New Data and Privacy Regulations in the U.S. Will Impact Brands — Are They Ready?

As governments enact new data privacy laws and set forth regulations to protect consumers, some brands remain unprepared to meet the new requirements — unsure of what they must do to remain compliant and where to begin. With challenges spanning internal questions about data previously collected, how to continue interactions under the new regulations, and who within the organization should own the responsibility, it is no surprise that many brands have yet to form a cohesive strategy to adhere to and thrive under the laws that have been enacted and the ones to come.  

Additionally, even brands headquartered in the U.S. that sell to European customers can be subject to international regulations. It isn’t enough to know the privacy laws in their own backyards; those brands need to understand what might affect how they interact with customers abroad. 

Loyalty360 spoke with supplier members and customer loyalty strategy experts about how new data and privacy regulations in the U.S. impact the way brands can gather and leverage customer data, how some organizations may face challenges with the location, nature, and classification of the data previously collected, and how to establish the right roles and teams to monitor privacy laws and ensure that the organization remains compliant.

Article contributors:  

  • Wanda Kauffman, Director, Technology Solutions and Privacy Lead, CIPM (IAPP), The Lacek Group  

  • Chris Mills, CRO at Talon.One 

  • Cassie Preston, Director of Client Services and CRM, Baesman 

  • Christopher Sandstrom, Director of Strategy and Growth, Comarch 

  • Greg Sbardella, Senior Director of Customer Success, Enterprise, Jebbit  

  • Nicolle Schreiber, VP of Vendor Management, Data Privacy, Security and Compliance, Kobie 

New Regulations Make a Big Impact 

As new data and privacy regulations in the U.S. impact how brands can gather and leverage customer data, companies and marketers must work to develop a clear understanding of these regulations, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). These new regulations can significantly affect customer loyalty strategies, and brands need to thoroughly evaluate their readiness to operate in this new normal of data collection. 

“Brands and marketers understand that consumer loyalty is vital to a brand,” says Lacek’s Kauffman. “Data security and consumer privacy are critical to every successful consumer loyalty solution. Privacy laws and regulations reflect the value individuals place on their personal data and online privacy.”  

Kauffman goes on to explain that trust in a brand is what dictates whether individuals are willing to engage with a brand and share their personal data. The cost of violating privacy regulations goes beyond the financial to brand reputation and loss of loyalty.

Kobie’s Schreiber sees data and privacy regulations as an ever-changing landscape for both domestic and international companies. This means brands and marketers often struggle with ensuring they are up to date with laws and regulations.  

“Many of the larger marketers have data privacy individuals on staff or consultants on retainer to provide oversight and ensure compliance,” says Schreiber. “Unfortunately, many medium and small companies do not have these types of resources and must rely on trade journals or best practice whitepapers to guide their strategies.” 

As brands shift to first-party data collection practices and seek to be compliant, the challenge to engage new customers has grown in a competitive landscape. As a result, some customer loyalty professionals have directed efforts to elevate relationships with existing customers.   

“The new regulations put a spotlight on the importance of capturing first-party data to help power marketing strategies and drive personalization,” says Jebbit’s Sbardella. “With these new regulations, it’s becoming increasingly harder to acquire new customers. Companies are looking ‘inward’ at their current customer base and driving the most value from that cohort — which is creating more focus on loyalty.”  

Forced To Act 

The focus on privacy and privacy regulations in the last 12 to 18 months has forced brands to act, providing more ways for consumers to control how their data is used. Technology companies can be leveraged to provide ways for consumers to indicate their preferences surrounding personal data to help brands stay compliant. However, domestic and international regulations differ and provide a challenge for some brands to correctly interpret. Getting a clear vision of the role(s) of the data controller and data processor is crucial. 

Baesman’s Preston has observed that states like Colorado, Connecticut, Utah, and Virginia have followed California’s lead and have begun enforcing rules and regulations modeled after European GDPR regulations. At least another 10 states have introduced legislation to strengthen privacy laws. This is in sharp contrast to how the U.S. has historically allowed brands to collect personal information without express consent.  

“Fundamentally, the environment has always focused on consumer data protection, but more than ever in the last 12-18 months, regulators have suggested changes that put privacy regulations in the hands of the consumer,” explains Preston. “Technology providers have accepted the challenge and produced a multitude of ways for consumers to manage their preferences as it relates to how their data is used and shared. This means that privacy elections when browsing for new shoes, or opening an email from your favorite brand, have come into the forefront of the consumer experience.”

As domestic regulations and laws have continued to evolve, Kobie has witnessed a heightened concern with clients. Schreiber stresses that, at a minimum, research on potential business impacts needs to be conducted as a result of the 2023 consumer privacy laws that have or will go into effect. Brands interested in global expansion must gain a heightened awareness of and a deeper understanding of the roles and responsibilities of the data controller and data processor. 

“The increased focus on privacy and data usage in loyalty programs will only continue as organizations adopt or evolve their opt-in/opt-out consent and transparency,” says Schreiber. “Data security experts we have consulted have indicated an overall slow adoption of new practices and policies related to CCPA and GDPR as well as a general ‘wait-and-see attitude’ — an attitude Kobie does not embrace. We are working proactively to ensure compliance with existing and emerging laws including consent and transparency in our use of loyalty data.”  

From his perspective, Sbardella doesn’t believe marketing strategies have been significantly affected yet but notes a much bigger importance being placed on capturing first-party data. He elaborates, “Within that, there are two phases of being more data-focused. One is a state of ‘I know I need to capture first-party data and enrich my database,’ and the other is ‘I need to capture and activate first-party data’ — which is the more mature side of the coin.”   

With the upcoming deprecation of cookies, Talon.One’s Mills is seeing more and more clients focusing on building out their zero- and first-party data strategy. Loyalty programs, in particular, are a great source of Recency, Frequency, and Monetary (RFM) data — some of these data points include, for example, Segment, Relationship Type, Spending Attitude, Total Online Amount, or Subchannel Preference. Brands can also integrate customer preference forms on sign-up or use gamified elements like quizzes and polls to further boost their user data.   

“JCPenney has a great approach to building out its zero-party data,” shares Mills. “The retailer uses online quizzes to better understand users’ lifestyle preferences and shopping habits and this supplements existing transactional data. It’s a win-win situation for customers, too, as those who participate in the quizzes gain loyalty points which they can put toward a future purchase.” 

No Easy Feat 

Some brands have faced significant challenges as they navigate the new laws and data privacy regulations. The protection of consumers’ personal data is critical, but as Kauffman explains, some organizations may lack awareness of the location, nature, and classification of the data they’ve collected previously. Furthermore, some businesses may view data privacy as a component of their IT security or disaster recovery plan.  

“Because data privacy touches so many areas of the business, it is imperative that data privacy is embedded more broadly within the organization and included within data strategy and corporate training programs,” Kauffman says. “Ensure your marketing teams are consulting with your privacy experts when doing business with initiatives involving personal data. Some requirements within the regulations have a certain amount of ambiguity creating uncertainty about how to develop compliant processes.”   

For Schreiber, the challenges brands face center on understanding what needs to be changed or updated for their business, the data they collect, and the role of everyone handling the data. This is coupled with internal prioritization to ensure enough time and resources are available before regulations or laws are implemented.

Preston echoes the challenges of leveraging internal resources to implement required changes. She highlights how consumer messaging and actions requested are often influenced by new privacy regulations. Consumers must elect what they want to share with any given brand and how that data is used. This ultimately translates to interjections into the shopping experience — whether it’s a simple disclaimer on an email, or an ecommerce website popup modal asking consumers to allow cookie tracking.  

“Implementing these changes often requires IT support and other internal partners,” says Preston. “Legal requirements and regulation deadlines can help brands get these types of adjustments prioritized within their business, but it can be difficult to get on ever-growing IT roadmaps. At the end of the day, it’s important that consumers get what they need and want to manage their privacy settings with a brand, but it shouldn’t impact shopping experiences.” 

Here, There, Everywhere 

Since the launch and introduction of data and privacy regulations in the U.S. and Europe, some major impacts on customer loyalty programs have been felt — or will be soon.  

For Talon.One and its clients, all eyes have recently been on the implementation of the EU Omnibus Directive — a little-known law that’s having a huge impact on promotions and pricing history.  

“In a nutshell, the law is designed to prevent businesses from artificially inflating an item’s original price and misleading consumers on how much a product is discounted,” explains Mills. “Any announcement of a price reduction must now also indicate the lowest prior price from the last 30 days, such as using a cross out or strikethrough on the previous price.”  

The Directive has a widespread impact because it focuses on protecting the rights of EU consumers and that means all businesses — regardless of where they are headquartered — need to follow and apply the Directive if they are targeting EU consumers for their sales.  

Mills continues. “For retailers, the Directive introduces added complexity when managing their promotions — from increased documentation needed to track historical pricing information to UI updates across product pages to make sure prices are accurately displayed. Keeping a record of pricing history is of paramount importance, so you can both correctly display the lowest prior prices and retain them on hand in case of any dispute. This requires considerable documentation and even, potentially, re-configuration of your data warehouse to retain historical SKU-level pricing data.”   

Savvy consumers are aware of at least some of the changes the new regulations require of brands. Ensuring good stewardship of their data can be challenging for some brands to convey.    

Kauffman affirms that it isn’t just businesses and regulators that are paying attention to data privacy. Consumers are increasingly aware of their rights regarding their data, and they are paying attention to ways in which the brands they engage with are responding to data privacy and management of their data.  

“Consumers are more willing to use their purchasing power on brands that manage consumer data responsibly,” says Kauffman. “Studies show that consumers say they would not do business with a company that used or shared their data without their permission.”   

Sbardella recognizes the shift in the power dynamic from the brand to the consumer. “The consumer is now in control of the messages/marketing he/she receives so brands have to accommodate that power shift. This stresses the importance of having first-person data on consumers so brands can drive efficiencies within their marketing spend but also be more personalized in their messages — which is a consumer expectation at this point.” 

Comarch’s Sandstrom has been watching the impact of the data and privacy regulations closely. He reports that, surprisingly, prioritizing data privacy and transparent communication has strengthened customer loyalty, outweighing initial concerns about sign-up rates and opt-outs.  

“For example, a major retail client in the loyalty technology industry saw a pretty radical increase, about 25%, in sign-up rates by implementing a privacy-centric approach and offering customers more control over their data,” says Sandstrom. “Embracing responsible data stewardship has become a catalyst for loyalty and sustainable business growth, fostering deeper trust and enhanced customer experiences.” 

Who Will Take Responsibility for Consumer Data Compliance? 

Some brands would do well to consider adding a new role/team for their organization that would oversee the collection, storage, and use of consumer data. Whether it’s a data protection officer or a privacy team, council, or committee, brands must act. If a brand looks inward, it must thoroughly evaluate which roles/business units should be involved in an internal privacy team, council, or committee. 

Preston believes it’s good practice to have a resident expert on privacy laws. “Similar to how brand marketers function today, pulling together a group of individuals across the organization to be aware of and act in the best interest of their customer can keep the brand compliant with privacy law, and overall help that brand to create meaningful customer relationships.” 

Schreiber points out that a data protection officer, while mandatory for companies collecting or processing EU resident data, is not required in the U.S. However, there is a growing need for a dedicated or semi-dedicated individual to monitor and review laws, policies, and best practices.

“For any organization looking to add a privacy council or team, there should be representation from Legal, Technology, Security, and Operations with a variety of roles including an Executive Sponsor,” says Schreiber. “While the team or committee will collaborate on requirements or potential impacts, there needs to be a single point person to ensure objectives of the team are outlined and met to enable risk awareness and mitigation as it relates to data handling, laws, regulations, and consumer protection needs.”  

Kauffman agrees that building a strong privacy program starts with establishing the appropriate governance of the program that serves as a guide to enable compliance with privacy laws to support the organization’s business goals. Elements of a comprehensive privacy program include a privacy mission statement, defined program scope, selecting an appropriate privacy framework, developing an organizational privacy strategy, and structuring the privacy team.  

“While there is no standard organization structure for privacy, it isn’t uncommon for the privacy function to exist within legal, regulatory compliance, privacy and data protection, information security, corporate ethics, information technology, or other areas of the business,” finishes Kauffman. “Things to consider when determining how to position data privacy within an organization include evaluating what areas have a strong influence on the business, if there is a global scope, where the initiatives can be adequately funded, and where privacy is most supported.” 
