Data Privacy Regulations – Is Your Brand Safe?

Sep 13, 2023

Kobie recently weighed in with Loyalty 360 on the topic of data privacy regulations.

As governments enact new data privacy laws and set forth regulations to protect consumers, some brands remain unprepared to meet the new requirements — unsure of what they must do to remain compliant and where to begin. With challenges spanning internal questions about data previously collected, how to continue interactions under the new regulations, and who within the organization should own the responsibility, it is no surprise that many brands have yet to form a cohesive strategy to adhere to and thrive under the laws that have been enacted and the ones to come.

Kobie’s VP of Vendor Management, Data Privacy, Security and Compliance, Nicolle Schreiber, provided insights as to how we approach this with clients to ensure we are enabling compliance across the board.

1. Where do you think most brands and marketers fall in their understanding of data and privacy regulations such as CCPA, GDPR, etc., and their impacts on customer loyalty strategies?

Data and privacy regulations are an ever-changing landscape for both domestic and international companies. Due to this, brands and marketers can struggle with ensuring they are up to date with laws and regulations. Many of the larger marketers have data privacy individuals on staff or consultants on retainer to provide oversight and ensure compliance. Unfortunately, many medium and small companies do not have these types of resources and must rely on trade journals or best practice white papers to guide their strategies.

2. How has the focus on privacy and privacy regulations changed for your clients in the last 12-18 months?

There has been a heightened concern with clients, especially as domestic regulations and laws have continued to evolve. Last year and recent months have required preparation for the 2023 consumer privacy laws that have or will go into effect, requiring, at a minimum, research of potential business impacts. For some clients, global expansion has been an interest, which requires heightened awareness and a deeper understanding of the roles and responsibilities of the data controller and data processor. The increased focus on privacy and data usage in loyalty programs will only continue as organizations adopt or evolve their opt-in/opt-out consent and transparency. Data security experts we have consulted have indicated an overall slow adoption of new practices and policies related to CCPA and GDPR and an overall wait-and-see attitude – an attitude Kobie does not embrace. Kobie is working proactively to ensure compliance with existing and emerging laws, including consent and transparency in our use of loyalty data.

3. Have your clients encountered any challenges implementing data privacy regulations into their loyalty strategies? If so, what are the most significant challenges you have seen?

The challenges have centered around the understanding of what needs to be changed or updated for their business, the data they collect, and the role of all handling the data. This is coupled with internal prioritization to ensure enough time and resources are available prior to regulations or laws being implemented.

4. Since the launch and introduction of data and privacy regulations in the US and Europe, what are some of the major (if any) impacts you’ve seen? For example, less frequent sign-ups, members opting out, more vocal concerns from customers – or has there not been as much impact as you may have thought?

Like many companies across many industries, GDPR and CCPA triggered some initial Data Subject Access Requests (DSARs) and deletion requests, but they were generally limited to the first few months of the new privacy regulations. While Kobie does receive some deletion requests through our clients, it has been minimal. Kobie is not aware of any lasting impacts on our clients’ loyalty programs. There have, however, been impacts to contracting templates and legal oversight. Security requirements, enhanced Privacy Policies, and Data Privacy Addendums (DPAs) have all been expanded, updated, or added as part of contract packages with Clients and Suppliers.

5. What is your recommendation for brands looking into adding a data protection officer or a privacy team, council, or committee within their organization? What roles/business units should be involved in an internal privacy team, council, or committee?

A data protection officer, while mandatory for companies collecting or processing EU resident data, is not required in the US. There is, however, a growing need for a dedicated or semi-dedicated individual to monitor and review laws, policies, and best practices. For any organization looking to add a privacy council or team, there should be representation from Legal, Technology, Security, and Operations, with a variety of roles including an Executive Sponsor. While the team or committee will collaborate on requirements or potential impacts, there needs to be a single point person to ensure the objectives of the team are outlined and met, to enable risk awareness and mitigation as it relates to data handling, laws, regulations, and consumer protection needs.