U.S. Data Privacy Regulations: How current privacy laws impact your brand’s data management practices

Data privacy laws and regulations took center stage within the digital marketing community three years ago when the General Data Protection Regulation (GDPR) went into effect on May 25, 2018. While the legislation was introduced in Europe, it sent waves throughout the global marketing industry, signaling major shifts to come in terms of consumer data collection and management practices. Within two years of GDPR, California enacted its own regulations when it passed the California Consumer Privacy Act (CCPA).

Since the California Privacy Rights Act (CCPA) went into effect in January, 2020, 14 more states have introduced similar consumer privacy bills, forcing brands to rethink how they capture and maintain customer data.

In a very short amount of time, fourteen more states now have introduced consumer privacy regulations, pointing to the growing need for brands to prioritize customer data management practices to better target their audiences and personalize their marketing messaging. As more state-level regulations are introduced, and major platforms like Apple and Google further user privacy initiatives, the effectiveness of third-party cookies will continue to diminish — underscoring the need for marketers to adopt zero-party data solutions.

Because zero-party data is 100% consent-based, it does not conflict with consumer data privacy legislation measures. Instead of relying on sparse, and often inaccurate, data from third-party data solutions, zero-party data gives brands a more accurate, privacy-friendly view of the consumer based on information the individual willingly shares.

Consumer Data Privacy Laws: A quick history

Consumer data privacy laws are far from new. Nearly 50 years ago, the U.S. enacted the Privacy Act of 1974 which established a “Code of Fair Information Practices,” mandating how  federal agencies collected, maintained, used and disseminated individuals’ personally identifiable information. The evolution of the digital ecosystem, and subsequent proliferation of third-party cookies to track consumers as they moved across the internet, opened the floodgates to consumer data and heightened the need for legislation that protected consumer privacy.

The introduction of the EU’s GDPR was a key moment in consumer data privacy efforts, holding businesses responsible when it came to how they collected, managed and used consumer data online. Because the announcement of GDPR coincided with Facebook’s Cambridge Analytica data scandal (a consulting firm that harvested the data of millions of Facebook users via the social platform), consumer data practices became a hot topic around the globe, requiring brands to reconsider how they were using consumer data to connect with their audiences.

California’s legislation, CCPA, ushered in a new wave of reform when it went into effect in January, 2020, marking the first legislation of its kind in the U.S. The state now has a new consumer privacy bill that will go into effect in 2023: The Consumer Privacy Rights Act (CPRA). According to the International Association of Privacy Professionals (IAPP), this new data privacy legislation will amend language within CCPA. Virginia has also introduced its own Consumer Data Protection Act (VCDPA) which is scheduled to go into effect the same year as CPRA.

Consumer Data Privacy Laws: What’s in effect and what’s coming

General Data Protection Regulation (GDPR)

GDPR was enacted by the European Union (EU) on May 25, 2018 and aims to protect the personal data of consumers within the European Economic Area (EEA) and regulate data collection practices of companies that collect, store or process consumer data. While it is an EU regulation, it applies to any companies that conduct business in Europe. (You can find a more detailed overview of GDPR here: “Getting Ready for GDPR with Wyng”)

California Consumer Privacy Act (CCPA)

CCPA went into effect in January of 2020, requiring companies that conduct business with California citizens and earn $25 million or more in annual revenue — even if the company has no physical presence in California — to be transparent about their data collection and management practices. It also granted new rights to consumers, giving them more control over who has access to their data and how it is used. (You can find a more detailed overview of CCPA here: “Getting Ready for CCPA with Wyng”)

California Privacy Rights Act (CPRA)

CPRA was first introduced in 2020 and is scheduled to go into effect in January, 2023. This legislation will likely replace the existing CCPA and establish a much, “broader set of privacy rights and obligations than the CCPA,” according to IAPP, such as creating a new set of provisions for organizations managing sensitive data; new restrictions around automated decision-making and profiling, and more. It would also create the first U.S. privacy agency: The California Privacy Protection Agency.

Virginia Consumer Data Protection Act (VCDPA)

VCDPA was signed into law this year and will go into effect January, 2023. According to IAPP, the legislation “flew” through the Virginia Legislature and closely resembles laws that are being considered in Colorado, Connecticut and Minnesota. IAPP reports that Virginia’s Consumer Data Protection Act includes several new requirements not found in CCPA or CPRA, and comes with simpler definitions, “That have significant operational implications.”

While California and Virginia are the only states that have passed consumer privacy acts, more are coming. Florida currently has two privacy protection acts that are in committee, one of which JDSupra.com reports, “would be the most aggressive privacy law in the country.” A number of other states currently have data privacy regulations in committee as well, including: Alabama, Alaska, Arizona, Connecticut, Illinois, Minnesota, New Jersey, New York and Washington.

How data privacy laws impact brands

For brands aiming to build deeper relationships with their audiences, the coming consumer data privacy legislation can look like a minefield. Each state-level law comes with its own legalese and level of security measures. Enterprise corporations, and even brands that market to consumers across states, must abide by each state’s legislation, creating a labyrinth of laws that dictate not only the information brands are able to collect on their customers, but how they use that information to market to audiences and build their business.

Third-party data platforms that once upon a time powered ad targeting capabilities are already seeing the impact of consumer privacy regulations.

“B2C marketers’ most pressing top-of-mind issue is how data deprecation will impact targeting, measurement, personalization, and digital media buying,” wrote Forrester Principal Analyst Tina Moffett last August, “Here is the cold, hard truth: Google’s intention to deprecate the third-party cookie will drastically impact modern marketing. And data management platform (DMP) core capabilities of audience creation, targeting, and syndication will be obsolete unless DMPs evolve to meet current data restrictions.”

A McKinsey & Company report from 2019 emphasizes the risk brands are taking when it comes to collecting, holding, and using consumer data to personalize offerings.

“Getting the security and privacy of personalization wrong can slow time to market for new applications, constrain remarketing and consumer-data collection, result in significant fines, or—worse—cause material harm to brand reputation through negative consumer experience,” according to McKinsey.

In addition to the diminishing capabilities of third-party cookies, Google and Apple both are adopting aggressive privacy measures. TechCrunch reported in January that Apple’s IDFA (identifier for advertisers) will require app developers to ask users for permission to track and share their IDFA for cross-property ad targeting purposes. Google announced in March it will not create or use any technology that identifies individual users for advertising purposes, “A move that could upend the digital advertising industry,” reports Business Insider.

Zero-Party Data: The answer to data deprecation challenges

“A profound and abrupt shift is coming for everyone who uses the internet,” reported McKinsey in April of this year, “By 2022, regulations designed to protect consumer privacy—particularly the California Consumer Privacy Act—and major technology companies will require users’ explicit permission to share and use data generated from digital interactions.”

The growing list of data privacy regulations combined with the depreciation of consumer data by major technology platforms like Apple and Google will significantly impact the advertising industry. For brands, the challenge becomes even greater when you consider the fact that more than 50% of the 15,000 consumers Salesforce surveyed for its State of the Connected Customer report expect advertisers to personalize their messaging and offerings.

So how do brands avoid the pitfalls of data privacy regulations and overcome the lack of third-party cookie data: Zero-party data (ZPD). A ZPD solution delivers consent-based personal context data that is provided by customers intentionally and proactively. Unlike any other data solution, ZPD adds an entirely new level of trust between the brand and the consumer. Because consumers provide their information willingly via fully transparent methods, brands are able to deliver welcome experiences that are personalized, relevant and compliant.

“ZPD gives brands a unique opportunity to not only learn more about a customer, but also fold that customer’s input directly into her immediate and long-term experience,” according to a 2020 Forrester report.

A leading provider of zero-party data solutions, Wyng has been on the cutting-edge of privacy-first technology platforms for more than a decade. Just recently, we introduced two industry first ZPD solutions: Wyng Profiles and Wyng Moments, both developed to help brands expand their zero-party data capabilities.

If your team is searching for new ways to reduce its reliance on third-party cookies and is interested in learning more about ZPD, be sure to read our recent series on personalization: “The Future of Personalization is Privacy First” and “How to Source Zero-Party Data.” The series serves as an introduction to zero-party data and how it can be leveraged to improve your marketing and advertising efforts.

Summary of links: 

About Wyng

Wyng is the world’s leading privacy-first personalization platform. Built on a zero-party data API and privacy by design principles, Wyng makes it easy for marketers to deliver customer experiences that are always welcome, relevant, and compliant. More than 250 brands and enterprises use Wyng to build deep, trusted relationships with their customers. To learn more, visit https://wyng.com.

Related Posts

Experience Highlight: CHANDON Garden Spritz

CHANDON’s Garden Spritz experience is a beautifully designed spin-to-win used to promote their aperitif while turning offline event engagement into online opt-ins. About CHANDON CHANDON

Subscribe to Our Newsletter

We will use this information to contact you and provide any content requested. See our Privacy Policy to unsubscribe or withdraw consent.