
How a CDP Helps Businesses Comply with Data Privacy Regulations

February 3, 2023 7 minute read
As public sentiment and legislation supporting data privacy rise, organizations turn to customer data platforms for help

Up to $11 million or 2% of a company’s yearly revenue (whichever is greater) is how much an organization can lose if it violates the European Union’s General Data Protection Regulation (GDPR).

And that’s a lower-tier fine. More serious violations can accrue fines of up to $22 million or 4% of a company’s yearly revenue (again, whichever is greater). In 2022 alone, for instance, the European Union levied a record €2.92 billion in penalties.

The United States has also begun imposing fines for violations of its data privacy protections. The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), for instance, levy fines of $2,500 on the low end, while the Colorado Privacy Act (CPA) can levy a fine of up to $20,000. The Virginia Consumer Data Protection Act (VCDPA), on the other hand, falls somewhere in the middle; the regulation can levy a fine of up to $7,500.

The figures may not seem alarming (particularly for multinational companies with head-turning profits), but remember: They’re per violation. Sephora offers a cautionary tale: In September 2022, the beauty retailer was hit with a fine of $1.2 million in the first settlement under the CCPA. (The CPRA, like the VCDPA, didn’t go into effect until Jan. 1, 2023. The CPA will go into effect on July 1, 2023.)

Naturally, no organization survives unless it’s financially solvent, so complying with data privacy regulations is a must for businesses today. We’ll look at other reasons why compliance matters, why getting it right is a headache, and why organizations are looking to customer data platforms (CDPs) as a solution.

Why compliance with data privacy laws matters

Besides avoiding financial penalties, there are at least three more reasons to comply with data privacy legislation.

  • Lower reputational risk. The link between a brand’s reputation and its revenue is well-known but always startling when paired with cash value. For example, in 2018, the Accenture Strategy Competitive Agility Index found that 54% of companies that participated in the study and experienced a material drop in trust lost out on $180 billion in revenue. More recently, Bob Dutile, Chief Commercial Officer at IT-solutions company UST, estimated that a data breach of about 250,000 records would cost a midsize company $8 million to $10 million, with roughly one-third of that amount attributable to lost revenue due to brand damage. Given those statistics, it’s no wonder that organizations are so keen to lower their reputational risk.
     
  • Consumer trust. Data breaches, the misuse of personal data (Cambridge Analytica, anyone?), and tactics like retargeting (characterized by some as “creepy”) all raise consumer distrust. And organizations that see a decline in customer trust lose 30% of their value in the short term, according to the Economist. Conversely, trusted businesses outperform competitors by up to 400% in terms of total market value. It literally pays to preserve customer trust.
     
  • Alignment with public sentiment. Today’s markets place a high emphasis on “disruption,” but the concept doesn’t carry over to data privacy, an area where public (and regulatory) concern has held steady. In 2019, for instance, the U.S. National Telecommunications and Information Administration found that 73% of Internet-using households had major concerns about digital privacy and security. And, since the passage of the GDPR in 2018, public awareness of the law has doubled in all European markets, according to a 2022 report from Acxiom and the Global Data and Marketing Alliance. These concerns and awareness have likely contributed to the ongoing rollout of data-protection legislation worldwide, such as Thailand’s Personal Data Protection Act, Brazil’s General Data Protection Law, and South Africa’s Protection of Personal Information Act. The trend isn’t likely to end soon, so compliance will continue to be a requirement for more and more organizations globally.

Compliance challenges and data privacy

As convincing (and legally binding) as data privacy concerns may be, the 2022 Acquia Consumer Experience (CX) Report found that a surprising 39% of marketers surveyed claimed that their organizations only implement customer-data privacy policies “to some extent.” While that response may ring alarm bells among privacy advocates, it could also signal what we regularly hear from customers: how challenging it is to meet today’s data-privacy standards.

The “golden record” dilemma

The fault lies partly in the remarkable growth of technologies that allow organizations to compile seemingly infinite amounts of data about customers. Companies today can gather information from sources as diverse as social media, mobile apps, e-newsletter subscriptions, SMS responses, website traffic, in-store and online purchases, and on and on. Ingesting this data to produce a so-called “golden record” — a single record that unifies all your data for a particular customer — leads to the second obstacle facing organizations: dirty data.

The problem with dirty data

Data that’s deficient, poorly secured, outdated, conflicting, or incorrect is labeled “dirty.” It comes about when phone numbers are transposed, fields are left blank, existing customers enter different email addresses, or any host of human errors. If left unaddressed, this dirty data can cause personalization efforts to go awry, organizations to make business decisions based on bad intel, and sales numbers to look better or worse than they really are.

Fuhgeddaboudit (if you can)

Dirty data can also make the “right to be forgotten” stipulation in data privacy regulations difficult to meet. Also called the “right to erasure,” the legislation — first introduced in the GDPR and mimicked by countries such as Argentina and the Philippines — obligates organizations to delete someone’s personal information from online searches and other directories if requested. 

So, if a customer or prospect reaches out to a company to have their personally identifiable information (PII) scrubbed, organizations must honor that request. Doing so often requires businesses to go into each of their systems to remove the data piece by piece, a time-consuming process.

How CDPs can help organizations with data privacy protections

A customer data platform excels at overcoming all those challenges. The enterprise software collects data from various channels and systems, pulling in zero-, first-, and third-party data to produce the longed-for “golden record.”

It’s partly golden due to identity resolution technology, which polishes dirty data through a four-step configurable process that standardizes the data, validates and stitches it, and (of course) deduplicates it. The result? A unified, trustworthy record.

And for individuals who ask to be forgotten, that single record acts as a map for brands, helping them identify the upstream (like a CRM or order management platform) and downstream systems (such as email providers) flowing into the CDP. The platform won’t delete anything in the source or upstream systems, a responsibility that sits with the company. But a CDP will offer a more efficient (read: time-saving) method for businesses to identify the source systems where the requested customer data should be deleted.

For example, with a product like Acquia CDP, its identity resolution engine (IRE) uses non-destructive deduping and keeps parent and child records intact even when a deletion request comes in. Acquia CDP also allows clients to permanently delete data from the system so that they remain compliant. So, analysis can be performed on aggregated customer data, and if desired, machine learning can be trained on unified customer data. The data stays accurate even with the data of the individual removed.

A CDP to call your own

The advantages that a CDP offers organizations are clear, which is why more and more businesses are incorporating them into their tech stacks. The number of vendors who offer them is also growing, but they don’t all provide the capabilities described here and some aren’t even proper CDPs. Be sure to find a partner that’s been certified by the CDP Institute and review our detailed guide of the considerations to keep in mind as you hunt for a CDP to call your own.

We also invite you to explore Acquia CDP and would be more than happy to answer questions. Don’t hesitate to reach out.
