First things first: Happy Data Privacy Day 2023! We hope you consent to having some fun this year!
As we celebrate Data Privacy Day 2023, there is no shortage of news happening in the privacy world. From large fines (although not large enough according to some) being levied in Europe to new privacy legislation being introduced in state chambers across the United States, it is hard as a marketing professional to differentiate the signal from the noise. Here we outline the three main happenings in the world of privacy to keep an eye on in 2023.
U.S. Privacy Regulations
2023 is the year of privacy in the United States. At the state level:
- California’s updated CPRA requirements became effective January 1, 2023
- Virginia’s CDPA became effective January 1, 2023
- California’s new rules from the CPPA regulatory board are expected to be in place by mid-spring
- Colorado’s CPA becomes effective July 1, 2023
- Connecticut’s CDPA becomes effective July 1, 2023
- Utah’s CPA becomes effective December 31, 2023
- Seven additional states have active privacy bills in discussion
Meanwhile, a greater emphasis is being placed on the need for cohesive privacy legislation, with the American Data Privacy and Protection Act sitting in Congress and President Joe Biden calling for federal legislation in an op-ed published in the Wall Street Journal in January.
This fragmented state of privacy in the United States can lead to tons of operational confusion—where to even begin? The important thing to understand is that privacy requirements are no longer a “European problem”—it’s time to take all of your consumers’ privacy seriously regardless of where your business is located.
To begin with, there are some consistent themes across the current U.S. state regulations that can be used as a foundation for your operational plans. We covered these in our U.S. State Privacy Regulation Roundup at the end of 2022. To start, focus on the requirements for transparency, opt-out rights, and access/deletion rights. The precursor to all of this is understanding what data is collected, how it is used, and where it flows. If you haven’t already, it’s high time for an audit of the marketing and analytics data practices at your organization.
Fallout from Irish DPC/EDPB Decision on Meta
While the year opened with new privacy regulations in the United States, it also kicked off with large GDPR enforcement decisions against Meta—390 million Euros for violations on Facebook and Instagram and 5.5 million Euros for violations on WhatsApp. While you may be thinking “well of course Meta is being targeted for privacy violations,” it’s important to note the key findings and ensure your company won’t be next. Many insights can be found in the EDPB’s binding decision regarding the cases in question, but three big takeaways are critical to understand and apply to your organization:
1. Make sure you have a valid lawful basis of processing for actions being taken with personal data
Central to the decision against Meta was the question of the lawful basis for processing users’ personal data for the purpose of behavioral advertising. Meta included this condition within the terms of service required to access and use the platform, relying on “contractual necessity” as the lawful basis for processing the data. The authorities found that advertising was not the core function of the service so it was not contractually necessary to process data in this way to provide the service to the user. Therefore, the processing of users’ personal data was found to be unlawful under GDPR.
The key takeaway here is that you must ensure you have a valid lawful basis for all processing activities involving personal data. Be specific about what data is being collected and for what purpose. Ensure that for each of those identified purposes you have a valid lawful basis. As a quick refresher, there are six lawful bases for processing available, with consent and legitimate interest being the primary ones used for advertising purposes. All lawful bases are well summarized in this resource from the IAPP.
2. Revisit and update your data disclosures
Another finding was that Meta was not fully transparent about the data being processed and the purposes for which it was being processed. Further, without full transparency there could be no expectation that people would understand the contractual requirement Meta claimed justified the processing.
The key for your organization is to revisit your disclosures to ensure that what personal data is collected, why it is processed, and the lawful basis for each specific processing purpose are all specific and clear to the user. This should all be done in an organized and understandable manner. No longer can you use catch-all terms like “we may collect this information to advertise to you”; you must be specific about what information is being collected and how you are using it to advertise to the user.
3. Consider the concept of “fairness” when making decisions about the necessity and outcomes of processing activities
The concept of “fairness” is embedded in the GDPR through things like the “balancing test” requirement when using legitimate interest as a lawful basis for processing. In this test, you must balance the value derived from the processing of a user’s personal data (value both for the business and the user) against the risk of harm to the user resulting from the same activity. The Meta decision applies this concept of fairness in a broader context.
Is it fair to expect a user to understand what they are agreeing to in the scenario of consent or contract acceptance? Is the processing activity itself fair with respect to the outcome for the user? These are the types of questions you need to be asking about any processing activity and outcome that relies on personal data. Simply take off the advertising cap for a second and think, “if I explained this to a typical user, would they consider it fair?” This exercise can go a long way toward ensuring you’re on the right path for compliance.
Progress in the Privacy Sandbox
With Google’s currently stated date for the phasing out of third-party cookies in Chrome still set for the second half of 2024, many eyes are shifting to the Privacy Sandbox initiatives meant to preserve advertising use cases in the cookieless world. As Google progresses in these initiatives, more organizations are beginning to test activation via the Topics API and FLEDGE. Both of these solutions are expected to be generally available in the second half of 2023.
The Privacy Sandbox has not progressed without headwinds, however. On January 15, the W3C (web standards body) group responsible for reviewing the Topics API came to the conclusion that “the proposed API appears to maintain the status quo of inappropriate surveillance on the web, and we do not want to see it proceed further.” The concerns raised related to the lack of true privacy-preserving protection, as well as the stated positions from WebKit (Safari) and Mozilla (Firefox) that they have no intention of adopting the solution. Varying browser support would result in fragmented browser standards and challenges for the application ecosystem. Google disagrees with the group’s assessment and has vowed to continue developing the solution.
So where does all of this leave us on this Data Privacy Day 2023?
- A more private web is coming!
- U.S. regulations are on the rise with the prospect of a full federal standard on the horizon.
- Learn from the sins of others! Check your disclosures, verify your lawful bases, and make sure you are being explicit, transparent, and fair with your users.
- Technology to support a web without third-party cookies is progressing, but it’s not going to be a silver bullet. Focus on the fundamentals and meaningful relationships with your consumers.