
How Digital Media & Ad Tech Firms Are Handling Stronger Privacy Regulations

by Jonathan LaMantia
May 07, 2021

Updated December 20, 2022

With growing consumer concern and recent regulatory changes restricting the use of personally identifiable consumer data, privacy is becoming more important to companies across the web and is increasingly being blended with their cybersecurity efforts. Advertising technology (ad tech) and digital media firms and consumer brands are reacting to significant regulatory and industry-driven changes to the methods by which customers are identified and tracked online.

Within the ad tech and digital media sectors, companies realize that as they obtain consumer data, they gain a corresponding need to protect that data and to demonstrate compliance with all applicable regulations. Doing so is crucial to maintaining consumer and brand trust, both of which are vital to the success of the online advertising ecosystem.

Changes to Digital Media Platforms

In 2019, Google announced the Privacy Sandbox initiative in an effort to protect consumers’ online privacy while also offering companies access to user data that would help their businesses grow. And in March 2021, the company disclosed a plan to phase out the use of third-party cookies (which log the sites users visit) in its market-leading Chrome browser. Based on the Privacy Sandbox timeline, stage 1 of this transition started in Q4 of 2022 and will continue through Q2 of 2023. By the end of 2023, Chrome will no longer support third-party cookies.

Rather than selling web ads targeted to individual users’ browser histories, Google is advocating the use of browser data to group web users into broad categories based on their interests and for advertisers to target those interests instead of individual consumers. However, the company will continue to track individual users across Google-owned sites including its search engine, Gmail and YouTube.

Apple released App Tracking Transparency (ATT) in April 2021 as part of an iOS update. The feature requires developers to get affirmative permission from users to track app and web usage on their devices, and to collect and share iPhone data. Leading online platforms, including Meta (formerly Facebook), say this change hinders their ability to serve relevant ads to consumers.

These tech industry changes come in the wake of existing and new regulations, which are summarized below.

The Top Data Privacy Regulations to Know About

It’s important to stay up to date with these data privacy regulations to ensure your data collection practices comply.

General Data Protection Regulation (GDPR)

Enacted in 2018 by the European Union (EU), the General Data Protection Regulation (GDPR) guides worldwide organizations that target or collect data related to EU citizens or residents. With high fines and broad scope, this regulation addresses data protection principles to enhance accountability, emphasize the importance of consent and strengthen data security. It also outlines people’s rights, to give users greater control over their information. The GDPR is an important component of EU privacy law and should be considered by anyone with a focus on Europe.

Digital Services Act (DSA)

With this regulation, approved by the European Parliament in July 2022, the EU hopes to enhance consumers’ online rights across the union. To boost companies’ accountability requirements, websites will need to report the number of active end users to the European Commission. This will create standardized designations while defining compliance requirements based on platform size.

Network and Information Security (NIS2) Directive

Adopted in November 2022, this new European directive outlines stricter rules and expands the types of entities and industrial sectors that must comply with standardized cybersecurity policies. It enhances consistency across the EU while expanding reporting requirements and increasing violation penalties. By 2024, EU members must incorporate this directive into national law; when this happens, NIS2 will impact every company in the region.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA), which took effect in 2020, has now been amended to become the California Privacy Rights Act (CPRA) in 2023. The CPRA expands the consumer protections that were guaranteed under CCPA. It includes the right to correct inaccurate personal information, the right to limit the use and disclosure of sensitive personal information, the right to access information about automated decision-making, as well as the right to opt out of automated decision-making technology.

Brazilian General Data Protection Law

The Brazilian General Data Protection Law creates a legal framework for the use of personal data of individuals in Brazil — regardless of where the data processor is located. Brazil’s law, closely modeled after the GDPR, provides data subjects with specific rights about how their data is used, provides a legal definition of personal data and creates guidelines for processing personal data lawfully.

In broad terms, these laws place restrictions on the ability of companies to collect and share consumer data without having a proper legal ground (e.g., consent), and they’ve greatly increased attention on the use of data collected online and the need for companies to safeguard consumer data and protect user privacy. Staying vigilant about data privacy and cybersecurity is the first step for ad tech and digital media to comply with regulatory updates. As policies continue to change, organizations must implement best practices to maintain safety and consumer trust.

Compliance Frameworks

In response to regulatory and market changes, a growing number of companies are using cybersecurity frameworks including the NIST Privacy Framework, the NIST Cybersecurity Framework, GDPR, ISO 27001 and ISO 27701, and SOC 2 to demonstrate compliance and a commitment to security and privacy.

More companies are seeking some form of assurance that their business partners adhere to the most recent privacy and cybersecurity practices, and ad tech and digital media firms are increasingly seeking such mechanisms to highlight their privacy and security capabilities.

The NIST Privacy Framework and Cybersecurity Framework, together with ISO 27001 and ISO 27701, establish requirements for managing an organization’s privacy practices and the security of the data it holds, including consumer information, data entrusted to the company by a third party (such as a business partner), and other categories of data.

ISO 27701 outlines requirements for creating a privacy information management system (PIMS). A PIMS blends policies and procedures with privacy management technology and employee training to help a company manage, store and share personally identifiable information within regulatory requirements.

The SOC 2 review provides standards for evaluating how well a company’s information protection controls operate. The evaluation assesses an organization’s controls relevant to, among other aspects, processing and storing customer data securely and maintaining data privacy.

These frameworks demonstrate a company’s ability to protect the confidentiality, integrity and availability of sensitive information, and they can serve as demonstrable proof of a company’s ability to protect customer personal data while helping the organization ensure privacy and cybersecurity compliance.

Where to Start

The following steps can help you navigate industry and regulatory changes:

  • Conduct privacy and cybersecurity assessments to evaluate your current privacy and cybersecurity practices.
  • Identify key privacy and cybersecurity deficiencies and risks.
  • Make sure you have the right privacy and cybersecurity strategy to improve your privacy and cybersecurity practices.
  • Perform data inventories to evaluate the personal data flows within your organization.
  • Address relevant compliance gaps.
  • Focus on updating your policies/procedures/processes to meet current regulatory privacy and cybersecurity expectations.
  • Assign job functions and personnel as needed to enhance your data monitoring processes.
  • Perform relevant privacy and cybersecurity trainings.
