Privacy. This is a word that’s likely to elicit different reactions from consumers versus those of us who work in marketing.
For marketers who live in Europe, the last eight years or so have been spent trying to wrap our heads around different pieces of privacy-focused legislation and how to best be compliant.
Our cousins in America have watched this process with feelings ranging from relief, to bemusement, to mild envy.
For all the change we’ve seen so far, 2020 is going to be the year where we see the biggest shifts yet.
It’s likely to have a profound impact on anyone who works in marketing, but particularly on those of us who work in paid media – regardless of which side of the Atlantic you live on.
So what’s going on?
Let’s take a quick look at what’s covered by GDPR and the upcoming e-Privacy Regulation, which affect Europe, but also take a look at the California Consumer Privacy Act and how this is likely to affect our industry.
The General Data Protection Regulation (GDPR) came into force in May 2018. In a nutshell, it covers how we collect, store and use personal data.
If you’re a company based within the European Economic Area (which covers slightly more countries than are in the European Union), or you’re based outside the EEA and ever process the personal data of someone who lives in the EEA, then it applies to you.
It covers personally identifiable information – anything that relates to an identifiable individual and could be used to trace or distinguish them – such as:
- Social security number.
- Date and place of birth.
- Biometric data.
- Education history.
- Anything financial, medical or employment-based.
In the EU, it also includes your IP address.
As scary as GDPR has been, there’s something even scarier on the horizon – the e-Privacy Regulation (ePR).
ePR is significantly more impactful when it comes to digital.
The last time regulation specific to the Internet was put in place was 2003, and the online world has changed so much in the last 17 years.
ePR will apply to your business if you use online tracking tech, engage in electronic direct marketing, or provide online communication services.
It also expands the definition of PII to include anything that can identify an entity online – including cookies and metadata.
The good news for those State-side is that the California Consumer Privacy Act (CCPA) is much closer in scope to GDPR than it is to ePR (lotta Rs in that sentence) when it comes to what it counts as personal data.
It applies to your business if you’re based in California and it meets at least one of the following:
- Has annual gross revenues in excess of $25 million.
- Buys or sells the personal information of 50,000 or more consumers or households.
- Or earns more than half of its annual revenue from selling consumers’ personal information.
If you’re one of the companies covered, here are some of the things you’ll have to do to comply (I cheated and copy-pasted this for legal ease!):
- Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes
- “Do Not Sell My Personal Information” link on the home page of the website of the business, that will direct users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information
- Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number
- Update privacy policies with newly required information, including a description of California residents’ rights
- Avoid requesting opt-in consent for 12 months after a California resident opts out
So, it’s similar to GDPR, but also more specific when it comes to handling the sale of data.
Check and see if it will apply to you and what work you’d need to do in order to become compliant.
What Does This Mean?
Ultimately, the key thing that both of these pieces of legislation cover is the ways we track users that aren’t personally identifiable.
GDPR in Europe generally applied to information that could be used to pinpoint someone based on their real-life identity – so anything that would help a company keep track of me, Arianne Donoghue.
What it didn’t cover, and is now going to be covered, is anything that tracks me as an entity online.
To many data and tracking services, I won’t be known by my real identity – but they’ll have a user ID that identifies this 35-44-year-old woman who lives in the north of England, loves cats, and spends far too long browsing Wholesome Memes on Reddit.
They’ll know almost everything about me – except who I actually am, but they don’t need to.
If you have a Google account it’s always worth taking a look at the Ads Preferences and information Google has stored on you. It highlights how well services are able to profile us without knowing who we are.