What’s new in Data Privacy law and its effect on marketing analytics
Privacy & Analytics in 2021 Series–Part 1
This month, One North is putting out a content series on Data Privacy and Analytics that focuses on changes in guidelines and regulations, their effects on digital analytics and new ideas for maintaining compliance while still getting valuable information to better serve your audience. This is the first post in the series.
Note: we are not lawyers, and the below article is not legal advice. Questions on how to help your website comply should be handled by a risk team.
Early last year, US Marketers were bracing for a new challenge that was sure to define 2020.
I am talking, of course, about data privacy, with the passage of the California Consumer Privacy Act that went into effect on January 1, 2020.
Obviously, the immense challenges businesses faced amid the pandemic response made focusing a response on the new regulations difficult. But throughout the last year, more governments across the world have formalized requirements for how businesses can collect data from visitors on their digital products.
What’s New in Data Privacy Law
- Virginia is the first state since California in 2020 to enact a Data Privacy law, the Consumer Data Protection Act (“CDPA”). It borrows much of the language of CCPA but is less strict on liability.
- The EU Council is in discussion on an update to 2002’s ePrivacy Regulation (“ePR”) which may simplify compliance on websites by allowing websites to use the browser settings set by users as the users’ consent.
The multiple sets of regulations for users from different territories can be a headache for websites, which can serve audiences easily from all over the world on any given day.
But with CCPA and CDPA in the US, clarity has emerged on how the two huge markets of the EU and US are expecting consumer privacy to be handled. See this great interactive graphic from Varonis for an easy comparison.
- Duty to report data breaches to Consumers/Individuals
- Must provide transparency to Consumers/Individuals on how their data is collected and used
- Requires greater security of consumer/user data
- Gives consumers the right to access and right to delete data
- Definitions of what personal information is have begun to merge with additional guidance from European bodies despite different explicit definitions, where any data that can be directly or indirectly identified to a user, including persistent IDs or data that can be used to profile a single user/household, fall under personal information
United States Laws (CCPA and CDPA)
- Requires Opt-out options for consumers/users (analytics can be measured unless the consumer/user explicitly says no)
- Higher, less strict thresholds for what types of websites/businesses must comply
- Not concerned with de-identified and aggregated data. Even though it has broader views of Personal Information in CCPA, if the data is anonymized and aggregated so that no user profile could be created with it, it would not need to be included on customer requests
European Laws (GDPR)
- Requires Opt-In options, and only cookies deemed required for site functionality may be set before consent is acquired (analytics cannot be measured with cookies unless the consumer/user has explicitly opted in)
- Broader, more strict definition on who must comply, requiring any data controller or data processor with data on EU consumers to comply
- Provides consumers the right to data portability and data rectification
When it comes to something like Google Analytics, opt-in vs. opt-out has huge ramifications for traffic collection. But things may be getting easier on that front. There are still moving pieces on this in both the EU and US.
Europe and UK
The European Union’s introduction of the General Data Privacy Regulations (GDPR) in 2018 was a monumental first step in standardizing what rights its digital audience had with its own data, how data must be stored and maintained, and communicated (for a rundown on what was included in GDPR, see One North’s coverage here).
Its timing was perfect, coming on the heels of an endless string of data breaches exposing personal information consumers didn’t even know they had provided.
After it went into effect, cookie policies popped up across the bottom of websites everywhere. Data storage was organized to allow users to request access or deletion of their data. But for the most common interpretations, aside from restricting user data being sent to third party ad partners like Google Ads without opt-in, web analytics largely went on as usual.
A post from Blastanalytics in 2018 summed up this common position:
“Unless you are in the camp of the most stringent interpretation of GDPR (specifically where any online identifier cookie, such as the GA Client ID, requires consent), then there is a method to consider. You can collect data in Google Analytics for your entire audience and then once opted in, expand your data collection as appropriate to include User ID and/or Remarketing data.”
Since then, the guidance has continually been updated through court rulings and new guidance from other entities.
An excellent summary on law firm Hogan Lovells’ website gives a rundown of the new guidance. Some key updates are sampled below:
- “Implied consent is also no-go. Statements such as ‘by continuing to use this website you are agreeing to cookies’ should not be used as they do not meet the requirements for valid consent required by the GDPR. Pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies. Users must have control over any non-essential cookies and they must not be set on landing pages before consent is obtained.”
- “Website operators should not pre-enable any non-essential cookies. The ICO’s view is that just because users may be unlikely to select a particular non-essential cookie when given the choice, or because the cookie is not privacy intrusive, this is not a valid reason to pre-enable it. Enabling a non-essential cookie without the user taking a positive action before it is set on their device does not represent valid consent. By doing this, the website operator is taking the choice away from the user.”
- “Advertising and analytics cookies are not ‘strictly necessary’ and so do not fall outside the cookie consent rules. While advertising cookies may be crucial in the eyes of a website or mobile app operator as they bring in revenue to fund the service, they are not ‘strictly necessary’ from the point of view of the website user and hence, the law.”
The last bolded bullet is a doozy. Previously, many focused on just advertising third-party cookies but did not worry about the first-party cookie collection of a tool like Google Analytics, where the data is largely anonymized after setting policy settings.
But moving to strict opt-in, where most users just ignore the pop-up, has led to steep decreases in reported traffic. According to VideoWeek’s Tim Cross, “ the ICO says that after implementing its own best practices, it has seen a ninety percent drop in traffic measurable via analytics, implying a ninety percent drop in opt-in rates.”
New ePR in discussion in EU
This new legislation is worth tracking. Among other things, this may ease the burden of compliance on individual websites by allowing the settings configured by users on their individual browsers to define their cookie consent on the websites.
Later in this series, we will cover the evolution of browser policies that give greater control to users over tracking (cookies after all, are actually set on the user’s browser). Greater privacy has become a tit-for-tat across major browsers such as Safari, Chrome, Firefox and more as they increasingly see privacy and not just speed as a differentiator.
Even for companies located outside of the EU, the size of that market and difficulty of multiple standards kicked off a new era of compliance and was seen as only a matter of time before more states put in place regulations of their own.
In the United States, the passage of the CCPA was given a lot of attention, rightly, due to California’s population and the expectation that it could be used as a model for a Federal law. Sure enough, since its passage on 1/1/2020, many states have begun drafting and voting on laws, including Massachusetts and New York. Just last month, Virginia passed the Consumer Data Protection act into law.
While the similarities in how the US is handling privacy were listed out prior, there are meaningful differences in Virginia and California that a federal law could help in consolidating.
One is what triggers compliance for the law. Virginia’s law sets thresholds based on number of annual visitors and does not include a revenue threshold. Both, however, are generally aimed at regulating firms that monetize and sell consumer data, rather than those that are collecting it just for marketing purposes.
Keep coming back throughout the month, during which, we will continue to dive deeper into this topic. Future posts will explore:
- Ways to still get analytics without cookies
- The browser wars–how changes in browsers are affecting data tracking and privacy
- Is the era of free data analytics over?
Photo Credit: Aron Van de Pol | Unsplash
As Associate Director, Data Strategy at One North, Ben supports clients by applying a strong data focus to marketing initiatives across channels and tools. He starts by gaining an understanding of each client’s unique goals and tactics, and guides them toward a strategic analytics program. He focuses on the creation of a meaningful feedback loop to help support and steer decision-making.
Favorite vending machine snack: Snickers
Most embarrassing moment: Accidentally walking into the same section of the revolving door with the restaurant hostess as she led us to the patio.