You’ve probably had to think more about data privacy in the last year than ever before, as Apple rolled out more iOS updates and the effects of new data restrictions started to impact platform capabilities and performance measurements across platforms like Facebook and Google.
But it ain’t over yet: 2022 must be, in many ways, the year of compliance for brands, because major state legislation is about to go into effect and a slew of additional bills are winding their way through legislatures across the country.
If you don’t make data privacy compliance a priority now, you are going to be hit hard once these laws are in play: performance will suffer, and you open your business up to potentially massive fines. It’s time to get ahead of the problem.
Before we get started, one thing we need to note: the following recommendations, opinions, and predictions do not constitute legal advice. Please consult your legal department for specific guidance around data privacy compliance for your business.
Let’s start with a general overview of what’s coming on the legislative front, and what you need to do to prepare.
When data privacy compliance gets complicated: what to know about upcoming state legislation
In 2022, new privacy legislation at the state level will be going into effect in California, Colorado, and Virginia, while other states including Florida, New York, Utah, and Washington have active privacy bills in play.
The number of state privacy legislation bills introduced since 2018 makes it clear that states are getting increasingly serious about data privacy:
- 2018: 2 bills were introduced from 2 states
- 2019: 16 bills were introduced from 13 states
- 2020: 25 bills were introduced from 16 states
- 2021: 29 bills were introduced from 23 states
These bills and laws are all different, and it’s important to note that if your business is active in a particular state, you need to get into the nitty gritty with your legal department to ensure your marketing is compliant. As marketers know only too well from the initial implementation of GDPR in Europe and CCPA in California, it’s not always a smooth ride. The initial laws aren’t always clear about what practices are still allowed and what compliance actually looks like.
Case in point: the California Consumer Privacy Act (CCPA). The most prominent and strictest privacy legislation in the US left so many questions unanswered around Personally Identifiable Information (PII) and data collection that lawmakers passed the California Privacy Rights Act (CPRA). That new law expanded and clarified CCPA and will become enforceable in 2023.
The CPRA changes include strengthening the limits on data sharing and more detail on how marketers can use what the law defines as potentially sensitive personal information, including:
- Genetic data
- Private communications
- Sexual orientation
- Health information
The Virginia Consumer Data Protection Act (VCDPA) gives Virginia consumers the ability to access and control personal data that businesses collect about them. Consumers would have the right to submit a request to access, correct any inaccurate information and delete personal data a business has obtained from them. It also gives consumers the right to opt out of targeted advertising. The law goes into effect on January 1, 2023.
Similar to the VCDPA, the Colorado Privacy Act (CPA) gives consumers the right to access, correct, or delete personal data. It also gives consumers the right to opt out of targeted advertising. The CPA goes into effect on July 1, 2023.
Work with your legal team to define compliance according to the specific state laws going into effect where your business operates. Take note of what will need to change in your strategy, gaps in technology or other solutions to mitigate impact, and identify potential grey areas that might not be fully clear until the law goes into effect.
It’s also worth taking a look at other bills on the table to get a sense of where legislators are focusing their efforts and what you can proactively do now to prepare for the likelihood of additional legislation.
Federal data privacy legislation is on the backburner, but it gives us some clues for the future
It’s unlikely that we will see any federal privacy legislation pass in 2022, but that doesn’t mean you should adopt an “out of sight, out of mind” attitude because it’s still very much part of the conversation. Those preliminary communications can give us some idea of what Congress might produce in the future.
In early 2022, lawmakers introduced ‘The Banning Surveillance Advertising Act’ which seeks to prohibit advertisers from targeting ads based on personal data such as race, gender, and religion. The bill does allow for broad location targeting and advertisers would be able to upload their first-party customer lists to marketing platforms, but marketing platform data could not be combined with the advertiser’s data.
“The ‘surveillance advertising’ business model is premised on the unseemly collection and hoarding of personal data to enable ad targeting. This pernicious practice allows online platforms to chase user engagement at great cost to our society, and it fuels disinformation, discrimination, voter suppression, privacy abuses, and so many other harms. The surveillance advertising business model is broken.”
— Congresswoman Anna G. Eshoo (D-CA)
But you shouldn’t write this off as an existential threat. The language in this bill announcement shows legitimate concern for consumer data privacy, indicating it’s on the radar of the top lawmakers.
Get a data privacy compliant marketing strategy in place before legislation goes into effect—or face the consequences
If it wasn’t clear, getting ahead of the curve with privacy compliance is non-negotiable for your business. There are two major ways to start preparing for new laws restricting your ability to target specific audiences to ensure your marketing is abiding by the law and your performance won’t suffer.
Digital marketers have long relied on third-party data to serve ads to the right customers, but those capabilities are quickly diminishing in light of both legislation and platform data restrictions. We call this concept identity: how marketers use personally identifiable information (PII) and other signals to create audiences, target campaigns, and more.
In this new privacy-compliant world, you need an alternative to third-party cookie-driven identity tactics. That’s where first-party data comes in. First-party data is information your brand owns that has been consensually shared by users either passively (like an IP address) or actively (like a form submission on your site).
Strategies powered by first-party data are a powerful alternative to the old way of doing things, and provide a path to personalization and targeted advertising that is more likely to be compliant with legislation. But in our survey of marketing executives in late 2021, only 21% reported that first-party data collection will be a top budget item in the year ahead.
That’s a serious problem, and indicates privacy compliance may not be top of mind for many marketers. But you don’t need to make that mistake. If your competitors are making it, you have a chance to gain a serious advantage in the near future.
The key here is that you need to invest in campaigns and tools to earn that first-party data from your customers. Building interactive experiences, creating exclusive content, or offering discounts or promotions in exchange for information are all major components of a strong data collection strategy. It’s not enough to rely on information captured at the purchase point at the very bottom of the funnel; you need to proactively build relationships with your audiences at every stage.
Source: Boston Consulting Group
Those campaigns should be focused on the goal of earning access to that data, not as a secondary purpose, but as their primary reason for existing. First-party data collection is not where you can take shortcuts; it takes concerted and focused effort to connect and engage with consumers and build trust over time. And volume of data is crucial here: without enough data, you’re not going to be able to personalize campaigns and serve relevant content as effectively.
You’ll also need to explore and assess if the technology and processes you have in place are sufficient, particularly when it comes to your CDP. Work with your team to audit what you already have and identify gaps to address to ensure you’re ready to execute on first-party data collection campaigns and can use that data once you have it.
Another key component of both data privacy compliance and earning your customers’ trust is transparency. When it comes to data privacy, consumers want to understand how their data is being used and have a degree of control over what information advertisers can access and what they can do with it.
Much of the legislation under consideration includes requirements to provide consumers with more information and more choices about data usage, so making transparency a pillar of your brand seems like an easy and necessary decision if you want to be fully prepared for the future.
You can get started by:
- Working with your team to figure out how you’re going to be using customer data in your marketing and beyond.
- Explaining what data you’re collecting and how you’re going to use it.
- Describing the benefits consumers will receive, from more personalized and relevant content to a better user experience. Get specific for your customers who want to dig into the details!
- Posting the information on your website and anywhere else you’re going to be utilizing customer data to deliver ads.