What is data privacy?

Data privacy is a more complex issue than you might expect – while most of us have a general idea of the concept, trying to actually define what it means is another thing entirely. According to Lifelock (their entire business is protecting people’s identities/information so they should be a good source) “Data privacy relates to how a piece of information—or data—should be handled based on its relative importance. For instance, you likely wouldn’t mind sharing your name with a stranger in the process of introducing yourself, but there’s other information you wouldn’t share, at least not until you become more acquainted with that person…In the digital age, we typically apply the concept of data privacy to critical personal information, also known as personally identifiable information (PII) and personal health information (PHI).” 

The key components here are PII and PHI, data a company holds about individuals must be protected securely to avoid negative impacts on those individuals. To avoid data privacy issues, many platforms (like Google Analytics) do their best to collect useful information for marketers while anonymizing user information, so these data sources are not the main concern; however, how you use any first-party data you have collected from leads/customers is very important. To better understand data privacy laws and how to conduct marketing efforts in a way that conforms to them – let’s take a look at what GDPR is, as the latest big example of a national/standardized data privacy policy.

What is GDPR?

According to the EU, “Regulation (EU) 2016/679 of the European Parliament and of the Council, the European Union’s (‘EU’) new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.” 

Ok, thanks EU! How about some examples?

When the regulation applies

A company with an establishment in the EU provides travel services to customers based in the Baltic countries and in that context processes personal data of online users.

When the regulation doesn’t apply

An individual uses their own private address book to invite friends via email to a party that they are organizing (household exception).

At this point you’re probably asking what GDPR has to do with you, and that’s a great question – we were just getting there so slow down a bit. GDPR is impacting US businesses in the following ways: 

1. You do business in Europe and are seeing an immediate impact 

2. States in the US, like California, are beginning to adopt their own data privacy laws in advance of a national policy from the US government 

3. Platforms/Publishers, like Google, are scrambling to alter the way they work to conform with the new laws and are starting to face substantial fines (Google was fined $57 million recently for GDPR violations). 

According to eMarketer, “Fear of violating these tough new laws has driven publishers to turn off open exchanges and led vendors to pivot their business models. More than three-quarters of brand marketers in the US and Europe agreed that GDPR will affect how they use third-party data to target people, according to a November 2018 survey by Sizmek.” 

So to summarize, we have a groud-breaking data privacy policy covering the entire EU that will impact any business doing business within the union and will not hesitate to hand out fines for violations and we are already seeing the beginnings of comparable legislation in the US.

What Is CCPA?

The California Consumer Privacy Act (CCPA) is already impacting marketers before it officially goes into effect. Digital Guardian, an enterprise data loss prevention company had this to say about the CCPA “The California Consumer Privacy Act is a piece of consumer privacy legislation which passed into California law on June 28th of 2018. The bill, also known as ‘AB 375’, has been described by some as ‘almost GDPR in the US.’ Far and away, this Act is the strongest privacy legislation enacted in any state at the moment, giving more power to consumers in regards to their private data. With a variety of major tech giants based in California, including Google and Facebook (both of which have recently suffered data breaches), AB 375 is poised to have far-reaching effects on data privacy. AB 375 will go into full effect on January 1st, 2020. Companies that already comply with the GDPR may find that they currently meet many of the requirements set forth in the California Data Privacy Protection Act.”

There’s a lot to unpack in that statement from Digital Guardian, the key points though are that the CCPA is being recognized as essentially a GDPR counterpart within the US, the law is taking place in one of the most important media markets in the US where most of our tech companies are located and GDPR compliance will most likely mean CCPA compliance.

What Does This Mean For Audience Data?

At this time, much of the impact on how advertisers use customer data for audience targeting is TBD; however, we do know a few things for certain. 

Your advertising should still be able to utilize data from anonymized sources, such as retargeting audiences from Google Analytics and the core audience capabilities of platforms like Google, Facebook, Snapchat should experience changes but not drastic ones. 

Advertising platforms, like Google Ads, are going to be forced to evaluate their current methodology for everything from what user data is collected, how audiences are made and how long they can be retained for, to what information can be contained within ads. Facebook famously has already begun the process of watering down their audience offering by removing all behavior based audience options from their out-of-the-box options.

Finally, developing a comprehensive customer data policy around what information your company collects over the life of your interactions with a customer, how it is stored and how it is used is absolutely a must. Businesses will likely only be under increased pressure to explain upfront to customers what their data policy is & be able to document it for policy enforcers.

What Can Advertisers Do Now?

Throughout this post we’ve looked at what data privacy is, what regulations exist/are expected, and discussed the outlook for audience data – but let’s sum up a few things your business should be focused on in the TL:DR version of this article.

  1. Form a comprehensive customer data policy. Someone should understand every data point you collect about customers across all interactions and eliminate superfluous information, or data that could violate data privacy regulations.
  2. Pay attention to data privacy legislation and news, in particular look for news on the coalition Privacy For America.
  3. Get consent for data collection and usage, this is essential!
  4. Look into vendor accreditation, are you using any advertising platforms that could see their core capabilities neutered by data regulation?

Moving further into 2019, your goal as an organization should be to develop a strong understanding of the underlying requirements of GDPR and the CCPA and prepare for Jan 2020 when the CCPA goes into effect. It is only a matter of time until national US data privacy laws are updated in a similar fashion, now is the time to prepare.