Almost exactly one year ago, Benoit Grouchko, co-founder and CEO of Paris-based Teemo, a technology company that specializes in location data, opened a letter from French regulators that shook him to his core: Teemo had just become the first company to get busted under the European Union’s General Data Protection Regulation, or GDPR.
“It was by far the hardest time in our company because it was such an intense crisis,” Grouchko says. “We were very thoughtful about our strategy in becoming GDPR compliant. We worked with lawyers and we wanted to make sure we had done everything the right way.”
Obviously, that wasn’t the case.
Roughly two months later, however, Teemo became the first company to meet GDPR compliance. It has since expanded its operations to the U.S., where regulation is imminent. California’s Consumer Privacy Act, for instance, goes into effect on January 1 and affects any company that does business in the Golden State. Meanwhile, lawmakers from both sides of the aisle agree that something must be done regarding consumer-data privacy.
Although U.S. regulation is looming, many companies aren’t sure where to start. “With GDPR, companies had two years to get ahead of it, but they left it to the last minute,” Grouchko says. “They weren’t shortsighted and I don’t think anyone is to blame.”
Companies instead were unsure how to navigate uncharted GDPR waters, Grouchko says. “The privacy-by-design mindset is all so new that companies didn’t know where to start,” he says. “We’re now seeing the same thing in the U.S.”
Teemo’s status as the first company to get busted and the first to become GDPR compliant has led many U.S. advertisers and agencies to reach out and ask where to start. To that end, Grouchko shares some best practices for U.S. companies that don’t know where to begin.
A different mindset
“Think privacy whenever you design anything,” Grouchko says of the best practices companies can start executing now. “If you’re building a product, start asking how data is being used and how to tackle that from a privacy standpoint.”
Teemo captures location data from third-party apps, but French regulators said people who downloaded those apps had to specifically consent to Teemo using their location data. In a nutshell, Teemo’s solution was simple: opting in should be just as easy as opting out.
It’s no secret that most U.S. ad companies are sitting on mountains of data, but they’re not necessarily using all of it. “Make sure you collect as little data as possible, or just what you need,” Grouchko says. “If you don’t need it, trash it.”
Company CEOs should also make privacy a priority and designate someone internally to keep tabs on what needs to be done so someone can be held accountable should things go south, Grouchko says. “There needs to be a 360-degree owner internally,” he says, adding that this person can be someone who eats and sleeps regulation or someone who just keeps tabs on it, like a chief product officer. Educating the entire company about the importance of privacy regulation is also critical.
Avoid a wait-and-see approach
In the U.S., California’s privacy act (CCPA) is still being fleshed out, and trade bodies such as the IAB and ANA are pushing lawmakers to adopt a federal framework that would apply to all states. With so much still unknown, some might feel it would be best to see how things shake out before getting started, which is a terrible idea, Grouchko says.
At the very least, companies should go through their data, get rid of what they are not using, and provide some transparency for their users. “You want to have started this stuff a while ago,” he says. “You don’t want to wait for that. Whatever CCPA turns out to be, we’re going to be ready.”
In the end, Grouchko says hefty fines shouldn’t be the primary fear among companies. “With GDPR, the fine would have been significant, sure, but once you get branded as not being GDPR compliant, no company is going to want to work with you,” he says.