Unstick Your Consent Management ProcessesMay 15, 2023
New state data privacy laws in the U.S. have much in common with the EU's GDPR legislation, which went into effect in 2018. Which is good news, in that it gives those of us serving primarily U.S. constituencies with an already-in-place model from which to build.
One of the biggest consistencies between emerging state laws is that businesses will have a 45-day window to honor an audience member's request to view the data you've stored about them -- or to request you delete that data entirely.
A few key takeaways:
- You are responsible for providing the vehicle by which a person can request access to or deletion of their data. This includes providing a form for manual requests, as well as enabling cookie opt-in banners.
- You must honor requests for deletion of the audience member's data from whichever channels they note.
- You have to be able to provide the paper trail confirming you've honored audience requests.
This is challenging for a few reasons: It requires you to have ongoing knowledge of the legislation transpiring throughout the U.S. states, which is changing regularly and includes a pending federal law. It requires you to understand all of the places you own audience data. And it requires you to have an operational process in place to ensure erasure happens in each of those places. For your sake, that process would preferably be automated and scalable.
To add complication, consider this use case from Ketch, in which a person invokes their right to have their data deleted. The identity marker they provide so that you can find their record is an email address -- which is all they are required to provide. However, some of your systems may not recognize that person based on an email address alone. Resulting in shenanigans.
In the example above, the company housing constituent data would have a challenging time using one piece of information to identify an audience member and subsequently honoring their request in an automated way.
Similarly, a person could invoke their right to erasure by using the Global Privacy Control Signal, which is considered in most states a valid way to submit this request and must be honored by the organization receiving it. This could also easily turn into a manual process if your systems aren't set up to easily operationalize.
There are several tools to make this process easier:
- Ensure your internal systems are set up to recognize a user's request to opt out when they use Global Privacy Control to do so. Doing this will require the support of a web developer who can ensure your backend recognizes the opt-out code, which is supplied automatically in certain browsers like Firefox and can be manually added to browsers like Chrome. Tools like OneTrust or a consent management system (see next point) can support you in both setting up your cookie opt-in banner and in enabling cookie blocking per user request so that your backend process these incoming signals without manual intervention needed. For organizations that collect user information, the GPC signal can be incorporated into your forms and passed through to your backend systems to allow for seamless permission integration.
- Consider a consent management platform that can automate opt outs throughout all of your systems. Ketch provides one of the most intuitive platforms I've seen on this front and, in the use case they present above, would support you by creating the identity resolution infrastructure to recognize Bob's email address and match that with their Hubspot Visitor ID.
Need support determining how you're storing user information and whether you're in a position to honor audience requests?
>> Book 1:1 help to formulate your action plan or discuss an audit.
>> Contact me about ongoing support with your consent management strategy.