Cognism's Guide to B2B Data Compliance in 2023
Big changes are on the horizon regarding B2B data compliance. And 2023 is the year in which B2B companies need to continue to uphold high standards and provide the best possible services for their customers.
If you’re new to data compliance or you’re looking for tips to refresh your memory, we’ve got you covered.
A quick recap: what is B2B data compliance?
The General Data Protection Regulation, or GDPR, came into force in May 2018 across the whole of the EU and EEA.
The GDPR aims to:
- Give citizens more control over their personal data.
- Set out ways that companies must process and protect the data they hold about their customers.
GDPR rules around processing personal data do apply to B2B companies. But they can still carry out marketing activities such as cold calls or emails if they have a lawful basis (e.g., legitimate interest) and comply with applicable requirements.
Penalties for not adhering to the GDPR are severe, with the maximum fine being €20 million or 4% of annual worldwide turnover for the preceding year - whichever is greater.
CCPA and CPRA
The California Consumer Privacy Act, or CCPA, came into effect in the US state of California in 2018. It applies to any for-profit entity doing business in California that meets one of the following:
- Has a gross revenue greater than $25 million.
- Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes.
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
The law also applies to any entity that either:
- Controls or is controlled by a covered business.
- Shares common branding with a covered business, such as a shared name, service mark, or trademark.
In addition, parts of the CCPA apply specifically to service providers and third parties.
The CCPA is similar to the GDPR in that it requires companies to identify all personal information they hold on their customers and how they sourced that information.
It also stipulates that companies must:
- Provide and publicise unsubscribe links on company communications.
- Delete personal data if the customer demands it.
B2B marketing activity is covered by the CCPA, although B2B companies did not have to comply with some parts of the act until 2021.
The maximum penalty under the CCPA is $7,500 per violation where the violation is found to be intentional.
The CPRA (California Privacy Rights Act) is a ballot initiative that amends the CCPA. It adds extra privacy protections for consumers and establishes the California Privacy Protection Agency, a government body with powers to enforce the law.
The CPRA came into force on 1st January 2023.
Data privacy in the USA
Currently, no federal data privacy law exists in the United States.
But this could soon change if the push for greater privacy protection continues.
The American Data and Privacy Protection Act (ADPPA) could become the first federal data privacy law that protects individual privacy rights.
Several other states are joining California in creating their own privacy acts. These include:
- The Colorado Privacy Act (CPA) goes into effect on 1 July 2023. This gives residents the right to opt out of processing personal data for targeted advertising.
- The Connecticut Data Privacy Act (CDPA) goes into effect on 1 July 2023. It gives consumers choices regarding their personal data when it’s collected by companies that do business in the state.
- The Virginia Consumer Data Privacy Act (VCDPA) was enacted on 1 January 2023. It impacts non-government and government organisations that control and process personal data.
- The Utah Consumer Privacy Act (UCPA) goes into effect on 31 December 2023. This act is more business-friendly; it only impacts businesses with an annual revenue of at least $25 million.
There are currently 19 other states that have bills that offer varying levels of data protection, all at different stages of development. This is a good indicator that data privacy and compliance will be an industry that continues to grow and develop in the USA in the coming years.
Alongside the EU and USA’s rules on data protection, Brazil has added its own General Data Protection Law (LGPD).
Like the GDPR and CCPA, the LGPD restricts the use, processing, collection and storage of personal data. It applies to data gathered physically and electronically across all industries within the Brazilian economy.
To enforce these new rules, the country has created the Brazilian National Data Protection Agency.
Currently, LGPD doesn’t cover B2B marketing activity. But this could change in the future, so it’s vital to be aware and compliant.
Why is B2B data compliance more important than ever?
More and more countries have started to legislate and tighten their rules regarding data protection. So companies must be ahead of the curve when it comes to compliance.
But how do you achieve this?
Working with technology that already ensures a high standard of compliance is a great place to start! Keep reading to learn how Cognism ensures B2B data compliance.
How does Cognism ensure B2B data compliance?
Delfina Vallve is the Head of Security & Compliance at Cognism. She gave us a run-down of how Cognism adheres to GDPR compliance.
“Cognism is a GDPR-compliant B2B lead generation tool, and we ensure that we have all necessary processes and mechanisms in place to collect, process and share the data with our clients in a compliant way.”
Cognism achieves this through methods that broadly include (and are not limited to):
- Collecting limited B2B data.
- Having a lawful basis under GDPR to collect and process our data (legitimate interest).
- Conducting all relevant assessments to determine lawful bases for data collection and processing.
- Notifying our database in compliance with our transparency obligations under Article 14 of the GDPR. We inform data subjects that we have data on them, explain our processing activities and give data subjects the option to exercise any of their rights, including the option to opt-out.
- Having a streamlined opt-out process and a dedicated team that deals with Data Subject Access Requests (DSARs) in due time.
- Holding ISO 27001 and ISO 27701 certificates and being SOC 2 Type II attested.
- Screening our telephone database against Do Not Call registries in the UK (TPS and CTPS), USA, Germany, Australia, France, Sweden, Portugal, Croatia, Spain, Belgium and Canada. We’re also working to register in more DNC registries around the world.
- Reviewing our processes and mechanisms constantly to improve how we collect, store and process data.
B2B data compliance checklist
Cognism’s Head of Legal, Aksa Kalam, shares her B2B data compliance checklist.
The GDPR already puts a requirement on controllers and processors to notify individuals about how their data is collected and processed.
This has been part of the GDPR since its inception, but it came into sharp focus in 2021 after an enforcement action was taken against Experian (although the First-Tier Tribunal found in Experian’s favour during an appeal in early 2023).
Following the Experian enforcement action, and to ensure Cognism remained compliant, Cognism decided to notify its entire database.
Notification means that we inform data subjects that we hold data on them, and describe our processing activities, at the point the data is collected. This ensures that data subjects are aware of the processing and can easily exercise any of their rights.
Notifying individuals under Article 14 of the GDPR when the data is not collected directly from the individuals is key to ensuring you remain compliant. It prevents a breach of data protection laws and subsequent enforcement action by the supervisory authorities.
B2B emails only
Cognism only provides B2B emails; we do not have any B2C emails in our database.
Cognism’s customers can be reassured that the emails on our database are B2B and within the bounds of the law.
Do Not Call Lists
Do Not Call (DNC) lists consist of individuals who do not wish to be contacted for marketing purposes. Each country usually has its own national Do Not Call list and its own process under which individuals can register their telephone number so that they cannot be contacted for marketing purposes.
The UK has the TPS and CTPS lists; Cognism screens against both of these. This is important to our customers because many enforcement actions have been taken against companies calling people listed on the TPS.
Cognism also screens against the following DNC lists outside the UK: USA, Germany, France, Australia, Canada, Spain, Portugal, Belgium, Sweden, and Croatia.
We are also constantly working to register in other Do Not Call lists around the world.
How can companies ensure compliance and avoid fines?
Fines for failing to ensure compliance are now common practice, with companies such as British Airways and Clearview AI being fined €20 million (in 2019 and 2022, respectively) for non-compliance.
What should companies take into account to ensure they remain compliant? Delfina explains:
“Companies need to make sure that they comply with any applicable data privacy and/or marketing regulations that might apply to them based on their processing activities.”
“Companies need to analyse their processing activities and compliance processes to ensure that they can process their data for their intended purposes while upholding data subjects’ rights and interests.”
How does Cognism’s GDPR-compliant data help customers?
Delfina explains the benefits of choosing a GDPR-compliant data provider:
“Cognism provides its customers with GDPR-compliant data that has been lawfully collected and processed.”
“In addition, we screen our telephone database against more than ten Do Not Call registries around the world, and notify our database following GDPR requirements.”
“All of these measures give our customers the trust they need to work with us. They’re also reflected in our platform and functionalities, which makes it easy for customers to access compliant data.”
B2B data compliance is a complex topic, but here are the really important things you need to remember:
- Data privacy and protection is a growing area of legislation worldwide.
- Businesses should prepare for this by ensuring they are compliant with the current rules and standards where they do business.
- Failure to adhere to compliance laws will result in hefty fines and reputational damage.
- Companies that are behind the curve in appointing a data protection, compliance or security officer will struggle to adapt to the fast-changing privacy landscape.
The contents of this article are for the purposes of general awareness only. They do not constitute legal or professional advice. The content may have changed since this article was published. Readers should take appropriate professional advice for their own particular circumstances.