Wiland Blog

Thirteen new state data privacy laws have come into effect in 2023 or will be in force over the next three years. This patchwork of new state laws has proved challenging for marketers as brands and nonprofit organizations work to ensure compliance while still running effective direct marketing campaigns.

One of the specific challenges that has arisen is the evolving definition of “sensitive data” in these new state laws. There are many types of data that are already widely accepted as sensitive and subject to protection under existing laws. All thirteen of these new state privacy laws have expanded what data must be treated as “sensitive,” and included several specific requirements governing how organizations can use it. Some of the types of data that have newly qualified as sensitive in certain states have traditionally been used by marketers for a number of ethical direct marketing purposes that benefit the marketer and consumers. In this blog post, we’ll dive into how the definition of sensitive data has evolved, the state of sensitive data rights today, and how marketers can navigate new sensitive data protections.

What is Sensitive Data? An Evolving Definition

Individuals often have differing personal opinions about what types of data they consider sensitive. From a legal perspective, there is a standard set of data types that are consistently protected by state data breach reporting laws, including health diagnoses, financial account information, social security numbers, and driver’s license numbers. Current laws in all fifty states acknowledge that this information is nearly always sensitive, as exposure creates risks to consumers of identity theft, financial harm, or publication of information considered very private by nearly all individuals. These laws require that consumers be notified of data breaches if such data is misappropriated or exposed.

For other types of personal data, whether a consumer considers a type of data sensitive often depends on how the data will be used. For example, a consumer might feel that age, race, religion, or ethnicity should be considered sensitive if used to make decisions about access to key goods and services like housing, employment, or credit, due to the risk of unfair discrimination. Recognizing this risk, state and federal laws such as those governing equal access to credit, housing, and employment already prohibit the use of demographic information such as this for these types of decisions.

Until recently, demographic data has not been subject to stricter protections when used for most marketing and fundraising, at least in part because the risk of unfair discrimination is much lower for that type of use. However, this is changing under new state data privacy laws.

Ethical Data Use Cases in Marketing

There are many ways that marketers use demographic information in an affirmative manner to tailor advertising so that people receive relevant offers and information. For instance, a nonprofit may be seeking to reach people within a particular religious or ethnic group with a uniquely relevant appeal. A brand may be seeking to build a more inclusive, diverse customer base, perhaps by marketing to underserved ethnicities or communities. A brand may be trying to reach people with offers for specific products or services that would benefit them based on their primary language. These are legitimate, beneficial forms of tailored advertising that help organizations further their outreach and help people stay informed about the products, services, and charitable missions about which they’re likely to care.

The trouble with some new state data privacy laws qualifying these demographic data types as sensitive is that it will be more challenging for marketers and fundraisers to run these types of beneficial programs. In all thirteen new state consumer privacy laws, data that is considered sensitive is subject to new protections. In four of the states (California, Florida, Iowa, and Utah), individuals have a right to opt out of many kinds of sensitive data uses. In the other nine states (Colorado, Connecticut, Delaware, Indiana, Montana, Oregon, Tennessee, Texas, and Virginia), marketers must have opt-in consent to use or store this data in any way.

How Marketers and Fundraisers Can Respond to New Sensitive Data Regulations

There are a number of actions that marketers and fundraisers should take in response to new state laws’ evolving definitions of sensitive data and the new protections and requirements. These include:

1. Understand whether you currently use any newly defined sensitive data types.
   Engage a cross-functional team that includes legal advisors, marketing, and information technology to perform data mapping or data inventory. Ensure that this audit is inclusive of all of your marketing data repositories, such as customer or donor information systems, order processing systems, marketing automation systems, and website-related systems.
2. Determine how you currently use this data or if you have plans to use it in the future.
   Interview your cross-functional team, including whomever is in charge of your prospect marketing and your marketing diversity and inclusion efforts. Understand how your prospect, customer, or donor outreach would be impacted if you no longer had these types of demographic information in certain states. How would it impact your ability to evaluate marketing strategy? How would it impact your diversity, equity, and inclusion efforts?
3. Determine your compliance approach.
   Some marketers are choosing to eliminate the use of these types of data for individuals they believe reside in the states that now require opt-in consent. Others are seeking consent from customers or donors to use this information through a friendly, direct communication. Opt-in consent is a high bar under new state data privacy laws, so be sure that your chosen methods meet all the necessary criteria.
4. Ensure that consumer-facing documents and systems comply with the new laws.
   We call this “painting the front door.” Review your website privacy policy, terms of use, and other documents and standard communications to ensure that they comply, as some new laws require you to have a public description, by category, of any sensitive data you process and how you use and share it. Some of these laws also require that you establish one or more public-facing points of contact to which consumers can submit concerns, exercise their data rights, request copies of their information, and appeal decisions you make. These external-facing disclosures are critical because they are often an easy way for consumers and regulators to be able to tell who has thoughtfully prepared for these new state laws and who has not.
5. If these new state laws negatively impact your organization, get involved.
   As more states have adopted the opt-in approach for using newly defined sensitive data types, many organizations are finding that that the impacts are greater than they had originally assumed. There are many industry groups such as the Association of National Advertisers, the Interactive Advertising Bureau, and The Nonprofit Alliance, that are actively working with legislators to explain why demographic data should not be so severely restricted for marketers. The more real, operational impacts that these organizations can demonstrate to legislators and regulators, the better.

Understanding the inherent needs of consumers has always been at the heart of responsible marketing. Laws that don’t reflect this understanding risk doing harm to ethical marketers, organizations, and the individuals and communities they serve. By more carefully considering the issue of what is “sensitive” and in what circumstances, it is possible to ensure that consumer privacy is protected while legitimate, mutually beneficial advertising is allowed.