Preparing for the latest data regulatory wave

When you think of all the things it takes to run your business and all the issues that demand your attention each day, where does data policy and regulation rank? Your top 5? Top 10?

It’s probably not even on your list unless you also run a tech giant like Google or a digital marketing agency. Fair enough — but you should know that a bumper crop of new state laws, and a sea change in how data privacy is viewed, mean your business needs to get serious about its data handling post-haste.

The European Union and California were the trendsetters, as usual, becoming the first in the world to approve laws regulating how businesses collect, store and use data from their customers.

Starting in 2023, that list will expand to Colorado and Virginia, while California will implement a revised law with even tougher enforcement provisions. And that doesn’t include the dozens of other data privacy bills still under consideration at statehouses around the country.

One of the hardest, most aggravating things about this growing patchwork of data privacy law is that every law is bespoke, with different guidelines for who must comply and what types of data are covered.

For example, the EU’s General Data Protection Regulation, or GDPR, applies to any “data controller” collecting the information of EU citizens. This list could include for-profits, not-for-profits and public institutions.

Meanwhile, California’s data law, known as the CCPA, applies only to for-profit companies with gross revenues of $25 million or more (among other criteria). Colorado and Virginia’s laws will apply to companies and organizations of all sizes, but only those controlling or processing the data of at least 100,000 residents per year or deriving a certain percentage of revenue annually from the sale of that data.

Does your head hurt yet? Mine does just from typing that out.

Thanks to the borderless nature of the World Wide Web and the wide variety of personal information covered, you can easily imagine a situation where a business is required to comply with one law but not another.

Some industry watchers believe it’s only a matter of time before the patchwork becomes so arduous that a comprehensive federal data law is passed. It’s a nice thought, but even if it does happen, it will be far down the road, after dozens of states have their own laws on the books. Even then, the state-by-state nature of the minimum wage shows that some states may set stricter requirements for businesses, resulting in a patchwork all the same.

Unfortunately, you can’t just bury your head in the sand and hope this blows over like previous tech trends. Considering that non-compliant companies can face fines, injunctions and other legal actions, you’d best be prepared for what’s coming.

Not sure where to start? Here’s what we’re currently recommending to our clients:

Know your markets. With more data privacy laws going on the books each year, it’s important to understand where your customers are and how you’re using their data. For example, do you market to or do business in a state with data privacy laws? If so, how many customers do you reach there? Do you store or sell their data?

Get a site audit. Depending on the applicable laws, you may need to have special links or disclosures on your website, just to name a few things. A good digital agency can analyze your site for compliance with GDPR, CCPA and other data laws and keep it in good standing as new laws emerge.

Connect directly. This is a long-term goal, but know that the data privacy wave is more extensive than regulatory law. For example, Google is phasing out third-party cookies, while Apple’s iOS 14 makes it more difficult to track users; both developments mean companies can no longer rely on data sourced from other platforms to do business.

Work on getting closer to your customers through marketing tactics like social listening and ask directly for their information — you’ll get better data and be less likely to run into data compliance issues or angry customers over the long run.

John Osako is president and COO of Informatics Inc., a digital agency based in Cedar Rapids. Contact him at