In this post:
The landscape of digital advertising is shifting as government legislation and corporate action change data privacy practices. While everyone who’s in digital advertising has undoubtedly heard of GDPR by now, that is only the tip of the iceberg of many changes that are being rolled out. If you’re using digital advertising channels in your marketing mix (like most people!), here’s what you need to know about digital privacy changes and how they’ll affect United States-based advertisers this year.
The major shift in data privacy laws and practices began with the General Data Protection Regulation (GDPR). Although enacted by the European Union to protect its residents, the law affects many U.S. advertisers because it extends to any website that attracts EU visitors—regardless of where the site is based or whether it actively markets to EU residents.
Most digital advertisers have already witnessed the impact of GDPR, and even people outside of advertising have witnessed the law’s effects (although they may be unaware). It’s the reason why cookie notifications and opt-ins are virtually ubiquitous on websites today.
GDPR was enacted in April 2016 and took full effect in May 2018. This law requires all websites that attract EU visitors to disclose how the site collects, protects and uses visitors’ personal information. Visitors must consent to this use, which websites may obtain explicitly (e.g. “I agree” buttons) or implicitly (e.g. stating that continued use constitutes agreement).
While the U.S. has been somewhat slower to enact data privacy protections for website visitors, lawmakers and U.S.-based tech companies are starting to catch up. GDPR has been followed by both legislative and corporate across the pond.
The first legislative action was taken in California, which passed the California Consumer Privacy Act (CCPA) in 2018. The law took effect in January 2020. Although California’s aim was similar to that of the EU, the CCPA has a couple points of distinction.
The CCPA targets larger websites and companies, which makes sense considering some of the world’s largest tech giants are based in Silicon Valley. The law specifically applies to companies that meet any of the following three criteria:
Small businesses that don’t meet any of these criteria need not worry about the CCPA at this point.
Something else that sets CCPA apart from its European counterpart is that it's an opt-out law. Whereas the GDPR requires visitors’ consent, the CCPA only requires that visitors are given the option to delete or modify how their data is used. While websites must make users aware of how data is used and allow for the deletion of personal information (without penalizing the visitor), actually asking for consent isn’t necessary.
The East Coast cousin of the CCPA, the Consumer Data Privacy Act was recently signed into law by Virginia’s governor. The law won’t go into full effect until January 2023, so we've all still got some time to prepare for the effects on advertisers.
Virginia’s CDPA grants Virginia residents certain data privacy protections, just as the CCPA and GDPR do for their residents. Virginia’s version is best understood by comparing it to these other two.
Virginia’s CDPA takes a more restrictive approach to defining what websites must comply with the law than California’s CCPA does. The CDPA doesn’t have a revenue requirement, so the number of accounts stored and the sales ratio are the only criteria that determine whether a business must comply.
Additionally, Virginia carved out commercial settings and employment where businesses collect personal information. While these settings generally fall under the CCPA’s requirements, the CDPA doesn’t require businesses to obtain consent in these situations.
When Virginia’s CDPA does apply to a situation, the law is more akin to the GDPR than the CCPA. Specifically, it’s an opt-in regulation where businesses must get website visitors’ consent. Again, the GDPR is also opt-in but California's CCPA is opt-out.
Apple is expected to roll out the next iOS update sometime this spring, and iOS 14 will bring a notable data privacy feature.
In iOS 14, a prominent App Tracking Transparency feature will make it easy for users to turn off cross-app tracking. Advertisers will still be able to track users within their own apps, but building a more comprehensive profile by compiling multiple apps’ data won’t be possible if a user takes advantage of this feature.
Turning off cross-app tracking is actually already a feature in iOS 13 (and previous versions), but users must go into Settings to do so. As digital advertisers know, making it more obvious and easier for users to take an action will result in many more of them doing it. A lot of devices will likely have cross-app tracking turned off soon after the update rolls out.
Google announced in 2020 that it would permanently remove third party cookies from Chrome. Mozilla Firefox and Safari have already done this, but Google’s action will be much more far-reaching because Chrome has approximately 2 billion active installs.
Google will still allow first party cookies, but third party ones will be gone for good. The effect of this will be much like iOS 14’s cross-app tracking feature. Digital advertisers will still be able to gather data via cookies from their own websites, but developing a more robust profile from multiple sites’ information will be much more difficult. Getting a fuller picture of consumers won't necessarily be impossible, though. Google itself may still compile data across websites as visitors use the company's browser.
These are currently the most notable changes in data privacy, but more will inevitably come in the future. We can't predict what will happen (unfortunately), but we do know advertisers will have to stay on their toes to figure out smart ways to keep reaching audiences.
Stay current with the changes, and always keep your digital advertising best practices updated so your advertising efforts perform without being totally compromised by updates from tech companies or lawmakers.