The L+C Blog

Data Driven: What Your Agency Needs To Know About Data Protection Obligations

Your marketing agency is increasingly required to collect, process, and analyze large amounts of data to run successful campaigns or achieve its clients’ business goals.

It’s a complex responsibility. And if the complexity isn’t challenging enough, managing all of this data has legal implications for your agency too. How do you get a handle on it all?

First, what do we mean by data protection?

The concept of data protection generally refers to the two distinct, but related, considerations of “data privacy” and “data security.”

Data privacy generally involves laws and regulations that govern:  (1) the collection of consumers’ personal information by organizations, and how that data is handled, and (2) the rights consumers have to control their information once it’s been collected.  These rules can be enforced by government agencies or by affected consumers, depending on the specific law, and the consequences for violating them can be serious, including heavy fines, legal defense costs, and reputational harm to the brand.

Data security involves the technical safeguards and measures organizations implement to secure and prevent unauthorized access to their information, including consumer data, such as implementing and maintaining appropriate network security and access controls protocols.  Data security also involves the type and quality of response an organization will make to a data breach or cyber-attack.  More and more, agencies that collect data on behalf of their clients are expected to take data security seriously and be in a position to show their ability to address security threats.

What data privacy regulations apply to marketing agencies?

The United States does not currently have a uniform federal data privacy standard or regulation. Instead, it’s a patchwork of state regulations regarding the use, collection, and processing of consumer information, with California’s regulations considered the gold standard of protection for consumers.

A number of states have enacted, and others are considering, their own privacy regulations aimed at protecting consumers within their jurisdiction, such as the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA).  These state-based regulations consistently require that advertisers obtain or provide:

  • a consumer’s consent to receive advertisements;
  • an opt-out right; and
  • a consumer’s rights to access their information or have it deleted (and notice of those rights).

There are, additionally, some specific federal regulations that cover specific consumer audiences or types of information. For instance, federal regulations like the Health Insurance Portability and Accountability Act (HIPAA) (concerning patient health records), the Children’s Online Privacy Protection Act (COPPA) (concerning children’s online privacy) and the Gramm-Leach-Bliley Act (GLBA) (concerning financial consumer information) apply to protect consumers within specific market sectors.

Numerous other countries around the world have followed Europe’s General Data Protection Regulation (GDPR), which may be the most important data protection regulation enacted to date, and have enacted their own similar robust and comprehensive data privacy laws.

Ultimately, in addition to the direct application of these laws to agencies with respect to their own data collection and retention practices, any number of these individual privacy protection regimes could apply to brands depending on the type and location of their target audiences.

One key takeaway for your agency? It doesn’t matter where your agency or its client is located – it’s about the consumer’s location. This is the variable that requires every agency to use care and diligence when using or processing consumer data in its work.

Clients want their agencies to shoulder the risk of data privacy violations and data-related breaches.

Agencies may have experienced that their clients’ demands for data security and liability obligations have become more complicated and demanding lately.  This is due to the increasing pressures placed on businesses to comply with data privacy and security requirements and keep consumer information safe.

Risk of non-compliance with data privacy regulations could be significant, including revenue loss from loss of consumer confidence, penalties and fines, and even loss of talent as top talent opts for more privacy-friendly employers.  According to a 2021 IBM Report on the cost of data breaches, surveyed companies reported an average cost of $4.24 million per incident (with breaches costing over $1 million more on average when remote work was indicated as a factor).

For these reasons, agencies are now more than ever before expected to take on additional risk or make extraordinary assurances in their client agreements in order to win certain contracts.  While these requirements may have more to do with clients wanting to ensure that agencies are taking privacy regulations seriously than with shifting the risk, many smaller agencies that simply can’t afford to take on the risk can be sidelined by these new liability requirements.

Your agency needs to review its services agreements and all clauses or Data Privacy Addenda to make sure you understand your risk and know how to appropriately negotiate these provisions.

Negotiating Data Protection Clauses

The following are some considerations for agencies to keep in mind when negotiating contract clauses concerning data privacy and security:

  • Don’t agree to comply with obligations over which you don’t have direct control, such as ensuring access to media vendor books – any such clause should be immediately removed from the agreement.
  • Don’t take on liability for “any” data breach regardless of the agency’s involvement with the data collection. Services agreements should require that clients maintain responsibility for security breaches or privacy violations occurring within their sphere of control.
  • Liability should not be unlimited, as the agency could easily be taking on a multi-million-dollar risk for a relatively small contract and thereby jeopardize its entire business.

Review any cyber security requirements carefully – any security measures should be reasonable and consistent with the scope of work being performed by the agency.

  • Don’t agree to blanket data privacy or data security obligations where they aren’t relevant to the scope of work or services. If you’re a branding or creative agency that won’t have exposure to the data, for example, demand those provisions be deleted from the agreement.
  • Tie liability limits to the amount of available insurance coverage the agency has in place. Relatedly – add cyber and data coverage to your general liability and errors and omissions coverage.

Two final observations:

Don’t let feeling overwhelmed by data security and data privacy compliance issues cloud the issue, or prevent you from negotiating these terms thoroughly to protect your agency; and

Keep updated on the evolution of regulations regarding data privacy – they are ever evolving.

Contact

Sharon Toerek
Toerek Law
737 Bolivar Road, Suite 110
Cleveland, Ohio
44115
Call Me: 800.572.1155
Email: sharon@legalandcreative.com

Copyright ©2022. All Rights Reserved.