Going beyond cookie consent: 3 strategies to achieve data compliance

Data compliance doesn’t stop with cookie consent. Learn how to establish a logical and adaptable compliance framework for your brand.

Chat with MarTechBot

With new and conflicting global legislation, it seems no one can agree on the appropriate methods for data collection and the extent of data protection. In turn, data compliance has become more complex than ever before and global privacy regulations continue to evolve. 

Data is recognized as the most valuable resource for brands and marketers around the world. While the ethics behind collecting user data is universally shifting (i.e., third-party cookies), a company’s data compliance does not stop with cookie consent. Legislation like the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR) can give users greater power over their data, but brands need to be prepared to quickly meet data subject access requests (DSAR).  

The volume of DSARs is increasing for companies worldwide. These requests, often submitted by individual consumers, require brands to share:

  • How an individual’s personal information has been collected and stored.
  • How it’s currently being used. 

DSARs can also require brands to take certain actions with an individual’s data such as:

  • Deleting personal information.
  • Updating incorrect data.
  • Opting out of future data collection.

With constantly evolving compliance expectations and regulations, trying to plan for the evolving intricacies of data compliance can seem daunting. 

The following three solutions cut through the compliance clutter and can help brands establish a logical and adaptable framework.

1. Keep compliance clear and simple 

Compliance is a complex and technical subject, so it’s not surprising many companies are over-engineering their internal processes and communication methods. However, compliance doesn’t just impact technical teams. 

A DSAR has the potential to touch sales, marketing, information technology and many more departments before landing in the compliance team’s queue. Additionally, the size of internal teams dedicated to implementing solutions is often grossly overshadowed by the magnitude of potential DSAR requests. 

Dig deeper: Why marketers should care about consumer privacy

Outlining and aligning on the compliance process facilitates shared understanding across all departments regardless of technical aptitude. It’s imperative to establish a clear vision and definition of your martech stack. Identify the system endpoint connections and how internal technology communicates with external systems — so that all the data pathways are clear.

When monitoring and controlling the DSAR request audit trail, it can be tempting to build out multiple data ingestion connections to meet various requirements. System connections such as APIs or native connectors as well as third-party connections for activation channels all have various technical requirements. By taking the time to establish a one-way connection and communicate this process across departments, brands can ensure all parties remain on the same page. 

2. Utilize the right toolset

Once a clear and simple compliance process is established, it’s time to focus on utilizing systems that are clearly in scope and to establish one for handling the majority of requests. With Google’s 2024 deadline for the deprecation of third-party cookie support rapidly approaching, marketers are frantically readjusting strategies to account for the loss of data. 

While there are a number of tools available for managing cookie consent, few tools offer a comprehensive user-consent compliance workflow or meet the requirements of the California Privacy Rights Act (CPRA) — to take effect in early 2023 — which outlines stricter amendments to the existing CPPA.

A third-party provider is often an ideal solution for streamlining data requests as the system to process requests per dataset should be customized to the needs of the brand. A strategic technical partner can design compliance workflows utilizing tools like OneTrust, a cloud-based security and governance solution, to implement a dedicated model for creating a curated backlog of requests.

Get MarTech! Daily. Free. In your inbox.

3. Empower your decision-makers

Marketers must recognize the additional research and build-time needed to infuse compliance into existing workflows. Bottlenecks can occur when the decision-making hierarchy isn’t clear.

Establishing a data governance team is a prime solution to ensure the decision-making process for varying data requests is understood and facilitated at the enterprise level. These risk-averse teams are often cross-functional, including experts from IT, compliance and legal departments. 

Data governance teams are connectors for the enterprise, ensuring the business remains compliant with new data privacy laws. These teams inform both technical and non-technical users on the importance of compliance as well as the effort required to design, build and implement technical solutions like DSARs.

The future of compliance

As of this summer, the CNIL, France’s data privacy watchdog, has ruled local use of Google’s Universal Analytics platform as a breach of European Union Law. The legal issue impacts the entire European Union with a specific focus on how user data is being transferred to the U.S. for processing by Google. 

While the EU-U.S. Privacy Shield sought to establish a compromise by introducing a replacement data transfer mechanism, the deal will not formally be adopted by the EU until the end of the year. Therefore, CNIL does not consider the standing agreement a valid legal framework to guide U.S. cloud services that process Europeans’ data. This legislative standstill has placed brands around the world in a complex situation as they work to define their marketing and compliance strategies for the new year. 

Subsequently, the American Data Privacy and Protection Act (dubbed the American equivalent of GDPR) is the first federal privacy legislation to advance out of committee. While there’s still a long way to go, this privacy legislation has bipartisan support and would greatly impact American consumer privacy — which has thus far been the responsibility of the states — on a federal level. 

Many are concerned about what this means for companies that have recently finalized CCPA and CPRA compliance programs as new legislation could potentially overhaul their privacy frameworks. 

Data privacy is more than a trending topic. The mounting global interest will soon spark universal action impacting the compliance operations of companies across markets and at all levels. A clear compliance process that uses strategic tools and consistently empowered decision-makers will ensure brands can continue to navigate compliance past cookies and beyond. 


Opinions expressed in this article are those of the guest author and not necessarily MarTech. Staff authors are listed here.


About the author

Hugo Loriot
Contributor
Hugo is Partner and head of the North American business for 55, the data consultancy which sits within The Brandtech Group and is one of Google's top global partners. After an initial 4 years at Google, his career has spanned multiple roles in the adtech and martech industry, where he is a widely trusted advisor to brands on all facets of how to deploy data to optimize their marketing and customer experience. Hugo is a recognized thought-leader and authority on all aspects of data management and privacy related issues for brands, with a knack for simplifying arcane and complex subjects without ever dumbing them down: he is a regular contributor to publications as diverse as AdExchanger and The Drum, and a frequent speaker at marketing and data-focused industry events.

Get the must-read newsletter for marketers.