Data serves as a key factor for successful business functioning. However, advancements in information technology, which came to the scene during the last decade, have drastically reduced control over it. Only the first quarter of 2020 brought us a couple of loud, privacy violation cases.
The first one is unauthorised recordings of video calls on Zoom, and the second is the scandalous information leakage in the Marriott hotel database that disclosed the passport data of 500 million guests. Both cases prove that even giant corporations can fall prey to privacy breaches and data threats.
Because of this, the topic of data privacy has gone through rapid transformations in a short period. European GDPR, UK GDPR, the CCPA in California, upcoming implementation of the CPRA in California in 2023 and the COPPA proved that the era of data privacy has begun. The ad tech sector, which almost entirely relies on user data, will have to learn how to protect customer data in this new reality. What are those privacy standards and how should ad tech companies adapt to them? This ultimate guide will explain all.
Why compliance is paramount for digital advertising
By the end of 2021, we will have 4.66 billion active internet users in the world, accounting for 60% of the entire global population. Smartphones are used by 9 out of 10 internet users. Two-thirds also report that they frequently utilise laptop and desktop computers for internet browsing. The lockdown caused an even greater increase in online content consumption and shopping. Today, we normally spend 48 hours per week browsing the internet, accounting for 42% of our waking hours.
The average person normally owns different gadgets, each of which explicitly or implicitly tracks information about the owner: gadget usage stats, search engine queries, cookies, etc. Ad tech platforms have mechanisms that allow brands and advertisers to target those users whose interests, lifestyles and preferences correspond to the campaign criteria. Still, growing concerns about digital security pose a great challenge for the advertising sector – they oblige ad tech companies to develop new, safer mechanisms for collecting, storing and processing personal data. Substantial fines for non-compliance are not the only threat that companies need to avoid – prevention of potential damage to reputation should be a major concern for all businesses involved in the advertising industry.
According to the current regulations, what should ad tech companies know to protect customer data? Currently, we can speak about four major international privacy legislation frameworks that have international (extraterritorial) legal force. Let’s review each of them one by one.
So, what regulations should ad tech companies comply with?
● GDPR. In 2016, the European Parliament and Council of the European Union adopted a General Data Protection Regulation (GDPR). GDPR provides European residents with the right to provide data collection consent or restrict companies from collecting their personal data. GDPR applies to any organisation that deals with the data of EU citizens.
● CCPA. California law on consumer data protection was created in 2018. Its regulations are quite similar to GDPR but deal with the privacy protection of California consumers. The CCPA applies to for-profit businesses with an annual profit of over $25 million (or if it sells the data of 50,000 or more California residents). With the implementation of CPRA in California as of 2023, there will be major changes in regard to the treatment of personal information of California consumers.
● COPPA. The Children’s Online Privacy Protection Act, called COPPA, that was signed in 1998, came into force on April 21st 2000 and updated in 2013, has been developed to protect the data privacy rights of US children under 13 years of age. The law applies internationally to every company that deals with data of US children who haven’t reached the age of 13.
Main privacy principles of GDPR
Before a company can collect and process the personal information of European residents, it needs consent. This is the main basis of GDPR. If you compare GDPR with any other privacy regulation, you will find that this personal data definition is broadest and includes any type of info that can be used for user identification, including IP address, operation system, history of browser search or social media activity data.
Under the GDPR, EU citizens have the right to consent or reject the collection of data. Additionally, users can delete and control the personal information that companies collect for business purposes. In general, the regulations give users more freedom and control over the information they share with companies. The following are eight main rights that EU users obtain with GDPR:
- The right to know who is processing their personal data and why
- The right to access their personal information
- The right to correct and update their personal data
- The right to clear data, or the “right to be forgotten”
- The right to restrict or block data processing
- The right to transfer personal data from one service to another
- The right to object to data processing
- The right to personally influence automated data collection and profiling systems
The GDPR approach to personal data protection is based on eight principles that were documented back in 1980:
- Transparency. Personal data must be obtained legally through the transparent and clear mechanism of consent giving.
- Purpose. The purpose of the data collection must be provided at the time of collection, and the data must not be used for anything other than the purposes of the initial one.
- Data minimisation. The collector should justify for what purposes they are collecting user data. It is prohibited to collect more data than is required for a certain goal.
- Accuracy. Personal information must be as accurate, complete and up-to-date as necessary for the intended purposes. If such data is considered inaccurate, it must be erased (at the request of the user).
- Storage restriction. The data should be stored no longer than is necessary to fulfill a certain purpose.
- Integrity and confidentiality. Personal data must be protected from such risks as loss of or unauthorised access, destruction, misuse, modification or disclosure.
- Accountability. The data controller is responsible and must be prepared to demonstrate full compliance with the data protection principles outlined above.
If the violation of fundamental privacy rights are proven, GDPR sets forth fines of up to 10 million euros or up to 2% of the company’s entire turnover of the preceding fiscal year. For especially severe violations, the fines for the companies can reach up to 20 million euros.
Main privacy principles of CCPA
The CCPA defines personal data as information that identifies (relates, describes or characterises – directly or indirectly) a particular consumer: real names or nicknames, postal addresses, social security, driver’s license and passport number, biometric data (height, weight, fingerprints), geolocation, browsing data and so on. Worth pointing out is that cookies are also considered personal data and therefore are subjected to the law.
According to the CCPA, entities that collect, use, process and sell personal information must:
- Provide consumers with information regarding the purposes of data collection prior to collection
- Provide consumers with the right to access, delete and transfer certain parts of personal information
- Allow consumers to opt-out of selling their data
- Activate the consent process for minors under the age of 16 so that the sale of their personal information cannot take place without their explicit consent
According to the European directive, companies need to obtain user consent to process personal data. Under California law, however, an organisation is only required to process requests from users if they require the aforementioned information. Upon request, the company should satisfy such requests within 45 days. If the user’s data was lost, stolen or disclosed, the company has to pay $100 to $750 to each user who was affected.
Main privacy principles of COPPA
According to the main principles and provisions of COPPA, the operators of websites and internet services have no right to request and store the personal data of children without obtaining the official consent of their parents or guardians. The definition of “personal information” under COPPA has been expanded in the last law revisions. Now, this definition includes full name and contact details, including address, telephone number, email, Skype number, photo, video of the child and recording of the voice. The data contained in the cookies, such as IP address, device ID, as well as geolocation, can also be considered personal data.
The Federal Trade Commission (FTC), which is responsible for law enforcement, distinguishes between sites aimed at children and sites with a “broad audience.” The latter should follow COPPA only when they know that a certain proportion of their visitors haven’t reached 13 years of age.
According to the core principles of the law, the data operators that deal with information of minors should:
- Develop and post a transparent policy regarding procedures of personal data collection for children under the age of 13
- Create a notice for parents and ask for their consent before information may be collected
- Provide the flexibility for the parents to give consent for information collection, yet give them the right to prohibit the sharing of this information with third parties or reselling it
- Give necessary leverages to the parents so that they could manage, edit and delete information
- Give necessary leverages to the parents to prohibit the further collection of the information from children
- Provide the guarantee that collected information will be treated accordingly: secured and confidential
- To store and process such data only for the period necessary for accomplishing a certain purpose. As soon as the purpose of information collection is fulfilled, the data should be erased
- Do not condition the access to website activities on the volumes of data provided (as long as provided data is enough for activity participation)
It’s worth noticing that the law provides several ways for consent obtaining. Still, the majority of sites (such as Facebook and Twitter) prefer to limit the access to users under the age of 13.
This is because the fines per one case of COPPA violation can reach up to $43,792.
Key differences among the laws
Although the above-mentioned laws may seem similar, they have many drastic differences, and that’s why preparing for them requires an in-deep approach with the involvement of professional lawyers. For instance:
- All laws have similar data disclosure requirements but have different interpretations of personal data (and types of data that are qualified as personal).
- GDPR and COPPA require consent prior to information collection. Under CCPA, the company deals only with satisfying incoming data requests from users (regarding how their data is used)
- The GDPR does not require a specific link to opt-out of personal data sales, while CCPA and COPPA do
- In CCPA and COPPA, nothing is said in particular about the right of rectification. The GDPR grants data subjects the right to edit and complete their personal data
- There is a right to restrict the processing of data in GDPR and COPPA (under certain circumstances). In CCPA, there’s only an option to opt-out of personal information sales. The same applies to the objection of data processing, and the list goes on
How ad tech companies can adjust
It is clear that the future of ad tech (and all other industries) will be defined by transparent technologies. Sure, users might be more willing to agree with personal data collection and processing if data controllers clearly explain every step of the data processing in simple terms. However, compliance to GDPR, CCPA and COPPA constitute so much more than transparent, consent-giving mechanisms. They require compliance on every level of business functioning, including technologies, internal processes and dealing with partners.
In order to meet the requirements, the IAB (international advertising bureau) developed special GDPR and CCPA compliance frameworks and released a guide to navigating COPPA. Google uses a list of rules and regulations to protect personal data, which must be followed by the organisations and partners that work with automated advertising. Apart from these, here are a couple of practices that they deem worth following:
- Hire lawyers. Make sure privacy practices comply with all current laws. Perform internal audits regarding how those laws can affect your business
- Minimise data collection. Only collect and process information that is necessary for accomplishing certain purposes. As soon as data is no longer needed, delete it for safety reasons
- Make sure your partners comply. Audit your partners and the technology they use. They must adhere to the principles of confidentiality and take all necessary measures to comply with the laws.
- Implement a consent management platform when relevant. Make sure that users can control the use of their personal data. The consent request platform allows obtaining user permission directly from the site or app which streamlines personalised ad serving for publishers.
The bottom line
For any business, personal data serves as fuel for developing useful insights about existing and potential customers. However, the new era of privacy brings new challenges to businesses, especially those working in ad tech. On the one hand, the company should still be able to personalise advertising, and on the other hand, it should remain true to the principles of confidentiality and protection of personal data. International privacy frameworks are different and they continue to evolve. In relation to this, it is worth preparing beforehand and investing in mechanisms and procedures to ensure that your organisation is fully compliant.