Gartner estimates that 50% of people on European marketing lists will be deleted by the end of 2020. While many will actively opt out of having their data processed, others will simply do nothing. In the absence of consent, or another lawful justification for processing data as defined by the EU’s General Data Protection Regulation (GDPR), companies will be legally obligated to delete their own customer data.
Consumer privacy laws have already had major consequences for advertisers operating in Europe. Not only are companies hemorrhaging customer information, collecting new data is more complex and expensive than ever:
- Estimates put GDPR compliance costs for U.S. Fortune 500 companies at $7.8 billion.
- Fines for violating the new laws have already cost Marriott $124 million and Google more than $50 million.
Despite companies jettisoning their own data while coughing up billions in compliance costs and fines, complying with GDPR could be relatively simple compared with the future of data privacy regulation in the U.S.
The future of U.S. consumer privacy laws is fragmented
There are federal laws protecting financial, educational (e.g., records), and medical data, as well as protection for children’s privacy—but there is no single U.S. law regulating consumer data privacy at the national level.
Federal protections for children under the age of 13 are provided by the Children’s Online Privacy Protection Act (COPPA). The Federal Trade Commission (FTC) recently announced it will fine Google $170 million for tracking the viewing history of minors and following them across the web using persistent identifiers, all for the purpose of serving targeted ads. This represents the largest COPPA fine since the law went into effect 19 years ago.
Federal laws also regulate how personally identifiable information (PII) is handled in some industries. Beyond these cases, the FTC’s Fair Information Practice Principles simply offer general guidance, recommending businesses:
- Tell customers about their data practices
- Give people some choice about additional uses
- Provide people with access to information about them
- Ensure the security of the data collected
Different states have different privacy laws
The California Consumer Privacy Act (CCPA), passed in June 2018, is America’s first broad consumer data privacy law. Beginning January 1, 2020, California residents will be legally entitled to see what data companies have collected about them as well as stop their data from being sold. While this landmark regulation is good news for consumers, it also marks the beginning of data privacy law fragmentation in the U.S.
Nevada’s Senate Bill 220 (SB220) is an amendment to existing online privacy legislation that followed in CCPA’s footsteps, but went into effect three months before it on October 1, 2019. These new Nevada laws were modeled after the portion of CCPA that allows consumers to opt out of having their personal data sold, but are more limited in scope than California’s solution.
Companies that are impacted by SB220 must enable consumers to notify the business if they do not consent to having their personal data sold. Verified opt-out requests can be processed through a dedicated email, toll-free number, or website address.
What are some of the differences between SB220 and CCPA?
Key differences between Nevada’s SB220 and California’s CCPA help demonstrate emerging fragmentation in consumer data privacy protections across states:
- Nevada’s amendment only protects personally identifiable information collected through a website or online service. Conversely, CCPA protects all consumer PII data regardless of how it was collected—if data can be linked to an individual or household, it’s protected.
- SB220 only applies to online businesses, services and operators of internet websites, while CCPA applies to any business that deals with California resident data and meets specific revenue or capacity thresholds.
- SB220 only regulates the exchange of PII consumer data that is sold for a monetary incentive, while CCPA takes into account non-monetary exchanges.
Multiple other state legislatures across the country have introduced draft “Copycat CCPA” bills. In New York, lawmakers have floated several consumer privacy related bills, including one on biometric privacy. Meanwhile, a Mississippi bill that pulled language directly from CCPA died in committee. The scope of these new laws and their likelihood of passing vary wildly, demonstrating how far the U.S. has to go before consumer data privacy regulations become consistent across state lines.
This map visualizes the emerging complexity of data privacy laws across America:
Marketers should embrace consumer data privacy
As privacy regulations continue to grow in both complexity and volume, the responsibility for managing consumer rights will not fall squarely on platforms like Facebook and Google. Marketers operating at a smaller scale must adopt more stringent best practices for analyzing personal user data, and be more particular when it comes to data collection—only asking for information that has a specific purpose.
Under CCPA, organizations will be required to maintain up-to-date knowledge of the personal data they store, as well as respond to requests about that information. California’s new law also requires companies to give people the ability to monitor the gathering, use and sharing of their personal data, as well as retract consent to having their data processed for certain activities.
Most marketing organizations and departments aren’t presently capable of managing data consent and preferences for their customers, and have a limited understanding of how third-party advertising partners target prospective customers. Being proactive about user privacy protections will not only prepare your business for impending regulations, but also help it become less dependent on data and ad targeting techniques that may not be permitted in the future.
Regulation is disrupting common ad targeting techniques
The ad tech industry is grappling with regulatory disruption. New privacy laws are dampening, or eliminating entirely, common ad targeting techniques that rely on personal user data. Under the GDPR, certain methods have died down across Europe because the law limits the way consumer data is tracked and sold, while the forthcoming impact of the CCPA sheds light on what’s to come in the U.S.
Cross-device tracking is a technique used to associate one consumer across all their owned devices (e.g. smartphone, tablet, and laptop). This helps with building more accurate behavioral models and reduces duplicate data. The practice is grinding to a halt across Europe, with some companies in the cross-device tracking space exiting the region entirely after the GDPR went into effect.
Stipulations in the CCPA require third-party data processors to provide consumers with notice and opportunity to opt out before selling their personal data, greatly complicating the mechanisms that cross-device tracking companies depend on. Location-based targeting is facing a similar fate in Europe, with suppliers struggling to source compliant data they can use to create user profiles.
Data sharing practices among advertisers have evolved with little oversight, causing new regulation to catch the industry off guard. Many companies are unwilling or incapable of retooling their business models and finding new methods for delivering targeted ads. Businesses that don’t merely comply with regulations, but also work to reestablish trust with their customers through data transparency are most likely to prevail amid maturing legislation and mounting public concern around privacy.
Better data privacy rights are a matter of when, not if
By 2022, Gartner predicts half of the world’s population will have its personal information covered under local privacy regulations in line with GDPR. While privacy rights are guaranteed to improve in some places, America’s state-specific laws may cause the strength of privacy protections to remain geographically volatile.
With big tech already accused of lobbying against CCPA in California, privacy advocates in the U.S. are locked into an uphill battle. Marketers must get ahead of regulations by educating themselves about privacy laws and developing a complete view of how their business sources and leverages consumer data.
NOTE: This document, while intended to inform our clients about the current data privacy and security challenges experienced by IT companies in the global marketplace, is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.