Data Privacy: How to reconcile marketing strategy with regulatory requirements

As of September, there is a new law for data protection in Switzerland, the revDSG. On this occasion, Zbynek Zapletal provides a useful overview of the data protection regulations, the changes and their impact on marketing activities in his guest article.

Consumers are now more aware than ever of the value their data represents to businesses and how companies can use it. In this context, a number of data protection regulations have been enacted around the world. Their goal? To ensure that every user has the right to protect and access their personal data. This can be a tricky issue for marketers, and even more so for those dealing with different types of data in different countries.

What is Data Privacy?

The term data protection refers to the rules that apply to the use of users' personal data in the course of a professional activity. Each country has its own regulations, so it can be difficult for companies to comply with them. However, all these regulations have the same basis, namely:

- Consent: Users must be informed in clear form about how their data may be collected, stored and used. They must give their express consent to the collection, storage and use of this data.

- Legal conditions: The regulations define the consequences and legal obligations for companies that collect and use this type of data.

- Rights of users: Users have access to their personal data at any time and may request its modification, correction, deletion or restoration.

- Data security: Every company must inform the authorities as soon as possible if it has been identified as having suffered a personal data breach.

What kind of data are we talking about?

Any type of personal data is subject to data protection regulations. Thus, any data that allows a person to be identified, directly or indirectly, falls within this legal framework. These personal data are:

- Name, first name, e-mail address and phone number
- Any kind of socio-demographic data (profession, gender, age...)
- Any kind of geolocation
- Data related to the way a user uses the Internet (IP address, behavioral data...).

It should be noted that data that has been passed on at the initiative of the user is also affected. The same applies to internal company data (all data relating to the company's employees).

Who is affected by data protection?

Any company that collects, stores or uses personal data about its users is affected by data protection. Most regulations are designed from the user's perspective. This means that they apply to companies that use personal data of users located in the region to which these regulations apply. In other words, even if a company is not located in a region where a particular regulation applies, or its data is stored in another country, it is
the company is nevertheless affected, its users should be located in this region. Therefore, it is important to know the various regulations and comply with them.

What regulations are in place to monitor data protection?

The following explains the various personal data protection regulations that should be known in order to best adapt marketing activities to the regulations.

The DSGVO/GDPR (General Data Protection Regulation) applies in Europe. This is a regulation of the European Union that came into force in 2018 and is enforced by the respective competent national authorities.
It requires that companies, among other things,...
- require users to ask for their explicit consent when collecting their personal data
- have a register explaining how this data is collected, stored and protected at all times
- allow users to modify, correct, delete or retrieve their personal data.

In California, it is the CCPA (California Consumer Privacy Act) that must be complied with. This regulation, which went into effect in 2020, is very similar to the GDPR, but specifically regulates how companies store and share the data of California residents. These users must be informed about how their data is being collected, and they must have access to that data at any time to request its deletion.

In Brazil, the LGPD (Lei Geral de Proteção de Dados), which came into force in August 2020, regulates the concept of data protection. This law, which is also directly based on the GDPR, defines how companies collect, process and share the personal data of users residing in Brazil.

The rules on data transfer outside the EU

If a company needs to transfer data to countries outside the EU, it is necessary to comply with the regulations in force in the countries. In France, for example, the CNIL (Commission Nationale de l'Informatique et des Libertés), in Germany the BFDI (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit) and in the UK the ICO (Information Commissioner's Office) no longer have to grant approval for data transfers outside the EU since the GDPR came into force if they are based on ...
- Standard Contractual Clauses ("SCC") established by the European Commission,
- a code of conduct approved by the EU,
- an internal regulation approved by the EU for a specific company or
- be based on a certification approved by the EU.

It is important to note, however, that both the company exporting personal data and the company importing it must check exactly what the specific regulations of the country in question are.

What changes are on the horizon? And how will they affect the market?

As the concept of data protection is constantly the subject of new laws and regulations, it is crucial to anticipate upcoming changes in this area.

revDSG: a new law for data protection in Switzerland

In Switzerland, companies must comply with the new data protection law revDSG from September 1, 2023. This law is also aligned with the GDPR to maintain the free flow of data between Switzerland and the EU and to ensure the protection of users' rights.

- It contains the main principles of the GDPR
- Users must be informed about the collection of their personal data (not only about sensitive data, as already mentioned in the law)
- Companies must create a data register
- In addition, they must inform the data protection officer immediately if a security breach is detected
- The principles of privacy by design and privacy by default are introduced by the law.

Data transfer between the USA and the EU

In early October 2022, the U.S. President announced that a new regulation for data transfers between the United States and the European Union will be introduced to ensure that this data is as well protected as under the GDPR. This new regulation replaces the two previous draft frameworks "Safe Harbor" and "Privacy Shield", which were declared invalid by the European judiciary.

This regulation...
- Establishes a new privacy review court under the authority of the U.S. Department of Justice
- provides that the United States shall limit access by its competent authorities to the data of Europeans to what is "necessary" and "proportionate."

Navigating the numerous privacy regulations in place around the world can be challenging for marketers, who must ensure compliance while delivering a good user experience and optimizing campaign performance.
To achieve this balance, a powerful Consent Management Platform (CMP) is essential, as well as advanced tracking across all platforms and monitoring of results through analytics.

* Zbynek Zapletal is Director of Programmatic & Tech Development DACH & CZ at Gamned Suisse SA.

More articles on the topic