There is no question that the collection, analysis, and use of personal data is very valuable for almost any marketer. In fact, many marketers consider the personal data they have collected to be one of their most important assets. Personal data, and the use and misuse of such data, has been a hot topic over the last few years. For example, when the world learned of Facebook giving the personal data of over 80 million unwitting users to Cambridge Analytica, how marketers were handling and sharing personal data suddenly seemed more important than ever before.
A marketer does not have to be the size of Facebook, however, to be concerned with personal data that it collects and maintains. Virtually every marketer collects at least some form of personal data, such as employee records, customer names, credit card or bank information, and records of service or purchases. Even marketer-to-marketer companies who do not interact directly with individual consumers need to be cognizant of the collection and use of personal data as B2Bs often collect personal data such as employee data and personal information of company contacts. Personal information, such as IP addresses, can also be collected automatically when an individual visits a website.
There are an overwhelming number of laws governing the collection, storage, and use of personal data and the means and methods by which a marketer must notify individuals for whom personal data is collected. Failing to properly follow applicable laws can result in heavy fines or other penalties for a marketer. There are currently over 100 countries on six continents that have enacted some form of privacy laws to protect individuals whose personal data is collected and used by a marketer. In addition, over 20 U.S. states are currently in the process of enacting their own privacy laws. Two of the most overarching privacy laws are the European Union’s General Data Protection Regulation (“GDPR”), which took effect on May 25, 2018, and the California Consumer Privacy Act (“CCPA”), which took effect on January 1, 2020. Any marketer that collects personal information from an individual who is a resident of the EU is subject to the requirements of the GDPR, and any marketer that meets certain income levels ($25 million gross worldwide) or other thresholds and collects personal information from an individual who is a California resident must comply with the CCPA.
Although the GDPR and CCPA have differences, they are similar in a number of key respects:
- Marketers must provide clear and concise disclosures to individuals from whom they collect personal information at the time the information is collected;
- The disclosures must provide the individual with an explanation regarding what information is collected and how it is used;
- Individuals must have an ability to opt-out of the use of their personal information for certain purposes;
- Marketers must delete personal information upon request from an individual;
 These materials have been prepared for informational purposes only. This information is not provided in the course of an attorney-client relationship and is not intended to constitute legal advice or to substitute for obtaining legal advice from an attorney licensed in your state.