Heads up B2B digital marketers! Legislators around the world are rushing to protect both consumers and business people from loss of privacy. The recent Adequacy decision by the European Union (EU) endorses a framework that keeps Europeans’ data private, even from government agencies. The EU-U.S. Data Privacy Framework (DPF) was created in cooperation by the U.S. and the EU and is also endorsed by two countries not part of the EU: Britain and Switzerland.
The European Court of Justice (CJEU) rejected the DPF predecessor: the EU-US Privacy Shield. That Privacy Shield had been enhanced by President Biden’s October 7, 2022 executive order and the Data Protection Review Court established by U.S. Attorney General Merrick Garland. These enhancements are included in DPF.
What does this mean for B2B digital marketers?
By self-certifying as complying with DPF, a company can safely bring data from the EU, Britain, and Switzerland without risking lawsuits and legal action. The deadline for self-certification is October 10, 2023. For many organizations this means modifying privacy policies, actions, and notices. California companies must also continue to obey the California Consumer Privacy Act (CCPA) that applies to B2B as well as B2C organizations. Organizations in the Golden State should also be aware that the California Invasion of Privacy Action (CIPA) has recently been interpreted to include data collected by chatbots.
Marketers that self-certified under Privacy Shield will need to also self-certify under DPF. Those that are new to EU certification can skip Privacy Shield and go directly to DPF.
How does DPF relate to GDPR?
Many B2B marketing organizations comply with Europe’s General Data Protection Regulations (GDPR). The DPF is not part of GDPR but rather a way that the EU expects other countries and regions to comply with GDPR Section V.
EU is not all of Europe and definitely not all of EMEA
The European Union contains 27 member countries and 19 non-member countries. While the UK and Switzerland are among the non-members, they are committed to DPF. (Scotland is part of the UK but considers itself still a member of the EU.) The UK, however, may face delays as legislation must be passed to be compliant.
Many marketing organizations divide the world into Asia-Pacific, EMEA (Europe, Middle East, and Africa), North America, and Latin America. These divisions do not map exactly to the continental boundaries. When adhering to international regulations governing data privacy and anti-spam compliance, marketers must ensure that the laws of each country and even each region, state, or province are obeyed. As examples, marketers should be aware of Canada’s CASL and Germany’s double opt-in requirement.
While this may seem onerous, penalties are high. The good news is that organizations that observe the DPF can rest assured that their data collection from the EU countries plus Britain and Switzerland is compliant, noting the possibility of delays for Britain.
Alas, the European Center for Digital Rights (NOYB) may hinder this progress
NOYB is challenging DPF on various grounds. The organization claims that there is little improvement over Privacy Shield, which it also challenged. Among other objections, NOYB cites the fact that these agreements allow for bulk actions by data importers and finds the appeals processes lacking in strength.
Observing International Privacy and Anti-Spam Regulations can have positive effects
While avoiding legal penalties and lawsuits is the stick that causes B2B marketing organizations to observe relevant international regulations, many compliant companies find that these actions bring positive effects including acquiring and retaining customers and employees. People want to work with and for organizations that care about the concerns of individuals. Costs can also be lowered because many tools in the marketing stack are priced based on the size of the prospect database. Internal data quality controls depend on both the number of records and the number of fields in the database. So there is benefit in removing fields that privacy regulations disallow and removing records of people who are not true marketing targets.
RightWave is publishing this information as a courtesy to B2B marketing organizations. RightWave is not a law firm and is not offering legal advice. Readers should consult with a qualified legal professional to determine the correct course of action for their organizations.
For B2B Marketing organizations, RightWave provides a variety of services including managing Marketing Automation (MA) systems including Eloqua, HubSpot, Marketo, Pardot, and others as well as the Salesforce CRM, database quality governance, analytics, and more. RightWave can help implement subscription/permission management programs in customers’ MA systems. Readers can contact RightWave for more information.
- Swarz, Bruce. “Adequacy decision for the EU-US Data Privacy Framework”, European Commission. July 10, 2023
- Del Sesto, Jr., Ronald W.; Spies, Axel; and Guo, JiaZhen. “How to Comply with the new EU-US Data Privacy Framework”, Morgan Lewis. July 24, 2023
- Mole, Ariane; Boardman, Ruth; Morrison, Robbie. “Third times a charm? The new EU-US Data Privacy Framework”, Bird & Bird. July 12, 2023
- Office of Privacy and Civil Liberties. “Redress in the Data Protection Review Court”, U.S. Department of Justice. Updated July 30, 2023
- Briefing Room. “President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework”, The White House. October 7, 2022
- No cited author. “New Trans-Atlantic Data Privacy Framework largely a copy of ‘Privacy Shield’. noyb will challenge the decision”, NOYB. Published between July 10 and August 25, 2023
- No cited author. “Will the EU-U.S. Data Privacy Framework (EU-U.S. DPF) serve as a data transfer mechanism under the EU General Data Protection Regulation (GDPR)?” Data Privacy Framework Program. Published between July 10 and August 25, 2023.