Marketer’s Guide to Data Protection and Consumer Privacy Laws
In order to compete in today’s oversaturated retail landscape, brands need to keep a constant eye on their industry, their competitors, and their consumers. They should also pay close attention to user data regulations, as they affect what types of information they can collect and how they can capture, store, and use it. Marketers need data to provide personalized experiences but shouldn’t do so without consumers’ explicit knowledge and consent. Otherwise, they risk facing fines, legal action, and a loss of trust with governments, regulatory bodies, and consumers. What data protection and consumer privacy laws do brands need to know about?
Google first announced their intention to ban third-party cookies in February 2020, aiming to phase them out of Google Chrome by the end of 2022; this has since been delayed to 2024. Google has also introduced a few potential third-party cookie replacements so brands and advertisers can continue to track site activity and user behavior.
In 2019, Google launched their Privacy Sandbox initiative with three main goals: “to build new technology to keep [user] information private, enable publishers and developers to keep online content free, and collaborate with the industry to build new internet privacy standards”. Through this initiative, Google aims to work with publishers, developers, and advertisers to create better user browsing experiences without compromising their security or privacy.
The Federated Learning of Cohorts (FLoC) was the first proposed initiative within the Privacy Sandbox. It was an algorithm intended to help marketers serve targeted ads by grouping users based on shared similarities rather than looking at individual interests. Each user would receive a FLoC ID number, then advertisers would access these numbers through an API to determine consumer cohorts. During the testing stage, which started in March 2021, multiple companies and organizations expressed concerns over user privacy, including Amazon, WordPress, GitHub, and the Electronic Frontier Foundation. By April, all major browsers using Google’s Chromium codebase had declined to implement FLoC; Google suspended its development in July.
Next, Google announced FLoC’s replacement, Topics API, in January 2022. Topics, currently in the testing stage, selects three interests based on a user’s browsing history, then shares these interests with the sites that a user visits in order to serve relevant ads. This information is deleted and reset after three weeks, and users can view, edit, and opt out of Topics entirely. Topics is a much more simplified version of FLoC, with only 350 initial topics compared to FLoC’s 30,000. As a result, advertisers have expressed concerns about its targeting effectiveness, while others have asked for clarification on how to control user data flow.
In addition to Topics, Google has also proposed several smaller initiatives for targeted advertising and data analytics, including TURTLEDOVE (“Two Uncorrelated Requests, Then Locally-Executed Decision On Victory”), SPARROW (“Secure Private Advertising, Remotely Run On Webserver”), and PELICAN (“Private Learning and Interference for Causal Attribution”).
Apple “design[s] [their] products and services guided by [their] four key privacy principles”: data minimization, on-device processing, user transparency and control, and security. They recognize users’ personal preferences for how to share and protect their data, such as keeping apps from tracking their activity across other apps or preventing banks from sending marketing information based on their transaction history.
Each iteration of Apple’s software, iOS and OS X, brings new user privacy features and barriers for brands and marketers looking to connect with consumers. For example, iOS 14.5 introduced App Tracking Transparency (ATT), where iPhone users have to explicitly consent to having their web and app activity tracked, resulting in “the portion of tracked users [falling] from 73% at the start of 2021 to 32% by the end of June”. ATT also decreased the effectiveness of IDFA (Identification for Advertisers), which advertisers use to retarget consumers with relevant ads, and MMPs (Mobile Measurement Partners), which provides marketers with data on app installs, views, and ad clicks.
Next, iOS 15 introduced Mail Privacy Protection, iCloud+, and Hide My Email. These features help iPhone users hide their IP addresses, create fake IP addresses, and generate random email addresses, respectively. This prevents advertisers from tracking email opens and browsing history, as well as collecting users’ actual email addresses. These features only apply to Apple’s email application, Mail; brands can still track people who use email applications like Gmail and Outlook. Marketers can also look beyond open rates and focus on other email metrics such as clickthrough and unsubscribe rates.
Lastly, iOS 16 was launched in September 2022. To start, it offers automatic security updates independent of full software updates, helping protect users who may have avoided them otherwise. It also includes copy-and-paste permissions, where apps require user consent before accessing the phone’s clipboard. iOS 16’s Lockdown Mode protects users from spyware by temporarily disabling features like email attachments, link previews, and shared photos. Finally, Safety Check is “designed for people who are experiencing or at risk of domestic abuse”, which simplifies the process of resetting a phone’s privacy permissions, location tracking, security settings, and so on.
Android shares many similarities with both Google and Apple, though its privacy policies are generally more tied to users’ Google accounts than Android devices. To start, Google’s two-factor authentication protects Android users from hackers, while Google Play Protect keeps them safe from spyware, stalkerware, and other malicious third-party apps. Android also allows users to disable sensitive notifications from showing on their lock screen, such as private messages and authentication codes.
The default browser, Google Chrome, offers Enhanced Safe Browsing, protecting users from malicious websites, phishing scams, and dangerous downloads, but it also collects more personal data than the regular mode. For example, it can connect users’ browsing history to their social media profiles, which can be advantageous for advertisers but concerning for consumers. As a result, tech experts often recommend alternative browsers like Brave and/or alternative search engines like DuckDuckGo that prioritize user privacy and anonymity.
Lastly, Google recently implemented a Privacy Dashboard through its latest Android update, Android 12. The Privacy Dashboard helps Android users see what information is being seen and used by which app, such as their location or their camera. The update also includes options that notify and help users enable or disable their camera, microphone, or GPS sensor across different apps.
United States
In addition to the Health Insurance Portability and Accountability Act (HIPAA) and the Children's Online Privacy Protection Act (COPPA), the U.S. House Energy & Commerce Committee is currently in the process of developing a national user privacy bill called the American Data Privacy And Protection Act (ADPPA), which will dictate “how data can be collected, used and shared for marketing and other purposes”. The bill's primary goal is to prevent companies from capturing unnecessary data, profiting from sensitive information like health and finances, and targeting ads towards children. It would also give government officials more enforcement capabilities and consumers more rights to sue brands for privacy violations.
While ADPPA has progressed further than previous attempts at developing national privacy policies, it still faces several roadblocks, including getting support from key members of the House and Senate and aligning with existing statewide privacy laws. The Federal Trade Commission has also been investigating technology and telecommunications companies to better understand how they collect, use, and protect consumer data, and how the ADPPA can create more restrictions on third-party data tracking and first-party data targeting.
Other than ADPPA, there are currently five comprehensive statewide privacy laws in California, Colorado, Connecticut, Virginia, and Utah, though only California’s CCPA is currently in effect; the other four will go into effect in 2023. These acts cover protocols for common privacy concerns, including the collection and storage of sensitive information, the definition of selling and sharing personal data, and the processes for acquiring user consent, deleting consumer information, and enforcing privacy regulations. Michigan, New Jersey, Ohio, and Pennsylvania are also finalizing their own statewide laws, while others like New York and Washington are currently in progress.
Companies must be especially careful when navigating multiple statewide privacy laws, as they typically have different standards for the amount of data brands can collect, different best practices for acquiring user consent, and so on. Marketers can start by requiring double opt-in, avoiding targeted ads toward children, and practicing progressive profiling to build user profiles over time, rather than asking for excessive amounts of information from the start.
Canada
Canada currently has two national data privacy laws - the Privacy Act, which covers personal information collected and stored by the Government of Canada, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which covers personal information collected and stored by private-sector organizations and federally-regulated businesses like banks and airlines. Under PIPEDA, businesses must follow ten fair information principles: (1) accountability, (2) identifying purposes, (3) consent, (4) limiting collection, (5) limiting use, disclosure, and retention, (6) accuracy, (7) safeguards, (8) openness, (9) individual access, and (10) challenging compliance. There are also provincial privacy laws in Alberta, British Columbia, and Quebec, and health-related privacy laws in Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia.
In June 2022, Canada introduced the Digital Charter Implementation Act, which consists of the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. This act intends to increase consumer control and transparency, strengthen minors’ personal information protection, protect users from AI-based harm and biases, and establish prohibitions and penalties for non-compliant organizations.
Likely the most well-known of all the privacy laws, the General Data Protection Regulation (GDPR) governs how personal data is collected, processed, and used between users, businesses, governments, and nations. It’s based on seven key principles: (1) lawfulness, fairness, and transparency, (2) purpose limitation, (3) data minimization, (4) accuracy, (5) storage limitation, (6) integrity and confidentiality, and (7) accountability. The GDPR’s language and principles have been used to model user privacy protections in countries like Turkey, Japan, South Korea, and Brazil, and applies to any business that processes information on individuals from the EU or the EEA, including the United Kingdom.
The GDPR has undergone multiple developments since its inception, such as new cookie guidelines and the dissolution of the EU-US Privacy Shield. There are also a few legislative proposals in progress that outline additional regulations and security measures, including the Data Governance Act, first proposed in 2020, the Digital Services Act, which will come into effect in 2024, and the Digital Markets Act, which became effective in September 2022. The DGA aims to create a framework for data sharing, while the DSA intends to address misleading advertising and information.
Lastly, the DMA covers eight different Core Platforms Services (CPS): online search engines, online intermediation services, social networks, video platforms, communication platforms, advertising services, operating systems, and cloud services. Its main objectives are to regulate big tech companies, guarantee a fair level of competition within each CPS category, and give consumers the power of choice.
Asia does not have standardized consumer privacy regulations, though multiple individual countries have started to develop and implement their own policies. China enacted the Personal Information Protection Law (PIPL) in 2021, while Thailand’s Personal Data Protection Act (PDPA) first came into effect in 2019, though was not fully enforced until June 2022. India and the Philippines were relatively early adopters with their respective Information Technology Act of 2011 and Data Privacy Act (DPA) of 2012. India also introduced the Personal Data Protection Bill in 2018, though it has faced controversy for its total exemptions for the government.
Other national data privacy laws include South Korea’s Personal Information Protection Act (PIPA), Singapore’s Personal Data Protection Act, Taiwan’s Personal Data Protection Act (PDPA), and Japan’s Act on the Protection of Personal Information (APPI), which was first enacted in 2003 and recently updated due to poor cybersecurity and data privacy breaches in 2022. Asian countries without official data privacy laws include Bangladesh, Mongolia, and Sri Lanka.
Brazil’s General Personal Data Protection Law, heavily influenced by the EU’s GDPR, is considered the most comprehensive data protection bill in Central and South America, unifying over 40 different Brazilian laws regulating information processing and user privacy. Other national data privacy laws include Argentina’s Personal Data Protection Law, Colombia’s Law 1581, and Mexico’s Federal Law for Personal Data Protection Possessed by Private Persons (DPL). Latin American countries without official data privacy laws include Cuba, Ecuador, and Venezuela.
61% of countries in Africa have adopted data protection and privacy legislation, including South Africa’s Protection of Personal Information Act (POPI), Kenya’s Data Protection Act, and Egypt’s Personal Data Protection Law. African countries with no legislation or draft legislation in place include Sudan, Libya, and Sierra Leone.
Australia’s Privacy Act of 1988 outlines when and how personal information can be collected by government agencies, private organizations, and independent businesses. It has since undergone several amendments and revisions, including the Privacy Amendment (Enhancing Privacy Protection) Act of 2012, the Information Privacy Act of 2014, and the Privacy Amendment (Notifiable Data Breaches) Act of 2018, outlining additional standards for credit reporting, data handling, security obligations, and so on.
New Zealand’s Privacy Act of 1993 was later replaced by the Privacy Act of 2020, with thirteen “privacy principles that govern how businesses and organizations should collect, handle and use personal information”, including accessibility, accuracy, and disclosure of user data. Individuals can lodge complaints with New Zealand’s Privacy Commissioner or the Human Rights Review Tribunal if they feel their information privacy was compromised.
Navigate consumer privacy laws with first-party data
People are becoming increasingly wary of how their personal information is collected, stored, shared, and used, resulting in the widespread development of data protection and privacy laws on a global and domestic scale. While many consumers want to share their information to help brands better serve their needs, marketers shouldn’t do so without explicit knowledge and consent. Brands need to focus on capturing zero-party and first-party data to build better relationships with their consumers and navigate the legal and ethical risks of handling user information.
With 3 tier logic’s PLATFORM³, brands can collect first-party data safely and securely through marketing campaigns like gift with purchase promotions, sweepstakes and contests, and customer loyalty programs. Modules like Purchase Receipt Validation, Dynamic Messaging, and Data Capture & Analytics give marketers the tools and information they need to connect with consumers on their own terms. To learn more, chat with an expert today.