Data, Privacy & The Marketer’s Dilemma

Privacy concerns are growing due to continuous hacks and misuse of personal data. The Great Hack on Netflix is an eye-opening example of this practice and the shift in public perception. Governments around the world are responding with new regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Marketers, however, may find this rapidly evolving data privacy landscape difficult to navigate or, worse, detrimental to their bottom lines.


The GDPR applies to all companies and controllers that intend to use or sell data of EU citizens and residents. The data can only be captured in specific consent scenarios, which require explicit opt-in from users. More specifically, there can be no pre-checked boxes or “I Understand” single options. Penalties for violations are based on gross annual revenue: up to 4% or $20MM.

The CCPA applies to any company doing business in California that collects users’ personal data and satisfies at least one of the following thresholds:

  1. Has annual gross revenues in excess of $25 million;
  2. Buys, receives or sells the personal information of 50,000 or more users or households;
  3. Or, earns more than half of its annual revenue from selling users’ personal information.

Beyond cash transactions, “selling” data covers releasing it, making it available or transferring it for “valuable consideration.” The CCPA is an opt-out policy, meaning users can be tracked until they elect to opt out. The statute goes further than the GDPR by including “personal identifiers,” such as cookies. This means otherwise anonymous tracking by platforms like Google Analytics is being governed. Penalties are assessed on a per-infraction basis, anywhere between $2500 and $7500 if the infraction is deemed intentional.

What Marketers Need to Know about Data Privacy

  1. People support more regulation and don’t think their data is safe. According to Pew Research:
  • 64% support more regulation of advertisers.
  • 67% say current regulations are not good enough.
  • 50% do not think their data is in safe hands.
  • Only 9% are confident social media companies protect their data.

Companies that are perceived to be better at protecting customer data use it as a competitive advantage in their marketing efforts. Apple, a prime example, was among the first to limit data sharing on its platforms and leverage this fact as a competitive advantage in advertising.

  2. Privacy regulations aren’t going away. They’re expanding.

  • The GDPR, enacted in mid-2018, was the first significant legislation regulating digital privacy and many countries have followed suit since then.
  • In addition to the CCPA, Brazil enacted the Lei Geral de Proteção de Dados (LGPD) and Canada the Personal Information Protection and Electronic Documents Act (PIPEDA), along with other governments.
  • Other U.S. states plan to mirror CCPA and/or adopt federal legislation in the near future. 

What These Data Privacy Regulations Include

  1. Companies need more robust privacy and cookie policy disclosures, going so far as consent popups or links to opt in or out. The CCPA, for example, explicitly requires marketers to include links on their websites that say “Do Not Sell My Personal Information.” These lead users to more detailed information on how they can opt out.
  2. Expanded definitions of online identifiers. More than cookies, this includes IP addresses, geo-location, mobile device IDs and more.
  3. Further designation of “sensitive personal data,” including but not limited to race, political opinions, religion, union membership, health status, genetics, biometrics, gender, orientation and criminal record.
  4. Guidelines to follow when companies are allowed to collect data.
  5. Reporting on what data is collected, where it’s transferred, how it’s used and what vendors and service providers do with it. For example, is it sold or shared? 
  6. Users have explicit rights to access their data, as well as rights to verification, evaluation and deletion. Those who opt out cannot be discriminated against in terms of experience or pricing.

If Marketers Fail to Comply 

  1. Fines will be levied for not making disclosures clear.
  2. Fines will be levied for not ensuring vendor contracts comply with regulations.
  3. Data will be purged. 

Our Tips for GDPR & CCPA Compliance

  1. Consider data centralization, or a formal data management platform (DMP) with ongoing audits for compliance.
  2. Ensure you have solid, transparent partnerships with vendors and service providers that support the vetting process for data usage. Put data and tracking agreements in place.
  3. Remain diligent about tagging and tracking updates. 

Our Data Privacy Predictions for the Future

  1. Regulations will continue to expand on both state and federal levels.
  2. Marketers will see stricter enforcement of those regulations and fines for violations. Putting it candidly, the “grace period” is over. 
  3. Third-party cookies will be further limited, and marketers that continue to rely on them will do so at their own peril.
  4. First-party cookies might be limited, which could hinder basic website functionality.
  5. Data sharing restrictions may limit the personalization of advertising and user experience, possibly harming performance in turn.

Our Disclaimer

Talk to your lawyers about current legislation, how it might expand in the future and what it could mean for your marketing efforts. For assistance in implementing technical requirements as well as managing vendors and their use of data, contact us.