Over the years, consumers have become more aware of and concerned about the collection of their data in daily life. A Tealium survey found that 97 percent of consumers are somewhat or very concerned about protecting their personal data. This widespread discomfort regarding the collection and utilization of consumer data has already created significant changes in the world of marketing. From industry giants like Google and Apple adopting new policies and technologies for consumer privacy to comprehensive US state privacy laws and a push for national legislation, data privacy is here to stay.
The changing global privacy laws surrounding consumer data put marketers in the position of assuming the risks involved when launching campaigns. Risks can vary widely, in part because there’s no single comprehensive federal law regulating how most companies collect, store, or share customer data. Data privacy law in the United States continues to fragment as individual states push forward data protection legislation. Without a single law that covers the privacy of all types of data, the US has a mix of sectoral laws, including HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA, to cover a wide range of data types in different settings.
Here are a few important global and national data protection laws to know as a marketer:
The California Consumer Privacy Act (CCPA), The California Privacy Rights Act (CPRA) & other US laws
The California Consumer Privacy Act (CCPA) outlines the rights of California residents to know what personal information is being collected, understand how that information is being used, request the deletion of that information, and opt out of the sale of personal information through a ‘Do Not Sell My Personal Information’ (DNSMPI) link on the business’s website. It’s important to note that ‘personal’ includes any unique identifiers, such as cookie IDs, mobile device IDs, and even some IP addresses. For more information, you can review the California Attorney General’s official webpage. California’s Attorney General and the new California Privacy Protection Agency (CPPA) have also indicated support for an “opt-out preferences signal” or global privacy control (GPC) that lets devices or browsers direct websites to automatically remove the user from data sharing. Further guidelines for the use of this ‘signal’ and other amendments to the CCPA have recently been drafted by the CPPA and can be found here. These guidelines are outlined in advance of California’s newest law, the California Privacy Rights Act (CPRA), which becomes effective January 1, 2023. The CPRA will give California consumers the additional rights to correct or modify information and to limit the use and disclosure of sensitive personal information such as ethnicity and religious attributes. It will also require businesses to expand their DNSMPI link to provide consumers with the right to opt out of the ‘sharing’ of their personal information for cross-context behavioral advertising (aka ‘retargeting,’ ‘interest-based,’ or ‘tailored’ advertising).
Other states have also recently passed legislation that is comparable to the CCPA, including Virginia’s Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), Connecticut’s Personal Data Privacy and Online Monitoring Act (CPDPA), and Utah’s Consumer Privacy Act (UCPA). Refer to this chart for a detailed description and comparison of US state laws.
Europe’s General Data Protection Regulation (GDPR)
The European Union’s General Data Protection Regulation (GDPR) went into effect in May 2018. It, along with the 2003 updates to the ePrivacy Directive, regulates how companies handle European residents’ data. Under the GDPR, there must be a ‘lawful basis’ to process personal data, such as a contract, consent, or ‘legitimate interest.’ Where consent is the lawful basis, the consent must be opt-in. Importantly, the GDPR restricts the transfer of EU citizen data outside of the EU except either to countries that have ‘adequate’ privacy laws (like Canada) or where the importing company has agreed to specific terms to protect the personal data of EU citizens (e.g., ‘Standard Contractual Clauses’). The GDPR gives EU citizens 8 rights: the right to be informed; the right of access; the right to correction; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right to not be subject to automated decision making.
For more information, you can review its official webpage here.
Cookies and mobile ad IDs are governed both by the GDPR and by the ePrivacy Directive. In the EU, among other requirements, you must receive a user’s consent before you use any cookies except strictly necessary cookies. This is often done via a cookie banner, with most advertising-related cookie banners using the IAB Europe’s Transparency and Consent Framework (TCF)* to specify each consent purpose.
The UK has passed a GDPR law of its own that is substantially the same as the EU’s, but it is currently considering modifications that diverge from the EU’s GDPR.
*The TCF is currently under review by the Belgian Data Protection Authority, and may undergo significant modifications in order to continue being used. More info on that issue here.
The Brazilian General Data Protection Act (LGPD)
Inspired by the European regulation (GDPR), the Brazilian General Data Protection Act (in Portuguese, LGPD, Lei Geral de Proteção de Dados) establishes rules for the collecting, handling, storing, and sharing of personal data. Like GDPR, it requires a lawful basis to process personal information and requires data importers to either have an adequacy decision or other mechanisms in place to protect its citizens’ data. While cookies are not expressly regulated by the LGPD or any other Brazilian law, many have interpreted the law to also require opt-in consent before placing cookies. For more information, you can review its official webpage here.
Data protection for consumers
The throughline connecting the legislation that has been passed in recent years, and any bills still in process, is prioritizing the individual in all cases. Embracing this new privacy-first approach, marketers must walk the line between building trust with consumers and creating lasting value through targeted marketing campaigns.
At first, these restrictions may seem like a barrier to overcome, but if you are able to focus on the unique and personal values of your audience and make efforts to build rapport, you’ll be able to continue providing value through your targeted campaigns. In the long run, these challenges will be beneficial for the marketing industry because they will encourage innovation and adaptation.
The global movement toward more protections for consumers creates risk for digital marketers as more fragmentation occurs between regional legislation. Understanding privacy laws will help you keep track of how you’ll be responsible for protecting consumers’ privacy while allowing you to continue launching your most effective campaigns.
During this time of transition, there will be a big opportunity to compete for effectiveness in the new landscape and differentiate yourself from competitors. Continue to experiment with new tactics and strategies that are available. As policy changes, start thinking about which of your technologies and partners are prepared for the long term.
Choozle helps you manage privacy
Anyone who says audience targeting and data protection are easy probably isn’t doing it right. And if you’ve ever felt perplexed by all of the different rules surrounding audience targeting and data protection, you’re not alone.
Choozle works to help you be compliant with all of the strictest privacy policies and understand them as new legislation is passed across the country. Our team of industry experts can help you understand how to protect the privacy of your audience when creating custom audiences and leveraging data with Choozle. We are here to stay on top of the latest privacy policies so you can keep focused on what matters: growing your business.
Here are some of the measures we can help you take to protect your audience under changing privacy laws:
- Data collection and sharing rights: People have the right to see what data various companies have collected on them, and to request that companies delete any data they’ve collected.
- Managing consent preferences: A company should have to provide advance notice and ask whether it may share or sell data to third parties. Whether opt-in or opt-out, users should be able to easily manage their consent preferences rather than spend time opting out from every ad or website.
- Data minimization: A company should collect only what it needs to provide the service used.
- Nondiscrimination and no data-use discrimination: A company shouldn’t discriminate against people who exercise their privacy rights. For example, a company can’t charge someone more for protecting their privacy, and the company can’t give discounts to customers who give up more data.
At their best, data privacy laws make it so you can experience the best and newest technology available in the marketing industry without having to fret over fast-changing privacy laws, while individuals can feel reassured that their data is being collected responsibly and is being used to create value in their shopping experience.