As a marketer, you and your team are responsible for ensuring proper handling of personal data. But it’s not easy. Even as you’re working to maintain compliance with Europe’s General Data Protection Regulation (GDPR) the US then introduces the California Consumer Privacy Act (CCPA), and now Nevada has amended its data privacy law. Similar to the CCPA, Nevada’s SB220 provides consumers with additional data privacy rights. But what does that mean for your organisation if you’re based in Europe and generating leads from the US?
How the Laws Work, an Overview*
The CCPA offers transparency for California residents by giving them clear insight into how their data is collected and transacted. The GDPR offers similar protection for citizens across the EU; it replaced individual data protection laws with a single framework for Europe. The Nevada statute is an amendment to an existing Nevada online privacy law; it makes the state’s regulations similar to, but not quite as stringent as, those of neighboring California’s.
The Key Facts*
The CCPA:
- Protects consumers who are California residents.
- Defines personal information as anything that identifies, describes, relates to, or can be reasonably linked with a consumer or household.
- Regulates for-profit businesses and their service providers that operate in California and that fulfill several monetary conditions.
The GDPR:
- Defines personal data as information that directly or indirectly identifies a person.
- Focuses on protecting data subjects—any person residing in the EU who can be identified directly or indirectly.
- Deals with any individual’s personal data. Doesn’t include households. Only anonymised data is exempt.
- Targets data controller and organisations that process personal data on behalf of controllers.
The GDPR applies when a data controller or its processor is:
- Established in the EU.
- Or when non-EU controllers process the personal data of EU residents while offering commercial goods and services or monitoring their behaviour.
The Nevada Data Privacy Law
Nevada’s amendment, NV SB220:
- Empowers Nevada residents with the right to opt out of having their data sold to third-party data brokers from websites.
- Authorizes the attorney general to issue penalties for companies and organizations who violate such requests.
* “CCPA vs. GDPR: Similarities and Differences Explained” by Danielle Kucera, senior product marketing manager, Okta
The Cost of Non-Compliance
In February 2022, the Belgian Data Protection Authority fined IAB Europe 250,000 euros. The organisation ruled that IAB Europe’s Transparency and Consent Framework, used by much of the advertising industry in the European Union, does not comply with several EU General Data Protection Regulation provisions.
For companies across Europe, that fine underscores the importance of GDPR compliance. But it also illustrates the reason for monitoring compliance with Nevada’s Data Privacy Law, CCPA, and any other regulations.
Under the CCPA, the California attorney general's office can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after providing notice and a 30-day opportunity to cure.
Under the GDPR, the EU's data protection authorities can impose fines of up to up to €20 million or 4 percent of worldwide turnover for the preceding financial year—whichever is higher.
Nevada’s Data Privacy Law carries a fine of $5,000 per violation.
How Marketers can Avoid Non-Compliance and Fines
- Review your policies and update where appropriate.
- Do a test run of your website experience and data collection procedures.
- Educate and inform throughout your organisation and ecosystem.
- Stay informed of new or amended compliance (privacy) regulations. New laws are proposed, and at various stages of consideration, at the state and federal levels in the United States. In the Asia-Pacific region, a variety of regulations are also reshaping the way governments there protect data rights.
