In the past, few people thought that much about third party tracking cookies or Mobile Device IDs. However, as awareness of tracking cookies has grown, so too has concern over their use. A new, model for the internet is falling into place, one which prioritises the privacy of users over the ability of advertisers to track their browsing habits. Reflecting the concerns of the public and legislators, privacy regulations are coming into force across the world. Combined, these regulations will reshape how brands connect with audiences online.
In this series of occasional blogs, Novatiq will provide a top-level overview of established, new and emerging global privacy regulations and data protection standards. These blogs are intended only for general information purposes, and are not intended to represent regulatory or other professional advice.
Global privacy regulations of note
EU/UK: General Data Protection Regulation (GDPR)
The inspiration behind most global privacy regulations today, the GDPR came into force in 2018. The regulation imposes obligations on any organisation that targets or collects data on EU Citizens (and UK citizens through the UK GDPR), backed up by fines reaching into the tens of millions of euros for non-compliance.
The impact on digital marketing is profound. Under the GDPR any publisher processing personally identifiable information (PII) requires a legitimate purpose to do so. Publishers must also secure consent before setting cookies on any website that users visit and before collecting their data. Without consent, publishers cannot track users to understand their preferences or show them targeted ads based on that data. Transparency is also key, and under the GDPR publishers must be transparent about how they process data.
US: California Consumer Privacy Act (CCPA)
The CCPA is a good example of the “Brussels effect”, where strong EU regulations set the global standard. Passed into law in 2020, the CCPA mirrors many of the provisions of the GDPR, including around transparency of data processing uses and the right to be forgotten. Fines under CCPA reach up to $7,500 per breach.
Under CCPA, digital marketers cannot gather and use California residents’ personal data – which includes their search history and IP address – without their consent. The law includes stipulations around establishing a process to obtain data sharing consent from parents or guardians for minors under 13 and affirmative consent for minors between 13 and 16.
US: Virginia Consumer Data Protection Act (CDPA)
The act was signed into law in March 2021, making Virgina the second US state to enact comprehensive privacy legislation. Once again in line with GDPR, the act empowers consumers with rights to access, correct, delete and port their data, as well as an explicit right to opt-out of targeted advertising. There are no exceptions to these rights. The law also states that once data is collected, it can only be processed for the explicit use consented to by the data owner.
Brazil: Lei Geral de Proteção de Dados (LGPD)
Brazil’s data protection law came into force in 2020, the first major privacy regulation in South America. LGDP is designed to align Brazil’s data protection regime with the GDPR – another example of the Brussels effect in action. The law applies to all companies processing the data of Brazilians, and as with GDPR it provides citizens with new rights. These include the right to request that their data be corrected, deleted, or easily transferred to another company. Data processors are also required to inform users about the purposes their data is being used for.
China: Personal Information Protection Law (PIPL)
April 2021, China published the second draft of the PIPL. When passed, the law will apply to any company processing the PII of Chinese citizens.Taking a lead out of the GDPR playbook, the law will give new rights for Chinese data subjects, including the right to deletion, the right to information and explanation of data processing, the right to access and request a copy of personal data, and the right to withdraw consent. The law will also expand the bases for lawful data processing to include consent, processing that is necessary for the conclusion or performance of a contract to which the data subject is a party, the fulfilment of statutory duties or obligations, or to respond to public health incidents. The draft legislation stipulates that penalties can reach up to CNY 50 million or 5% of a company’s turnover in the previous year.
Japan: Act on the Protection of Personal Information (APPI)
In June 2020, Japan enacted amendments to the APPI, expanding its scope and increasing the obligations of companies to be transparent and secure with the personal data of Japanese residents.
The changes are expected to come into force in 2022 and will give citizens the power to demand the erasure of their personal data. As with GDPR, there will be a requirement for publishers to secure the consent of users for the use of cookies for specific uses such as personalised advertising.
GDPR has clearly set the tone for a shift in thinking worldwide around, among other things, how marketers collect and use data to target people online. These regulations are fuelling an industry-wide move away from third party tracking cookies towards privacy-first alternatives, such as Novatiq’s telco-verified Identifiers. They are spurring innovation and helping to bring about a new and better adtech ecosystem.