As an increasing number of consumers adopt digital technologies, data privacy laws are evolving at an equally rapid pace. Europe’s and California’s privacy laws are leading the way, and the Federal Trade Commission (FTC) is actively enforcing data privacy regulations in businesses of all sizes across the United States. Protecting consumers’ data is not just the right thing to do—it makes smart business sense. But you’ve got to do it right. Let’s talk about a customized data privacy program.

Three giant reasons to invest in a robust privacy program

Investing in a data privacy program can seem to some stakeholders expensive and difficult, with limited or invisible return on investment. It’s true that creating and maintaining a robust privacy program will require planning and spending out of the gate. But the data shows that businesses with strong privacy programs reap tangible benefits; feeling good about doing the right thing for customers is just a bonus.

Here are some reasons why a robust privacy program will benefit your company:

  1. One-third of your customers are paying close attention to your privacy practices—and will leave if they don’t like what they see. Customers are more likely to spend with businesses that treat their personal data with respect. Everyone has a phone in their pocket, a computer on their desk, and all sorts of other smart devices in their homes. People are becoming increasingly conscious of their digital footprints and the risks that come with living a digitally connected life. A 2022 Cisco survey revealed that 32% of customers are “Privacy Actives,” meaning that they care about privacy, are willing to act to protect it, and most importantly, have already acted by switching companies or providers to better protect their privacy.
  2. The return on investment in data privacy is almost 3:1. Cisco’s 2020 Data Privacy Benchmark Study drew on data from 2800 organizations in 13 countries. It showed that for every dollar spent on privacy, the average company receives $2.70 in associated benefits.

    “This research provides evidence for something Privacy professionals have long understood—that organizations are benefitting from their privacy investments beyond compliance. The Cisco study demonstrates that strong privacy compliance shortens the sales cycle and increases customer trust.” -Peter Lefkowitz, Chief Digital Risk Officer, Citrix Systems and 2018 Board Chairman, International Association of Privacy Professionals (IAPP)
  3. You will spend less on privacy breaches. Marketing teams love to provide personalized customer experiences, and in order to do that, they need to know who their customers are. But collecting personal data, even for great reasons, can expose the organization to a potential breach. Privacy breaches have a far-reaching impact. They cost not only a big drop in consumer confidence but also eye-watering fines. Facebook settled their Cambridge Analytica lawsuit for $5 billion, and Equifax’s exposure of the data of 147 million people settled for $700 million. Even medium-size companies may have to spend big on breaches: the cost of an average data breach in the United States is a whopping $9.44 million. When you add in the exodus of customers due to loss of trust, costs climb exponentially.


Investment in a solid privacy program reduces the risk of breaches, huge fines, and the departure of disgruntled customers. It shows current and potential customers that you respect their data and that you care about sound business practices across the board. The financial and reputational risks of not having a privacy program far outweigh any imagined savings.

Threading the needle with the CPRA, GDPR, and FTC

Businesses have been working to set themselves up for compliance with Europe’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). Under these laws, residents of Europe and California, respectively, have the right to the protection of their personal data.

The CPRA (and the CCPA, which the CPRA amends) gives individuals the right to know what personal information is being collected and for what purpose; the right to access, correct, or delete their personal information; the right to know what personal information is sold to or shared with other entities; the right to opt out of the sale or sharing of their personal data; and the right to have their data “ported,” or sent from one service provider to another. They also have the right to limit use and disclosure of sensitive personal information.

Under the GDPR, individuals have the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision making, including profiling.

In order to comply with these laws, a business must create a privacy program with very specific and definite disclosures. Failure to do so can incur major fines from the regulatory agencies that enforce these laws; however, there is another agency with similar intent but conflicting practice. Enter the FTC!

The Federal Trade Commission (FTC) is the most active and strict privacy regulator in the United States. This agency protects consumers against “unfair or deceptive practices,” and in doing so, makes sure that companies do not make misleading statements about their privacy practices. The definitive statements required by the CPRA and GDPR can make companies vulnerable to scrutiny by the FTC because if any of their stated declarations is not 100% accurate, the FTC could file charges. While a definite and specific privacy policy may comply with the GDPR and CPRA, it may attract the hungry attention of the big, bad FTC.

Because threading this needle requires a steady hand, many businesses are turning to legal experts to help them avoid a painful jab. The trick is to draft privacy disclosures that are not so specific that they tempt the teeth of the FTC, but specific enough that they pass the exacting standards of the GDPR and CPRA.

Generate customized privacy documents with SixFifty

SixFifty’s Privacy toolset helps organizations comply with the GDPR and the CPRA—and all other state privacy laws in the United States. Generate the customized legal documents written by top legal experts and required by privacy laws around the world. Then rest assured that when laws evolve, we update our tools so your documents are always up to date. If you’d like to make better decisions surrounding data privacy and ensure compliance in a rapidly changing landscape, schedule a demo with SixFifty today.