What is data protection and data privacy?
The concept of the right to privacy emerged in 1948 when the Universal Declaration of Human Rights was adopted by the UN. This states that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence”. By 1978, the first marketing email had been sent out to 400 recipients and in 1994, the first banner ad appeared on the internet. By the year 2000, many banks started offering online banking services. In 2006, Facebook was created and social media took off exponentially, becoming an integral part of our everyday lives.
Currently, 137 out of 197 countries have put some level of legislation in place to secure the protection of data and privacy. Some of the biggest names on the planet, such as Google, WhatsApp, and Facebook, have been fined for violations, with one of the biggest ever data protection fines being levied on Amazon: $877 million in 2021.
In this blog post, we’ll examine three of the major data privacy laws in the world: the GDPR, the CCPA, and the LGPD. We’ll give you a short summary of each law, what happens if you don’t comply, and how the Purple Platform can enable you to collect data from visitors to your venue compliantly.
Europe: General Data Protection Regulation (GDPR)
What is GDPR?
Perhaps the most well-known data protection law in the world, the GDPR was created by the European Union and came into effect on the 25th of May 2018. The legislation imposes legal obligations on any organization that gathers and holds data related to people in the EU and EU citizens, even if the organization itself is not EU-based.
The GDPR provides a framework for data controllers (and processors) through seven principles, which include minimizing how much data is collected and limiting the timeframes for storing data. It also imposes specific rules, such as the 72-hour reporting requirement for data breaches.
The GDPR also clearly grants rights to data subjects (individuals) with regard to the information an organization collects about them, for example, the right to be informed about the data being processed. In some circumstances, the data subject must give unambiguous consent before the data can be processed, such as opting into your marketing email list, whereas in other situations data can be processed without consent (such as life-threatening situations or on public interest grounds).
What happens if you don’t comply with the GDPR?
Fines for non-compliance are substantial. Less severe infringements could result in a fine of up to €10 million ($9.8m) or 2% of the firm’s worldwide annual revenue from the preceding financial year. For more serious infringements, including going against the principles of the right to privacy and the right to be forgotten, fines can be up to €20 million ($19.7m) or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
North America: the California Consumer Privacy Act (CCPA)
What is the CCPA?
The California Consumer Privacy Act of 2018 (CCPA) aims to give consumers more control over the data that businesses collect about them and includes new privacy rights for California consumers. These rights include the right to know what data is being collected about them, the right to delete it, the right to opt out of the sale of their personal information, and the right to non-discrimination for exercising their CCPA rights.
In order to comply with the CCPA, websites need to inform their users at the point of data collection about the personal information they collect and the purposes for which they collect it. Websites should feature a “do not sell my personal information” link so users can opt out of third-party data sales, and should a consumer request the data you hold about them, it should be provided free of charge.
What happens if you don’t comply with the CCPA?
If your business is non-compliant with the CCPA, consumers can file a private right of action, giving the business 30 days to put the violation right. The business then has to show that the “violation has been cured and no further violations will occur”. If the business fails to do this, the consumer has the right to file the right of action with the Attorney General. The Attorney General can take civil action and impose an injunction and a penalty of $2,500 per violation. If the violation is deemed intentional, this can rise to $7,500 per violation. This is considered to be per consumer, so if 1,000 of your customers were affected, your business could be fined $7.5 million!
South America: Brazil’s Lei Geral de Proteção de Dados (LGPD)
What is the LGPD?
The Lei Geral de Proteção de Dados (LGPD) came into effect in 2020 and affects any business or organization that processes the personal data of people in Brazil, regardless of whether that is where the business or organization is located.
The LGPD specifies that you can only process personal data for legitimate, specific, and clearly communicated purposes. Similar to GDPR, the LGPD principles include transparency and data minimization, in other words, tell your customers what data you are collecting, and what you will use it for, and only collect the data you need. Businesses are required to appoint a DPO (Data Protection Officer) in order to comply with the law.
What happens if you don’t comply with the LGPD?
If you fail to comply with the LGPD, you may face fines of up to 2% of your company’s annual turnover, up to a maximum of 50 million Brazilian Reais (about €8 million or $9 million). There are other corrective actions for violators, including publicizing the infringement and blocking or deleting the processing activities or personal data that caused the issue. This means the offending data controller could lose the entire associated email list, and the database related to the incident could be suspended for up to 6 months.
How the Purple Platform can help businesses collect and manage data compliantly with major data protection laws
Captive portal for visitor consent
Purple’s customizable splash pages allow for links to terms and conditions at login, as well as optional opt-in checkboxes for marketing materials and communications, or an opt-out box for personal data sales for businesses that need to comply with the CCPA.
MyData portal for complete data transparency
Through Purple’s My Data Portal, which can be found on the Purple website, data subjects can view the data that the business has collected about them through the Purple Portal, completely free of charge, and withdraw consent should they wish.
Automated WiFi marketing
If you’re collecting customer contact data through the Purple Platform and a customer opts out of marketing communications, the platform prevents you from emailing them through our automated WiFi marketing tools. Even if you have an integration from the Purple Platform to an external CRM system, you can map the opt-out status there using Purple’s built-in software, so that your CRM database is updated with this information and stays compliant.