
Get Ahead of Data Privacy Legislation

Data privacy laws are quickly unfolding—and they are moving targets. We know a little, not a lot, but every bit of insight can make a difference when planning for what’s to come. Let’s explore what we can expect, what’s safe to speculate and, most importantly, what we can do to prepare for the fast-evolving future.


A provision in the California Consumer Privacy Act (CCPA) classifies companies as either data sellers or not. If you share data with any other company, you may be considered a data seller—and sellers have more liability. If you are selling an individual’s data, you must notify them so that they may opt out. You must also notify them once you’ve sold the data. Right now, these measures are not enforced, but they will likely be in the future. This means now is the time to get ready.

What to expect:

The future may include a centralized Digital Privacy Agency, or some similar enforcement entity that audits how businesses share data and gain consent to share data. But we don’t know exactly what enforcement will look like.

What to do:

Since we don’t know the specifics of enforcement regulations yet, it’s best to have a flexible means for centralizing data and giving data access to regulatory bodies. Adopting an API management system is an easy way to govern and manage your data, as well as generate metadata to easily audit. If an enforcement entity is established in the future, that will put you in a strong position and make it easy to grant access for subsequent auditing (rather than sending files or having to ship hardware).

Data comes from multiple sources and is consumed by multiple end users and systems. An API or microservices-based system can string these sources together and create a meta dataset that reveals how that data has been accessed: when it was given and to whom. Plus, your data scientists will thank you.


API gateways can help address the data silo problem, but they don’t solve the cause. Many companies have embarked on a journey to the cloud to unify data sets and break down silos. This move can decrease your natural liabilities by leaving fewer overall pockets of data that you potentially have to manage. Penalties in some laws are per infraction, meaning that data silos can be risky in and of themselves.

What to expect:

Future data privacy laws will be most concerned with data that describes a data “subject” (that is, a person) and with knowing where that data resides within your business. Businesses will need to have a centralized area on the cloud where all customer data is matched together against a single digital identity so that its source, location and access logs are known.

What to do:

It’s easier to desilo data than to desilo teams of people across an enterprise. A customer data platform (CDP) brings together customer data from across the business and allows people enterprise-wide to access it. This is as much an organizational challenge as it is a technological one. Cultural silos need to be bridged, and momentum needs to be built.

Caution! We work with many entities that call themselves CDPs—but not all are the same. A software-as-a-service CDP will help you make sure that people in your organization who don’t know SQL or Python can still interact with one source of truth. However, we recommend embracing a hybrid model that uses SaaS to buy the functionality you need, and the cloud to cover the gamut of what you need beyond that. Take our CDP readiness assessment to find out what’s right for you.


CCPA, GDPR and other data privacy laws aren’t initially targeting your business per se (they are focusing on the big platforms that have a lot of customer data), but that doesn’t make you immune. They might be written for big tech, but they apply to everyone. Most data privacy violations carry liability per violation. Compounding the data silo problem, this means violations that apply to the same data set can stack up.

What to expect:

Because the large digital platforms you have relied on to get data are the targets, they are (probably) going to adapt to privacy laws sooner than you do. As such, what data they share with you may change, where the data lies may change, and the fidelity and accuracy of that data may change. These platforms are creating offerings that are only available in the cloud to protect themselves from liability, without compromising their partners’ (that’s you) ability to get value from their platforms. If you are still on SaaS alone, it will be more difficult to catch up when these offerings become the market standard.

What to do:

Adopting the cloud starts with applications and moves to infrastructure, not the other way around. The good news is that it’s much easier to make this move today than it was in 2010. The cloud can position your business to adapt to data privacy laws and policies—and it will save you years of change management if done properly. It’s a smart idea to make sure you are part of your organization’s conversation about the cloud. Enable those leading the journey to understand your interests and requirements when it comes to what data you need.

The future is brighter than you think

All of this talk about data privacy may be confusing, and it often sounds bleak, but it is a turn toward the right side of history. Data privacy legislation gives you a new reason to change your organization to be more customer-centric. Brands that are using data privacy to become trusted by younger generations are more likely to capitalize on the digital consumer of tomorrow. 

Be among those that view the changes as an opportunity to modernize your company to become the platform that represents the voice of the customer. Being open to change and preparing for an uncertain future will drive your business forward and impress your clients along the way. 

Max Kirby
Director of Digital Identity