In the two years since the General Data Protection Regulation (GDPR) became law, the world has indubitably moved closer towards a privacy-oriented future. Digital marketers are grappling with the end of third-party cookies, mobile marketers are repositioning to counter the deprecation of advertising IDs, and new legislation is being written to solidify standards of data privacy across the world.
Below, we review the current status of key data privacy legislation, like GDPR and CCPA (California Consumer Privacy Act), then examine pieces of emerging international legislation, before finally offering advice for advertisers looking to keep their APIs and SDKs compliant.
The State of International Data Privacy Legislation and What It Means for Advertising
GDPR Compliance and Enforcement Since 2018
Widely regarded as the earliest comprehensive data privacy regulation, GDPR came into effect in 2018 – affecting residents of EU nations and all those who handle their data. Despite being an EU law, GDPR has become the de facto global standard for privacy; 41% of privacy professionals name compliance with it as their highest priority.
Many in the advertising industry are still concerned about loss of ad revenue following GDPR’s requirement that customers must opt in to data collection. However, it has already resulted in both negative and positive outcomes for the ad industry. Not only does it help alleviate brand safety, advertiser perception, and transparency issues, but it may well increase long-term ad performance by filtering out uninterested users.
Over 160,000 violations of GDPR have been detected since it became EU law. Yet at the time of writing, only 408 fines (totaling approximately $260m) had been levied. The disparity between instances of noncompliance and enforcement actions can be put down to four factors:
- Lack of funding
- Lack of other resources
- Administrative hurdles with national-level Data Protection Authorities (DPAs)
- The “vagueness” of certain aspects of the ruling
It is worth noting that the frequency of fines levied will likely continue to increase as more landmark cases are finalized, and indeterminate parts of the regulation are defined or amended.
The Future of GDPR
Earlier in 2020, the EU Council Presidency released a proposal for a new version of the ePrivacy Regulation intended to modernize the existing ePrivacy directive and complement the protection of personal data under GDPR. The proposed regulation aims to ensure the “right to a private life” of electronic communications users — essentially ensuring that data sent via text or video messaging is considered confidential. While the ePrivacy Regulation is currently on hold due to the COVID crisis, it is expected to attach additional strict conditions and security measures to the collection of data, while expanding the legal basis of “legitimate interests” found in GDPR.
The compliance of AI software with GDPR will remain in the spotlight in the years to come. Data collected by an app’s facial recognition system, for example, can only be used for other purposes, such as crime prevention, in certain developmental and deployment phases. Organizations using AI must address the risks surrounding privacy rights and freedoms by implementing sufficient levels of security against unauthorized data processing, as well as accidental loss and destruction.
CCPA’s Crucial Differences with GDPR
CCPA is the US’s first major foray into data privacy law. While designed for California, it, like GDPR, has consequences for those outside its jurisdiction of origin. Furthermore, multiple states are in the process of passing similar legislation in their state legislatures. While GDPR and CCPA share many similarities, key differences such as CCPA’s opt-out obligation create unique challenges and opportunities for mobile advertisers.
Important Updates to CCPA
On November 3rd 2020, voters passed the California Privacy Rights Act of 2020 (CPRA). Essentially an overhaul of CCPA, CPRA has become known as CCPA 2.0. CPRA includes additional consumer rights and data and purpose minimization provisions, as well as other privacy principles from GDPR.
While CCPA allowed ad targeting where data was not sold, CPRA widens the definitions of “data selling” to incorporate more data sharing practices. It also contains a broader opt-out provision. Both of these privacy changes are specifically designed to restrict “cross-context behavioural advertising”. For a further breakdown of how CPRA differs from CCPA, we recommend this article by Ad Law Access.
Other Data Privacy Legislation Around the World Affecting the Advertising Landscape
Major nations have followed the lead of Europe and the US by enacting their own data privacy regulations, which will affect the advertising landscape:
- India’s Personal Data Protection Bill (PDPB) has a strict data localization policy which would require any companies processing the personal data of an Indian subject to store a copy of that data on Indian territory. It is expected to pass soon.
- Brazil’s General Personal Data Protection Law (LGPD) is closely modelled on GDPR and applies to all companies that handle the personal information of Brazilian residents. It came into force on 15 August 2020.
- Thailand’s Personal Data Protection Act (PDPA) was passed in early 2019 following twenty years of development and discussion. It includes some of GDPR’s stricter requirements for data protection officers and sensitive categories of data. Violators face criminal prosecution and imprisonment of up to a year.
- Australia’s Privacy Amendment to the Privacy Act came into effect in February 2018. Any organization with an annual turnover over $3m AUD must disclose data breaches that pose a “real threat of serious harm” or face fines of $1.8m AUD.
- Japan’s Act on Protection of Personal Information was amended in May 2017 to include both foreign and domestic companies. Japan has since reached an agreement with the European Commission to reciprocate adequacy of their respective laws. The latest updates are due to be enacted in late 2021.
How Mobile Advertisers and Publishers Can Future-Proof Privacy Compliance
Every business must ensure that it thoroughly familiarises itself with, and complies with, all data legislation in the countries where its customers reside. For app publishers and advertisers whose customers are often global, this is no easy feat. Fortunately, there are fantastic resources and checklists available to help digital marketers comply with the most significant of these acts.
To protect themselves under current privacy laws and future-proof themselves against prospective ones, advertisers need to build protections into their APIs. That includes password hashing, measures to avoid exposing personal information in URLs, pseudonymization of user data, integration of timestamps in requests, and avoiding the exposure of API keys.
These protective measures apply not only to a company’s own APIs but also to those of all integrated services. Furthermore, under GDPR for example, mobile apps are the “data controllers” responsible for the data gathered by them via SDKs and/or third parties. Companies should not be content with a statement of compliance; they must choose their vendors with the utmost care by discovering how those vendors themselves handle data, as well as the processes they have in place for data access, deletion, and processing.
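The measures listed above, as an added example in Python (this is not code from the original article or from any vendor it mentions): salted scrypt password hashing, keyed pseudonymization of a user identifier, and a request scheme that carries the pseudonym in the body rather than the URL and signs a timestamp plus body hash with the API secret, so the secret itself is never transmitted. The key material, key id, path and payload fields are constructed placeholders, not values from the page.

```python
"""Added example: API-hardening measures from the article, standard library only.
All secrets and identifiers are constructed placeholders (assumption)."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed secrets for the example; a real deployment loads these from a
# secret store, never from source code, logs or URLs.
PSEUDONYM_KEY = b"example-pseudonymization-key-CHANGE-ME"
API_KEY_ID = "example-key-id"                 # public identifier, sent in a header
API_SECRET = b"example-api-secret-CHANGE-ME"  # shared secret, never put on the wire

# scrypt cost: 128 * n * r bytes of memory per hash, here 16 MiB.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted scrypt hash of the password, never the password itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def pseudonymize(identifier: str) -> str:
    """Keyed HMAC pseudonym: stable enough to join records, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def _canonical(method: str, path: str, ts: int, body: bytes) -> bytes:
    """String-to-sign: method, path, timestamp and body hash, one per line."""
    return "\n".join([method, path, str(ts), hashlib.sha256(body).hexdigest()]).encode("utf-8")


def build_request(method: str, path: str, payload: dict, ts: Optional[int] = None) -> dict:
    """Client side: personal data travels in the signed body, not the query string;
    the headers carry only the key id, a timestamp and an HMAC, never the secret."""
    ts = int(time.time()) if ts is None else ts
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    sig = hmac.new(API_SECRET, _canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    headers = {"X-Key-Id": API_KEY_ID, "X-Timestamp": str(ts), "X-Signature": sig}
    return {"method": method, "path": path, "headers": headers, "body": body}


def verify_request(req: dict, now: Optional[float] = None, max_skew: int = 300) -> bool:
    """Server side: reject unknown key ids, stale timestamps and tampered bodies."""
    now = time.time() if now is None else now
    headers = req["headers"]
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False  # outside the accepted clock-skew window
    if headers.get("X-Key-Id") != API_KEY_ID:
        return False
    expected = hmac.new(API_SECRET, _canonical(req["method"], req["path"], ts, req["body"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", record))
    req = build_request("POST", "/v1/events",
                        {"user": pseudonymize("user@example.com"), "event": "install"})
    print("request ok:", verify_request(req))
```

The timestamp window limits how long a captured request stays valid; to reject a replay inside that window the server would additionally cache seen signatures (or a nonce) for `max_skew` seconds, which is left out here to keep the example short.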
Comprehensive data laws are coming into effect the world over, and those that already exist are, as a rule, becoming stricter rather than more lenient. Acting early and complying before your competitors may give you a crucial advantage when it comes to new opportunities in the emerging global landscape of data protection. Fill in the form below to discuss your mobile marketing strategy in a privacy-first world.