR are severe, with the maximum fine being €20 million or 4% of annual worldwide turnover for the preceding year—whichever is greater.
Elsewhere in the world, in Canada, there is CASL, which stands for Canadian Anti-Spam Legislation. CASL concerns email marketing and applies to all emails sent to Canadian residents as part of commercial activity.
The primary feature of CASL is that recipients must give companies consent before they can email them. Implied consent can be used to send unsolicited B2B emails if the person’s email address is publicly available (e.g. on company websites) and unaccompanied by a statement that confirms they do not wish to receive email marketing to their business email address.
If the person’s email address isn’t publicly available, B2B companies must ensure they only contact customers or prospects who have consented.
It’s another provision of CASL that a clear unsubscribe option is included in all marketing communications.
The penalties under CASL can be severe. The maximum fines are $1 million for individuals and $10 million for corporations per violation.
In the US, the CAN-SPAM Act has been in force since 2003, governing commercial emails. CAN-SPAM dictates that marketers cannot be dishonest when sending electronic messages. It also requires them to provide an unsubscribe function in their emails and act on it within ten days. There are no exceptions for B2B marketers.
CAN-SPAM is enforced primarily by the FTC (Federal Trade Commission). The FTC has the power to impose penalties of up to $16,000 per email that violates CAN-SPAM.
New and future data compliance laws
With the GDPR, the EU set a standard for data compliance which other states and countries now want to follow.
On 1st January 2020, the California Consumer Privacy Act, or CCPA, came into effect in the US state of California [the final regulations were approved in August 2020]. It applies to any for-profit entity doing business in California that meets one of the following:
- Has a gross revenue greater than $25 million.
- Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
The law also applies to any entity that either:
- Controls or is controlled by a covered business.
- Shares common branding with a covered business, such as a shared name, service mark, or trademark.
In addition, parts of the CCPA apply specifically to service providers and third parties.
CCPA is similar to the GDPR in that it requires companies to identify all personal information they hold on their customers, as well as how they sourced that information. They must provide and publicize unsubscribe links on company communications, as well as delete personal data if the customer demands it.
B2B marketing activity is covered by the CCPA, although B2B companies do not have to comply with some parts of the act until 2021. The maximum penalty granted under the CCPA is $7,500 per violation, if the violation is found to be intentional.
Maine and Texas
In the wake of the CCPA, other states are considering bringing in their own data privacy laws. In Maine, a new law regulates what broadband providers can do with their customers’ data, including their browsing histories.
At the same time, in Texas, a new law requires companies to notify residents if they suffer a security breach which could lead to theft of personal information. A similar provision exists in the GDPR.
In Brazil, the LGPD will come into force in August 2020 [The Brazilian senate has agreed on an extension until January 2021, and sanctions derived from the law can only be made from August 2021]. The new law regulates companies that hold data on citizens of Brazil, whether they have a physical presence there or not.
Like GDPR, the LGPD governs how companies can keep data on their customers. This law does not apply to B2B activities. However, it’s a good illustration of how countries are tightening up their data privacy laws. The direction of travel is towards tighter regulations everywhere.
Why data compliance laws are spreading around the world
The introduction of the GDPR across Europe in 2018 showed the world that you can legislate to protect data privacy. It has normalized stringent privacy and data protection rules while promoting best practices in marketing communications.
In addition, anything that reduces the number of irrelevant calls or emails received by consumers will be seen as a good thing. It’s no surprise then that other countries and states have been inspired to tighten their regulations too.
California is leading the way in the US, although it currently looks like the rules will vary between individual states. This makes it very difficult for B2B companies to keep track of everything. They will need to employ increasingly complex compliance mechanisms to keep on top of new legislation. In practical terms, businesses will choose to align themselves with the most stringent laws, rather than adapt their policies to every state.
What are the risks of non-compliance?
Rules around data protection vary from country to country and state to state. So too do the penalties and fines for breaking them.
It’s vital for B2B companies to stay informed and updated about the regulations that apply to their industries and the territories they do business in. If you don’t, you could face hefty penalties, as two companies in the UK are finding out to their cost.
The Information Commissioner’s Office (ICO) signaled its intention to fine the hotel giant, Marriott International, £99.2 million for breaking GDPR rules around a data breach. Personal data relating to around 7 million UK citizens was compromised as part of the breach, which happened in 2014 but wasn’t discovered until 2018.
While the breach happened to a different company, Starwood, Marriott acquired Starwood in 2016. The ICO found that Marriott did not do enough due diligence around their acquisition of Starwood and had not done enough to secure its systems.
The ICO intends to fine British Airways an even larger amount: £183.39 million. This relates to a cybercrime incident in September 2018, where some visitors to the BA site were directed to a fraudulent mirror site, which was used by criminals to harvest personal details. The ICO found that BA did not do enough to safeguard its customers’ data.
If those eye-watering fines aren’t enough to get you thinking about how your company protects customer data, I don’t know what will!