Can you comply and thrive amidst emerging data regulations?
The news lately is full of data breaches, and those from major corporations—and the tech giants—have thrust consumer data privacy into the political arena. The impact of these breaches has brought about much awareness and scrutiny over the commercial use of personal data. With the advertising industry still grappling with the General Data Protection Regulation (GDPR) in the EU, more regulations, such as the California Consumer Privacy Act (CCPA), are impending stateside. These well-intentioned, but often contradictory policies have created the perfect storm for industries like digital advertising, who rely on data for business.
The current legal landscape in a state of flux
Europe’s GDPR, implemented in May 2018, began a ripple effect for businesses around the globe. It has led many companies to withhold business in the region. Several landmark penalties have already been handed down. Since its enforcement, the Information Commissioner’s Office (ICO) has fined companies a total of $397M.
Adding fuel to the fire of data mishandling have been mishaps at several tech giants including Facebook, Google, Microsoft, and Amazon. All have had data breaches or their data has been misused or exposed. Commercial breaches by Experian and now CapitalOne have also exposed sensitive consumer data—not to mention breaches by smaller companies, which are even more vulnerable to hacks.
While there is agreement about the need to protect data privacy, the question of how is embroiled in deep debate, particularly as the consumer fallout from these breaches has yet to be fully understood. Consumer data is vulnerable; companies who require data to function and provide their services now must earn consumer trust (in addition to complying with regulations) in order to succeed.
Confusion and contradictions
In the United States, there is no overriding federal legislation that protects the data of individuals. All states have some form of data breach notification laws but they vary in what is covered or required. CCPA has made headlines for its data collection limitations and consumer involvement over how collected data on them is used. It’s been compared to GDPR and goes into effect in 2020. Although CCPA has garnered the most attention around state-specific regulations, Nevada has already passed legislation about how companies inform consumers of personal data collected.
At the federal level, Senator Brian Schatz (D-Hawaii), of the Senate Communications, Technology, Innovation, and the Internet Subcommittee introduced the Data Care Act last year which would require advertisers to protect consumer data in the same way the healthcare, legal, and financial industries are required to do.
Several significant advertising industry groups concerned about conflicting and contradictory aspects of regulations have joined the “Privacy for America” coalition. The coalition supports broader privacy rules, restrictions on certain data practices, new oversight protection and laws, increased rulemaking authority for the Federal Trade Commission, stronger data security protection, and penalties for violations. It is advocating to revise aspects of the CCPA referring to a requirement that non-identifiable text IDs be tied to a device, thus revealing personally identifiable information ((PII) data that may identify an individual).
Flawed intentions
A common misconception of the advertising community is that individuals are invasively tracked—almost spied on. Yet, the advertising industry largely relies on anonymous, unique device identifiers in serving and tracking ads. In mobile advertising these are called mobile ad identifiers (MAIDs). MAIDs don’t reveal PII and they can be refreshed or blocked by users, making them a safer form of identification.
While the intentions behind regulations to protect consumer data are valid, the logistics are flawed. One unintended consequence of some emerging regulations may be the collection of more sensitive consumer data than is currently tracked. For example, as noted by the Privacy for America coalition, in order to comply with a requirement to provide collected personal data to consumers who request it, adtech/martech companies would have to tie normally anonymous identifiers with personal information. To provide adequate services by individual preference, for a GPS service app, for example, apps may resort to requiring personal information if they cannot use anonymous device identifiers. This would put consumer data at a significantly higher risk for unintended exposure.
Another unintended consequence of limiting anonymous identifiers is it opens the door for attribution fraud. The use of probabilistic attribution (see iOS 14+ restrictions) makes devices and ad campaigns susceptible to fraud. It enables fraudulent entities to receive payment for their schemes which steals from advertising budgets and misinforms business decisions. If a fraudulent entity hijacks a phone, it can affect that consumer’s battery and cellular data.
Comply and thrive
While the ways of collecting consumer data are changing, businesses can be proactive about compliance. Advertisers can begin implementing transparency by being clear about the information being collected, how it will be used and protected, even while best practices are yet to be determined.
Because advertising has taken a beating in the public eye, it’s important to prove trustworthiness. Advertisers have access to an incredible amount of consumer data. Providing transparency by using discretion with sensitive information, having safeguards, being upfront and clear about the data being collected, and obtaining adequate consent are all prudent steps advertisers can take.
If your company hasn’t needed to implement GDPR regulations, using them as a guideline is a good foundation in preparing for US state/federal regulations. Much of the focus is in obtaining proper user consent and being clear about permissions. Marketers will also need to consider how to comply with opt-in (where users agree to have their data sold, as with GDPR) versus opt-out (where users must tell businesses not to sell their personal data, as with CCPA) regulations. It may be wise to avoid blanket consent requests, such as a laundry list of user permissions to install an app, because it leaves the data vulnerable to misuse.
Become more strategic
There will be growing pains as more regulations are confirmed, but look for the silver lining, too—reevaluating what and how you collect data may make you more strategic and efficient. Advertisers should consider what data they collect and why. By eliminating what you don’t need, you’ll reduce risks for privacy violations and data bloat. If you’re an advertiser who uses data to enhance the user experience, be conscientious of the data needed to make that happen. Considering the data you collect internally may also eliminate the need for third-party vendors or at least allow you to become more selective about whom you work with.
With GDPR, most of the advertising industry is already navigating the uncharted waters of data regulations while governing entities work to protect misuse of personal data. Considering data consolidation and working with fewer vendors may aid in preparing for stricter limitations on data collection. Upcoming and emerging policies will no doubt impact businesses, but being mindful of what data is needed for marketing will make everyone more efficient.
Grant Simmons – Head of Client Analytics
Kochava