Online privacy has emerged as one of the central issues of this decade. As technology becomes more pervasive in consumers’ lives, attitudes toward privacy have changed dramatically. 7 out of 10 Americans say they believe their personal information is less secure than it was five years ago.
Table of Contents:
- Consumer Sentiment towards Online Privacy
- What is the ePrivacy Directive?
- What is the ePrivacy Regulation?
- What’s the difference between the ePrivacy Directive and the ePrivacy Regulation?
- What does the General Data Protection Regulation (GDPR) mean for publishers?
- What does the California Consumer Privacy Act mean for publishers?
- What does the Personal Information Protection and Electronic Documents Act (PIPEDA) mean for publishers?
- What does Lei Geral de Proteção de Dados (LGPD) mean for publishers?
- What does the Personal Data Protection Act (PDPA) mean for publishers?
- What does the Children’s Online Privacy Protection Rule mean for publishers?
- What does the California Privacy Rights Act (CPRA) mean for publishers?
- How can publishers invest in privacy-forward advertising?
- What’s next?
Consumer Sentiment towards Online Privacy
When it comes to online privacy, Americans hold a variety of opinions. Here are a few findings from the Pew Research Center that show how US citizens think about the vulnerability of their personal information and their online privacy:
- 81% of US adults say they have very little or no control over the data companies collect about them.
- 59% of US adults say they have very little or no understanding of what companies do with the data they collect.
- 81% of US adults say the potential risks of collecting data about them outweigh the benefits.
- 48% of Americans say they have no control over who can access the search terms they use, and 41% say the same about the websites they visit.
As concern over privacy continues to grow, regulators have stepped up to protect online consumers. With more countries implementing data protection regulations, publishers should know the existing laws and keep themselves updated to stay ahead of upcoming ones. After all, web publishers (the open web) are an essential part of the Internet, and so is online privacy.
So, let’s take one step forward and understand the various privacy laws that have come into force in the US and overseas, how each of them can affect you, and what you should do to protect your users’ privacy.
What is the ePrivacy Directive?
The ePrivacy Directive came into force in 2002 and focuses on protecting the privacy and security of personal information in the digital world. It requires publishers and advertisers operating in any European Union country to obtain consent from European users before dropping cookies in their web browsers to capture their data. So yes, the ePrivacy Directive is what started the cookie banners you see across the web.
In 2017, the ePrivacy Directive was revised to give online consumers more control over their data. Under the revised version, users can select which cookies they accept, and for what purpose and to what extent they are willing to be tracked. They may allow all cookies, just some, or reject all of them.
What is the ePrivacy Regulation?
In 2009, the ePrivacy Directive was amended and became the ePrivacy Regulation (the Cookie Law). To comply with the ePrivacy Regulation, you need to:
- Obtain users’ consent before using any cookies (except strictly necessary cookies).
- Tell users, in plain language, what data each cookie tracks and for what purpose.
- Give users the option to access your content and services even if they refuse to allow certain cookies.
- Enable the users to withdraw their consent at any time.
What’s the difference between the ePrivacy Directive and the ePrivacy Regulation?
The ePrivacy Directive is a somewhat more flexible legislative instrument than the ePrivacy Regulation, because it gives Member States the choice to add new rights to existing law, create a new law under the Directive, or adapt an existing law.
The ePrivacy Regulation, on the other hand, is robust and self-executing: it binds all Member States and comes into effect on the set date without national legislation. Once negotiation and discussion among the EU institutions concluded, it became law across the EU Member States at the set time.
What does the General Data Protection Regulation (GDPR) mean for publishers?
The General Data Protection Regulation (GDPR) is the European Economic Area (EEA) data protection framework that was adopted on April 14th, 2016, and came into force on May 25th, 2018. The law takes a proactive, consent-first approach to the collection of user data and analytics.
It requires that companies not collect data without a lawful basis and a valid purpose for processing. Compared with other privacy laws, GDPR has the broadest definition of personal data. If your website offers goods or services to EEA users, GDPR should be on your mind.
While doing business in the EEA, you might track users’ activities. Under GDPR, you need to obtain users’ consent for that data, and you need to tell them with whom you are going to share it. GDPR covers the following types of data:
- Personally Identifiable Information (name, address, date of birth, social security number, etc.)
- Web-based data (IP addresses, cookies, etc.)
- Genetic and health-based data
- Ethnic and racial data
- Biometric data and sexual orientation, and
- Political opinion
How does GDPR differ from ePrivacy Regulation?
Though GDPR and the ePrivacy Regulation are intrinsically linked by a few common factors, there are differences you should know:
- GDPR was introduced in the EU to control the use of personal data across every sector, including finance, healthcare, advertising, marketing, and publishing, whereas the ePrivacy Directive specifically addresses cookie usage.
- GDPR is based on Article 8 of the European Charter of Human Rights, while the ePrivacy Directive is based on Article 7. Moreover, the ePrivacy Directive guarantees the ‘right to privacy in the electronic communication sector’, which includes services like WhatsApp, Skype, and Facebook Messenger.
- Under GDPR, publishers, advertisers, and any business with direct access to users control the consent request process, meaning they can choose how they communicate the consent request to users. Under the ePrivacy Directive, however, users set their cookie preferences in their browser settings.
What happens if you don’t follow GDPR?
You may end up paying fines of between 2% and 4% of your annual global revenue in addition to €10 million to €20 million, depending on the extent to which you violated the law.
In the same week that GDPR was introduced, U.S. Senators Edward J. Markey and Richard Blumenthal introduced the CONSENT (Customer Online Notification for Shopping Edge-provider Network Transgressions) Act.
What is it? It is a bill aimed at protecting US-based users’ information from edge providers that collect, use, and share their data. Here’s a broad overview of the privacy regulation and what you should know about it.
What does the California Consumer Privacy Act mean for publishers?
The California Consumer Privacy Act (CCPA) came into effect in January 2020 after being signed into law by unanimous vote in the summer of 2018. The California data privacy law gives consumers the right to know what kind of personal data is being collected about them and for what purpose. It also allows users to opt out if they want.
As defined by CCPA, personal data includes the standard identifiers used in the physical world (e.g. driver’s license and social security numbers), digital identifiers (e.g. email addresses and demographic information), and online behavior data (e.g. browsing history, IP addresses, interactions, and purchases).
Unlike GDPR, CCPA doesn’t require the user’s consent or permission in the first place. Instead, it focuses on giving users control over who sees their data. Where it lags behind GDPR is that, because it doesn’t require consent, companies can still collect users’ data.
Publishers who display ads, collect users’ data, and share it with their ad-tech partners should disclose this purpose to their users and also give them an option to delete the information collected.
What happens if you don’t follow CCPA?
For intentional violations, publishers can face penalties of up to $7,500; for unintentional violations, they can face up to $2,500 if the violation is not cured within 30 days of being given notice of it. To avoid penalties, read our detailed guide on CCPA here.
What does the Personal Information Protection and Electronic Documents Act (PIPEDA) mean for publishers?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s data privacy law, which came into effect in June 2015 and got its latest update in January 2019. The law aims to protect users’ personal information such as age, name, ID number, occupation, income, and more. So, if you’re dealing with Canadians, you need to obtain their consent for data collection and usage.
The law gives users the right to access the information companies have gathered about them and to be informed if the data is going to be used for any purpose other than the one originally stated. Like GDPR and CCPA, PIPEDA holds publishers responsible for protecting users’ data regardless of whether they handle the data directly or via third-party companies.
Under PIPEDA, the following information is addressed and covered:
- Name, age, income, ID numbers, blood type, or ethnic origin,
- Comments, social status, opinions, evaluations, disciplinary actions,
- Users’ credit records, loan records, medical records, etc.
What happens if you don’t follow PIPEDA?
Any publisher violating the law could end up paying a fine of up to $100,000 CAD.
What does Lei Geral de Proteção de Dados (LGPD) mean for publishers?
Lei Geral de Proteção de Dados (LGPD) is a new data privacy law that was passed in 2018 and was due to come into effect on August 16th, 2020, but enforcement is likely to begin in August 2021 because of Covid-19.
The law applies to businesses processing the personal data of users located in Brazil. The Brazilian law shares many concepts with the European GDPR. Under LGPD, publishers should assess how each type of user data is collected, stored, used, and retained within their organization.
What happens if you don’t follow LGPD?
The fines under LGPD aren’t as severe as under GDPR. A publisher may have to pay 2% of total revenue excluding taxes, up to 50 million reais (€11 million). How can you comply with LGPD? Read this article to learn about the steps.
What does the Personal Data Protection Act (PDPA) mean for publishers?
The Personal Data Protection Act (PDPA) is Thailand’s law, heavily based on GDPR, which came into force on May 27th, 2020. The law covers any publisher who processes the personal data of Thailand’s citizens, whether or not the publisher is located in Thailand.
“With the introduction of PDPA, brands can now use a newer approach to targeting their audience; using data they have gained in a trustworthy manner to appeal to users based on their interests and content they are already engaging with.”
– Nickolas Rekeda, CMO, MGID
The PDPA sets out nine data protection obligations, including:
- Purpose limitation
- Access and Correction
- Retention limitation
- Transfer limitation
Learn more about the obligations and how to comply with PDPA in detail here.
What happens if you don’t follow PDPA?
If you violate the PDPA, you’re liable to:
- Pay a fine of up to $10,000 or face imprisonment for up to 12 months (in the case of an individual)
- Pay a fine of up to $100,000 (in any other case)
What is the Children’s Online Privacy Protection Act (COPPA)?
The Children’s Online Privacy Protection Act (COPPA) is a United States federal law that came into effect in April 2000. Under COPPA, publishers are restricted in collecting and using personal information about children. Specifically, the law protects the data of children under the age of 13.
“Its stated purpose is to protect children from micro-targeting by advertisers and to minimize the potential for contact with dangerous individuals through chat rooms, e-mail, and bulletin boards by involving parents in kids’ online activities.”
– Monica Rogers
In 2013, the FTC revised COPPA because the previous version of the law excluded businesses involved in advertising or that collected users’ data by other means (plugins). With the revised law, publishers and ad-tech networks were also required to comply.
What happens if you don’t follow COPPA?
According to the FTC, if you don’t comply with COPPA, you may have to pay up to $43,280 for each violation. How do you make sure that you’re complying with COPPA? Here’s an article that will help you.
What does the California Privacy Rights Act (CPRA) mean for publishers?
The California Privacy Rights Act (CPRA, or the California Privacy Law) is a new privacy law that is expected to come into effect on January 1, 2023. The ballot to pass the law will be held in November 2020. Also known as CCPA 2.0, the CPRA will introduce the following six rights:
- Sensitive personal information
- Right to correct inaccurate personal information
- Children’s data under CPRA
- Security audit
- Automated decision making
- Data retention
We’ve explained all the new data rights in detail to help you understand the law better. As the law is yet to be passed, the fines will be decided in the coming days.
How can publishers invest in privacy-forward advertising?
To ensure that your website is compliant with the growing body of data privacy laws, follow the suggestions below:
Integrate a Customer Data Platform (CDP).
To comply with data privacy laws, you need to double down on your efforts when you collect and store user data. Even if you are an expert in siloed data, you need advanced technology to gain a complete 360-degree view of user data. That said, you need a Customer Data Platform that can do more than sort and store information.
A CDP can help you to scrub the data and create a unified record of users so that you can understand how your marketing or advertising partners are using users’ data.
Only collect data that you really need.
One of the most important aspects is to understand why you need data and what kind of data is relevant to your business. Many publishers capture all kinds of available data without knowing what purpose they will use it for or whether they really need it.
Integrate a Consent Management Platform (CMP).
To tie your policies to all the data privacy regulations, ‘asking for permission’, i.e. getting consent, is mandatory. It is important to ask for consent to use data and to provide transparency about how that data is used.
Image: sample consent message.
Onboard a Consent Management Platform (CMP) so that you can:
- Collect consent of your website visitors and ensure that the third-party trackers don’t collect the data if the visitors refuse,
- Provide an easy mechanism for the opt-out to comply with online privacy laws,
- Give your visitors the choice to withdraw their consent when they want, and more.
Many publishers are already using CMPs to gather consent and provide control, making it easier to adapt to future privacy laws. Not sure which CMP to choose for your business? We’ve curated a list of the top CMPs available in the industry.
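The consent duties above (and the four cookie rules listed under the ePrivacy Regulation: consent before any non-necessary cookie, plain-language disclosure, content still available on refusal, withdrawal at any time) come down to one gate in the front end that decides whether a tag may run and whether a cookie may be written. The block below is an added example, not code from the original post or from any CMP vendor, showing that gate in plain JavaScript. The vendor ids, cookie names and purposes in `SCRIPT_REGISTRY` are constructed sample data, and the `path=/; SameSite=Lax` cookie attributes in the browser jar are assumptions.

```javascript
// Added example: a minimal consent gate for a publisher site (not any vendor's code).
// Rules it enforces:
//  - nothing optional runs or sets cookies before an affirmative choice;
//  - strictly necessary cookies are exempt from consent;
//  - every cookie is declared with a plain-language purpose before it may be written;
//  - content is never blocked on refusal (the gate controls trackers only);
//  - consent can be withdrawn at any time, and withdrawal deletes the cookies at once.

const OPTIONAL_CATEGORIES = ['analytics', 'advertising'];

// Publisher's declaration of each tag and the cookies it sets (constructed sample data).
const SCRIPT_REGISTRY = [
  { id: 'session', category: 'necessary',
    purpose: 'Keeps you signed in while you read', cookies: ['sid'] },
  { id: 'analytics-vendor', category: 'analytics',
    purpose: 'Counts which articles are read', cookies: ['_an_id'] },
  { id: 'ad-vendor', category: 'advertising',
    purpose: 'Shows ads related to pages you visited on this site', cookies: ['_ad_id', '_ad_seg'] },
];

// Fresh state: no decision yet, so only strictly necessary cookies are permitted.
function createConsentState() {
  return { decided: false, granted: { analytics: false, advertising: false }, updatedAt: null };
}

// Record the user's choice. Unknown keys are ignored and 'necessary' cannot be
// toggled because it needs no consent. A partial choice keeps earlier answers.
function applyChoice(state, choice, now = Date.now()) {
  for (const cat of OPTIONAL_CATEGORIES) {
    if (typeof choice[cat] === 'boolean') state.granted[cat] = choice[cat];
  }
  state.decided = true;
  state.updatedAt = now;
  return state;
}

// Withdrawal revokes every optional category and deletes the cookies those
// vendors declared, so it takes effect immediately rather than on the next visit.
function withdrawConsent(state, jar, registry = SCRIPT_REGISTRY, now = Date.now()) {
  for (const cat of OPTIONAL_CATEGORIES) state.granted[cat] = false;
  state.decided = true;
  state.updatedAt = now;
  for (const s of registry) {
    if (s.category !== 'necessary') s.cookies.forEach((name) => jar.delete(name));
  }
  return state;
}

function isAllowed(state, category) {
  if (category === 'necessary') return true;
  return state.decided && state.granted[category] === true;
}

// Which declared tags may be injected into the page right now.
function scriptsToLoad(state, registry = SCRIPT_REGISTRY) {
  return registry.filter((s) => isAllowed(state, s.category)).map((s) => s.id);
}

// Write a cookie only if it is declared and its category is permitted. An undeclared
// cookie is refused outright: declare it first so the notice stays truthful.
function setCookieIfAllowed(state, jar, name, value, registry = SCRIPT_REGISTRY) {
  const owner = registry.find((s) => s.cookies.includes(name));
  if (!owner || !isAllowed(state, owner.category)) return false;
  jar.set(name, value);
  return true;
}

// Plain-language disclosure for the banner, one line per declared tag.
function disclosureLines(registry = SCRIPT_REGISTRY) {
  return registry.map((s) => `${s.id} [${s.category}]: ${s.purpose} (cookies: ${s.cookies.join(', ')})`);
}

// In-memory cookie jar so the logic runs outside a browser (tests, server-side rendering).
function createMemoryCookieJar() {
  const store = new Map();
  return {
    set: (name, value) => store.set(name, value),
    get: (name) => store.get(name),
    delete: (name) => store.delete(name),
    names: () => [...store.keys()],
  };
}

// Browser jar over document.cookie; path '/' and SameSite=Lax are assumptions.
function createDocumentCookieJar() {
  return {
    set: (name, value) => { document.cookie = `${name}=${encodeURIComponent(value)}; path=/; SameSite=Lax`; },
    get: (name) => { const m = document.cookie.match(new RegExp(`(?:^|; )${name}=([^;]*)`)); return m ? decodeURIComponent(m[1]) : undefined; },
    delete: (name) => { document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`; },
    names: () => document.cookie.split('; ').filter(Boolean).map((c) => c.split('=')[0]),
  };
}

// Stand-alone walk-through with the in-memory jar (runs under Node).
if (typeof document === 'undefined') {
  const state = createConsentState();
  const jar = createMemoryCookieJar();
  console.log(disclosureLines().join('\n'));
  console.log('before choice:', scriptsToLoad(state));   // [ 'session' ]
  applyChoice(state, { analytics: true, advertising: false });
  console.log('after choice:', scriptsToLoad(state));    // [ 'session', 'analytics-vendor' ]
  setCookieIfAllowed(state, jar, '_an_id', 'u-1');
  setCookieIfAllowed(state, jar, '_ad_id', 'x');          // refused: advertising not granted
  withdrawConsent(state, jar);
  console.log('after withdrawal:', jar.names());          // []
}
```

In a real page the tag loader would call `scriptsToLoad` on every page view and only inject the returned tags, and the banner's “reject all” and “withdraw” controls would call `withdrawConsent` with `createDocumentCookieJar()`. Because the gate never touches the article content itself, a visitor who refuses still gets the page, which is the third of the four cookie rules above.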
Stay apprised of significant data privacy updates.
Paying attention to data regulations and adapting to the new updates is crucial for every publisher. Dealing with new privacy policies and introducing the changes can be tough. But it’s something that you cannot miss or delay.
However, there are Artificial Intelligence (AI) and Machine Learning (ML) tools that can keep you updated on changes to existing laws and on upcoming ones. You can also subscribe to blogs such as the Chromium blog or other ad-tech blogs to stay tuned.
Better yet, sign up to our ‘Adtech weekly newsletter’ where we cover all the important updates including internet privacy laws.
Follow the guidelines defined by IAB.
The Interactive Advertising Bureau (IAB) has released a set of guidelines known as the Transparency and Consent Framework (TCF) to help publishers comply with Europe’s data privacy regulations while still serving interest-based advertising.
Put simply, the framework aims to standardize communication among publishers, ad-tech companies, and advertisers about user consent. Many organizations already use TCF as the foundation for protecting users’ data, so make sure you’ve implemented the latest version of the framework. Don’t know what’s new in the latest version? Read our comprehensive guide on the framework.
Consumer privacy laws, both in the United States and overseas, now dictate how data is collected and used. Though each privacy law varies in its specifics and fines, taking control of your website and providing a privacy shield for your users is a must. Think about where your website visitors reside and which laws could apply to them. Cleanse their data and ensure you’ve strictly adhered to your procedures and policies.