As if acronyms in and of themselves weren’t confusing enough, make ‘em legal acronyms and we’re talking a whole new ball game! While you’ve maybe heard (but probably not) of CCPA, CCPA 2.0 (aka CPRA) and GDPR generally as new privacy regulations, you may be struggling to understand what they mean for your marketing efforts going forward. Will these regulations restrict online advertising? Do I need to do anything to prepare my business to comply? What does it all mean?!?!
If you're feeling intimidated and confused, just know—you are not alone! In this blog I will break down what these rules mean and how they may affect the digital advertising landscape going forward. If you collect data from consumers or use data to target ads to consumers (directly or via a third-party firm), this article will be of interest to you.
First things first—no spoiler alert here! When it comes to privacy regulations and policies, the story is still being written. These are very complex laws and exactly where they will end up, no one truly knows. So my goal is to provide some practical guidance to the non-legal folks out there looking for a basic understanding of these privacy rules in their current form.
Let’s start with a primer on what these acronyms mean:
- GDPR - General Data Protection Regulation: A European Union law aimed at unifying privacy regulation within the EU by giving control to individuals over their personal data and simplifying the regulatory environment for international business.
- CCPA - California Consumer Privacy Act: A California state statute intended to enhance privacy rights and consumer protection for residents of California through strict data restrictions.
- CPRA (aka CCPA 2.0) - California Privacy Rights Act: Expands and amends the CCPA.
Now that we understand what the acronyms stand for, let’s discuss what the rules are intended to do and how they may impact you.
As a whole, these regulations were established to solve one problem—protecting the privacy rights of individuals. In essence, legislators and regulators felt that businesses that monetize consumer data were not doing enough to protect that data. The starting point here is that the consumer data is owned by the consumer, and thus the consumer has a right to privacy in their own data. These rules are meant to put limitations and restrictions on a certain subset of consumer data—that which can be used to identify an individual.
To make things as confusing as possible, there are different terms for such data that can identify an individual. Under GDPR in the EU this data is known as “Personal Data.” Under CCPA it is called “Personal Information.” In the US, the industry typically refers to this data as PII, or Personally Identifiable Information. For simplicity, I will use PII in this article.
Some obvious examples of PII are social security number and medical information. Some less obvious examples, which are most relevant to those in the digital marketing space, are IP addresses, cookies, beacons, pixel tags, customer IDs and device IDs. If you, your business or a third party working on your behalf collects data on customers or uses targeted advertising, you are likely collecting PII and thus are or could be subject to these privacy rules.
One important note: while the rules take into account the ability for businesses to exist and thrive while meeting these privacy rules, they focus primarily on privacy rather than economics. That means regulators come up with rules that inevitably increase the cost of doing business, cut into margins and make it harder to conduct business-as-usual. While not good for bottom lines, that is simply how policy works. As a policymaker, you inevitably have to prioritize one interest over another. These rules prioritize the right to privacy over the interest of business.
So, What Does It Mean For My Business?
There are many in-depth articles on how you should go about complying with CCPA/CPRA/GDPR, and I won’t go into that level of detail here. In terms of the ultimate impact to your business, however, you should expect the following, among others:
- To determine if you are subject to these rules in the first place, based on where you are doing business, how big you are and how much data you collect;
- To analyze and determine what PII you or your partners are collecting and/or using in ad targeting;
- To ensure proper opt-outs are being used, and to add specific links to your homepage;
- To develop a process to handle customer inquiries.
On a more macro level, expect to see a US-based federal rule governing data privacy, which would supersede CCPA and avoid a scenario where different states have different rules—leading to a labyrinth of privacy rules to comply with.
As you can see, compliance will require time, attention and resources. As mentioned, this inevitably increases the cost of doing business and thus may decrease your margins accordingly.
However, in terms of how data is used in ad targeting, the impact may be nominal. In the EU, where GDPR requires users to “opt-in” to permit use of their PII, the “opt-in” rate is above 95%. In the US, CCPA is “opt-out” and it’s fair to think less than 5% of people will “opt-out” given the “opt-in” rates in the EU.
Assuming you are subject to these rules:
- New privacy regulations will require you to put more thought and effort into what data you or your vendors are collecting, and how such data is used.
- You will likely have to make some technology changes on your website, and will have to adopt new policies and procedures.
- Expect a US-based federal rule governing data privacy.
- Work with trusted advisors and vendors!!!
If you want to learn more about privacy regulations and what they mean for you and your business, feel free to reach out. I'm happy to discuss!
Good Luck and Godspeed.