Kenneth Sanford Discusses the GDPR, Apple Op-Ed & CCPA
In 2019, data is the thing. I know it’s been said for a while, but few can deny the way it is now a fixture in conversations around digital trends and transformation. The appearance of the GDPR in 2016 prompted many to reflect on their current use of data, and how that will change as time moves on. When the GDPR crossed the threshold from being implicit to fully enforceable on May 28, 2018, we started to see more and more headlines on the use of personal data, governance, and how brands could find a way to thrive under the new data regulations.
For the first time in our digital history, data science and practice have become mainstream conversations among consumers, marketers, and digital professionals alike, and have quickly ascended to the top of the list for most promising career opportunities in the US for 2019. To put it simply, organizations have been collecting data for years without entirely knowing how they’re going to use it. The people who are able to organize existing data and architect future collection to meet the regulatory requirements are becoming invaluable. In the end, it’s data’s pure, unadulterated currency of insight that makes it so powerful for brands.
While I consider myself far from an expert on the world of data and regulation, as a marketer, I am always looking for that next foothold to increase my knowledge base. For this reason, I was eager to speak with an established expert in the field, Kenneth Sanford, Data Science Consultant and Adjunct Professor of Business Analytics at Gatton College of Business and Economics. We discussed some of the most recent headlines in the data conversation, and he gave a preview of where brands can start when orchestrating their own data strategy.
France Hits Google With First GDPR Penalty for Big Tech
I knew I couldn't be the only one who was waiting to see which of “the Four Horsemen” would be the first to take an arrow for violating the rules of the GDPR. Earlier this month, we saw it happen when France’s data protection regulator, CNIL, penalized Google under the new privacy law to the equivalent of $56.8 million USD. CNIL based its fine on the fact that Google didn’t meet the country’s standards for providing consumers with enough information about its data consent policies, nor was it offering adequate information on how consumers’ data was being used.
Google is appealing, but even so, this fine seems to be a pittance considering how substantial GDPR fines can be. For Google, that penalty could have been in the billions if it had reached the maximum fine under the GDPR, which is 4% of annual global revenue. To put this fine into perspective, it works out to be less than one-twentieth of one percent of Google's revenue last year. Less than a parking ticket for someone with an annual salary of $50,000.
Since Ken was one of the first few experts we discussed the GDPR with on CMSC Media, I opened my interview with him by discussing this recent headline to get his thoughts: "A French regulator has essentially asserted that Google has not been 'transparent enough' in complying with the consent regulations put forth in GDPR and has leveled a small fine ($50 million Euro). While this amount is a rounding error for Google, they have now appealed this result. The entire tech community should thank and support Google for standing up to this first shot at GAFA. As GDPR is, at best, a moving goalpost, these charges are a weak first attempt to bully Google and others. Again, GAFA and all data-first companies are likely the very best at dealing with the first round of GDPR regulations and the governing bodies recognize this with their purely symbolic first fine."
Apple CEO Tim Cook States His Position
Shortly before the news broke of Google’s fine from France, Tim Cook, Apple CEO, wrote an op-ed in Time Magazine laying out his position within the data wars: “In 2019, it’s time to stand up for the right to privacy—yours, mine, all of ours. Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control, and the vanishing ability to control our own digital lives.” His suggestion for achieving this is to call on Congress to pass federal privacy regulations based on four principles: “the right to have personal data minimized, the right to know what data is being collected and why, the right to access and delete that data, and the right to data security.”
While I agree consumers should have mindfulness over the use of their own personal data, I hesitate to lay any responsibility on them in fear that it may absolve larger corporations from their responsibility for the ethical use of data. I know it's not a black and white argument, but if consumers were free to access and delete their data, would they also be provided with a list of all the places they would find it?
His sentiment, while laudable, has raised a few eyebrows when weighing the data conversation against Apple’s business model. As Kenneth explains here: "It seems a bit self-serving as Apple has had such little success monetizing data in the same ways that Amazon, Facebook, and Google have. Apple continues to struggle to build data products for their news, health, and other personalization services. Apple's use of individual user information is essentially able to be baked into product improvements, and forgotten by their systems. So his comment seems to align more closely with Apple's business model than the other GAFA companies."
Did the GDPR Cross the Atlantic?
When I was researching the GDPR, one of the biggest questions I had was whether this was just the tip of the iceberg and whether we could expect more regulations just like it to pop up around the world. While some said yes, many said it might be a while before the United States sees anything like it. Then, lo and behold, along came the announcement of The California Consumer Privacy Act on June 28th, 2018, one month to the day of the GDPR coming into effect. Set to go into effect in 2020, the CCPA may force big changes for those companies that deal in personal data. One of its main markers of difference, when compared to the GDPR, is how it homes in on those companies that already make a profit off of selling consumer information.
I was curious to hear from Kenneth about the differences he felt were important to note when looking at the CCPA in relation to the GDPR, and how he felt it would shake out next year when it comes into effect: “The California act applies to fairly large companies who collect data on their customers ($25 million revenue (and other criteria)), so most of these companies will have already addressed basic GDPR concerns. As California has so many other problems to deal with, and with how much of its economy is dependent on data-first companies, I would be surprised if the law claims many victims.”
How to Create a Data Strategy
In reading all these headlines, and the many more we’ll see pop up in the next year, I am sure digital professionals of all kinds are left hoping for two things: to responsibly leverage the insight a smart data strategy can offer, and to not become a cautionary tale in the media while they figure it out. Even though there are qualifications for brands to exist in the scope of the GDPR, no one should assume a false sense of safety from it as their MO.
Knowing how much experience Kenneth has in helping brands of all sizes create their most effective internal data strategy, I asked him to share his thoughts on how organizations can develop it to satisfy both governance requirements and their need for deep, valuable insight: "This is a very common problem for many small and medium-sized companies. At what point should they invest in building internal competencies around data? One of the challenges is that a critical mass of data-aware people must exist in a company should the decision be made to internalize these efforts. If this is lacking, resources will be pulled in too many directions, and nothing will get done. The alternative approach is to use external consultants. This approach has the benefits of bringing external learnings and organization, but often suffers from a lack of context around data. And of course, when a consultant leaves, so does the insight about data.
My recommendation is to bring in external analytics leadership to lead strategic direction and planning, and hire analysts and data scientists that can implement these objectives. This way, the insight stays with the company and the expertise of more seasoned leaders can share their cross-industry analytics experience."
It is not all puppies and butterflies. If you can believe it, as the GDPR went into effect, some organizations were simply blocking access for EU residents to their websites. I am not sure if it’s still happening, but I would say, at the very least, it sent a swift, clear message to those in the EU on where these companies stood on being mindful and respectful of their data rights.
Needless to say, the depth and breadth of knowledge that can come from a well-orchestrated and governed data strategy could be like striking gold for businesses. However, there is a lot that goes into a successful data practice. As the need for data expertise—both internally and externally—proliferates, I hope proper practice will become the norm globally, not just within the region various regulations apply to.