As privacy laws tighten, can APAC marketers balance privacy and personalization?

It's a challenge that is becoming increasingly difficult for multinational brands and marketers as nations continue to create unique legislations, each demanding different controls and requirements for data collection, use and storage, in addition to consent and opt-in and opt-out regulations.

While this is not a new issue for multinational companies and marketers, the shift towards it is becoming increasingly more complicated for marketers.

"Regulators across the world - including APAC - have been launching new consumer data protection laws or tightening existing ones. There are other factors such as consumers' increasing awareness on data privacy and digital platforms pivoting to privacy-first positioning. It is increasingly challenging for marketers to balance privacy and personalization," says Xiaofeng Wang, principal analyst at Forrester APAC.

According to Wang, just over half (59%) of marketers in the Asia Pacific region are managing to meet the minimum compliance requirements.

"Our previous research 'The State Of Consumer Data Privacy In Asia Pacific', showed that 59% of marketers in APAC only fulfill the minimum requirements to comply with data privacy regulations; just 30% have a dedicated strategy to communicate with consumers about data privacy. Data compliance is just doing the minimum; privacy-first marketing strategy will earn consumer trust and ultimately win competitive advantage," says Wang.

One market where marketers and brands face strict compliance requirements and hefty punishments for failing to comply is China.

China's Personal Information Protection Law (PIPL) features strict rules on handling (collection, storage, usage, disclosure and deletion) Chinese citizens' personal data and stringent compliance requirements. While the PIPL was modelled on the European Union's General Data Protection Regulation (GDPR), it only protects consumers' data from the private sector and still ensures the government has full access.

Navigating data localization laws across APAC

One of the more significant pain points for multinational companies is China's Data Security Law, which applies strict provisions that all data must be stored locally and restricts companies from transferring data outside of China unless they submit to a security assessment.

These regulations mean international businesses cannot share, use or analyze data collected in China outside the country – a difficult hurdle for companies with offshore insights and analytics departments. However, it goes even deeper, with companies unable to use overseas servers to back up systems.

The penalties for data breaches are also significant. "International brands face harsher sanctions for breaching laws like PIPL (Personal Information Protection Law), such as being put on a blocklist and banned from handling the personal information of Chinese citizens," says marketing consultancy R3.

The consulting firm advises marketers and brands on strategies to help navigate these regulations and ensure they maintain compliance.

"Brands need to reconsider how they use data from third parties. Platforms and providers will be subject to tougher regulations on the collection and use of personal data. With access to a plethora of client data, huge tech platforms like Alibaba and Tencent are currently used by companies and marketers to create more specialized content and products. Brands need to consider if those activities are permitted by the regulation or whether they will later be linked to unnecessary items."

"One solution is to build a local data management platform and work out how to keep and analyze data in the country."

However, the regulations around the movement of consumers' data are a growing minefield for marketers across the region.

For example, Thailand's consumer data laws dictate that personal data cannot be transferred out of the country unless the recipient country – or international organization using the data - has adequate personal data protection standards. Singapore's Personal Data Protection Act (PDPA) has similar legislation forbidding organizations from transferring personal data outside of Singapore unless the recipient country complies with PDPA requirements.

Australia is currently reviewing its privacy laws with proposals on the table to regulate international companies that are collecting and using consumers' personal data, which privacy expert Peter Leonard says "creates challenges for companies conducting business across the Asia Pacific region, or globally, as data privacy affecting processes and practices will need to accommodate distinct features of the revised Australian law."

"Many businesses consider that they have 'turned themselves inside out' to become complaint with GDPR and ask why countries like Australia are now imposing additional requirements that in some cases are also quite inconsistent with GDPR."

Increasing diversity in privacy legalisation

Leonard says we are witnessing an era of increasing diversity regarding individual nations' privacy regulations, which is particularly evident across the Asia Pacific region.

"I like privacy regulatory harmonization," says Leonard, "but I don't think that it is going to happen any time soon. The trend is probably increased diversity, not convergence, albeit that some of the underlying objectives of privacy regulation are universal."

"Data privacy law reflects particular national views as to consumer protection, rights of individuals and the rule of the State (i.e., the desirable and acceptable level of intervention of government and regulators to address concerns of citizens). That diversity of national views – and opinions and concerns of citizens within nations – is probably increasing, not decreasing.

"Multijurisdictional businesses already need to adjust how they do business and collect and use data about customers and consumers to address peculiar and quite different laws in different countries. The harmonization of privacy laws is desirable, not least to reduce friction in international dealings, but by no means necessary to facilitate international business.

"Businesses would be wise to design their data ontologies, architectures and data handling processes and practices to be readily capable of adaption to suit local conditions, and unpredictable changes over time. The readily adaptable survive and thrive," says Leonard.

To read more from The Drum’s latest Deep Dive, where we’ll be demystifying data & privacy for marketers in 2023, head over to our special hub.