A Direct to Consumer (DTC) roadmap is built on feedback, and that feedback often comes in the form of first-party customer data. The goal is to gauge where your consumers’ interests lie outside of your product and build a roadmap that guides your company toward new categories. With customer information so readily available, it’s easy to grab it and go, but there is one step in the roadmap that cannot be skipped.
Personal Data Protection
You have to be mindful when it comes to personal data, and each region of the world takes a different approach. In the EU, the General Data Protection Regulation (GDPR) was implemented into EU law in 2016. The GDPR governs data protection and privacy within the EU, as well as the transfer of personal data outside the EU.
In the United States, there is no single legal regulation for personal data protection. So, when working personal data protection into your DTC roadmap, keep these three things in mind:
1. Data protection and data security are not the same thing.
While you need both to remain compliant, data protection and data security are different. Data security concerns protecting the company’s data as a whole, including employee data, at the organizational scale. Data protection focuses on the personal data of each individual connected to the company, employees and consumers alike, and upholds the individual’s right to know that their data is being collected and stored lawfully.
2. Personal data protection looks different in each state.
The Federal Trade Commission Act (15 USC § 41 et seq.) is the closest thing the US has to the GDPR. While personal data protection isn’t its main purpose, the FTC uses its consumer-protection authority as a way of enforcing fair trade, stopping companies from doing things like producing misleading advertising or publishing inaccurate privacy policies.
Depending on where in the US your company operates, there may be other data privacy laws you need to be aware of. Within the past two years, both California and New York have enacted their own data privacy regulations: the California Consumer Privacy Act (CCPA) and New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act.
3. Consequences of non-compliance are serious.
The consequences for a business with no personal data protection in place vary. If you do any business within the EU and are in violation of the GDPR, you may find yourself subject to a massive lawsuit and fines of up to one million euros. Violating the United States’ Federal Trade Commission Act will also land you with lawsuits and fines, albeit on a smaller scale.
Money aside, failure to comply with personal data protection laws will hurt your credibility as a company, which is a bigger loss than a one-time fine. A loss of credibility can mean losing your customers’ trust, thereby threatening the viability of your company. At the end of the day, consumers want to give their business to companies they can trust and respect. Personal data protection is a way of showing that your company respects its consumers, creating a loyal bond that will pave the path to success in your DTC roadmap.
Need help getting started? HRO Resources can guide you to the right cybersecurity resources and insurance coverage to protect your data and your business.