The Capital One breach in 2019 was yet another incident in a long string of high-profile breaches that continue to plague companies that collect or store data online. Privacy advocates have spent years pushing for changes to online advertising and data storage because of incidents like this one. Some countries and companies have finally begun making strides in the direction of protecting consumer data, but digital advertising may be the biggest casualty of these new rules.
So what changes have already been made and what changes are being proposed?
Governments have begun to crack down on data collection due to the costly and problematic data breaches that have occurred with regularity in the past few years.
General Data Protection Regulation (GDPR)
You’ve probably heard about GDPR. It’s the data privacy act that was passed by the European Union and went into effect in 2018. This act changes the rules around data storage, requires an opt-out for data collection, and implements significant fines for companies that fail to protect against data breaches, among other things.
Well-known companies like Marriott and British Airways have already faced fines due to their failure to comply with GDPR rules, and more fines are likely on the way for Google, Facebook, and other big companies that attempt to protect consumer data without losing valuable advertising information.
Plus, further updates to GDPR have already been proposed. Over the next few years, companies will likely need to make even more changes to their data policies and informed consent in order to continue digital advertising campaigns in this region.
California Consumer Privacy Act (CCPA)
While GDPR exploded onto the scene, CCPA has been quietly pushed through the California legislature—despite serious opposition from major companies. With similar goals to GDPR, the aim of CCPA is to give control of data back to individual users. Though its impact may be less significant based on the number of people affected, it nevertheless has the potential to cause sweeping changes for any US business.
Because businesses will have to comply if they want to do business in California, it is essential for all companies to know what is changing and when.
Here are the important details:
- The act is officially effective as of January 1, 2020.
- The act states that consumers have the right to understand what data is being collected about their online behavior and whether a company will sell or share it.
- Additionally, consumers need to be able to opt out of having their information sold, be able to access this information if necessary, and have the ability to request that their data be deleted.
- CCPA applies to businesses that operate in California and meet certain thresholds, including gross revenue in excess of $25 million or earning more than half of their revenue from selling consumer data.
This act currently only affects businesses operating in California, but that will indirectly include most companies that operate in the US. CCPA may also be adopted by other states or the federal government over time, if proven successful. Ensuring your compliance now may save further headaches later on.
Because of both frequent breaches and governments beginning to create oversight, some businesses have begun implementing changes themselves in order to gain consumer goodwill and stay ahead of new regulations. This is especially true of the advertising duopoly (namely, Facebook and Google).
From recent lawsuits against developers committing ad fraud to new privacy filters for consumer data, Facebook has been trying to direct the narrative away from their previous Cambridge Analytica scandal. As part of this effort, a new tool they have announced will allow consumers to “disconnect” data that is not collected directly from Facebook.
However, there are a few drawbacks. First, it can take days for the data to be removed from a person’s account. Second, the data won’t be deleted, but instead merely separated from the account. This means that the data still exists, it just won’t link directly to the consumer. And lastly, there’s no way of knowing when the tool will be available, since it was blocked by a court order to aid in a civil case against Facebook.
For now, this means that advertisers have no way of knowing when and how their campaigns will be affected by people choosing to opt out of targeting data.
Much like Facebook, Google is also trying to get ahead of the narrative by creating their own tools for handling data. Google claims to be cracking down on device fingerprinting and other opaque tracking methods, but they still support cookies and are also disabling features of many ad-blockers. In 2019, they removed the DoubleClick IDs feature (which helped with cross-device tracking) from their advertising offerings.
Because Google has not announced all of their initiatives yet, it will be important for advertisers to pay attention as new changes are announced. It’s likely that nearly every advertising campaign will be affected by any changes Google makes, since they are the leading digital advertising seller and own the most popular web browser in the world.
All three of these companies have begun adding more privacy features to their browsers, making it easier for consumers to avoid intrusive advertising and excessive data collection. New features like cookie transparency, tracking blockers, and ad consent are being added to several browsers. As these companies offer more privacy, Google and Facebook will be pushed to offer more privacy features as well.
More and more companies are changing how they handle data in general. Most companies now have disclaimers that explain cookie use and data-tracking on their websites. Many use two-factor authentication for user accounts and lock down personal data. Others have created more inclusive terms of service that explain how data is used, what data is shared or purchased, and more.
While all of these are steps in the right direction, the numerous data breaches in past years have flooded the web with our personal, health, and financial data. Online fraud has become a significant problem, and more companies will need to step up before substantial changes occur.
Potential Effects of Changes
The real effects of all these changes will not be fully known for a long time. However, some ripples are already noticeable, and we’ll likely continue to see changes as more regulations and policies become privacy-oriented.
Obviously, the biggest effects of data regulations will be seen in digital advertising. As companies, governments, and consumers fight over how to balance privacy and business needs, digital advertising is situated at the heart of the debate. Initially, we will likely see a rollback in micro-targeted advertising as discussions around informed consent continue. Will this last? Maybe. Maybe not.
For a while, advertisers will simply need to roll with the changes. If you have a strong brand strategy that can work around these changes, you’ll be in an even better position to come out strong no matter the resolution of these debates. In the meantime, be prepared for a lot of changes—this fight is just getting started.
While ecommerce itself won’t see the direct effects of these data regulation and policy changes, the ripples of change will reach this industry as well. We can already see it happening with the new Strong Customer Authentication (SCA) requirements in PSD2. As more data is readily available on the internet, more protections for people online are sure to be enacted.
We’re also seeing a crackdown on companies that have data leaks. Ensuring that your customer data stays secure will be essential moving forward. Unfortunately, data is the lifeblood of most online businesses and it’s impossible to eliminate the need for data altogether. Trying to balance keeping only necessary, secure information with providing a customized, positive customer experience may be difficult. This will be another area where being flexible is going to be key to future success.