The Impact of New Privacy Laws for Marketers

In a world that is continually moving toward digital means for everything from communication to storage to entertainment, protecting your digital assets becomes even more important. And though ownership may be clear cut in person much of the time, with an individual able to place a physical lock box around whatever they hold dear, online spaces have often blurred the lines between what an individual has ownership over.  

In 1983 the Office of the Privacy Commissioner of Canada was established following the passage of the Privacy Act, the first iteration of law that looked to create boundaries for privacy online. Of course, in 1983 “online” looked a lot different than it does today, and much of the conversation around privacy had not really begun as owning a household computer was only a dream for many in the 80s and early 90s and not yet a reality.    

PIPEDA 

Between 2001 and 2004, the Personal Information and Electronic Documents Act revolutionized how we looked at and stored data online. PIPEDA requires private-sector organizations to collect, use or disclose personal information by fair and lawful means, with consent, and only for purposes that are stated and reasonable. Those organizations are also required to protect the consumers data through appropriate security measures, keep it accurate, and allow the user to access what they have gathered about them. For the first time, organizations gathering data online were under strict rules to follow in making sure that data was collected and kept private.  

And of course, PIPEDA holds many nuances around privacy for different organizations, but these remained the main points that now guided privacy on the internet:  

• You are responsible for personal information under your control.  

• You must limit your collection of personal information to what is needed for the purposes set by your company.  
• You can’t obtain, use or disclose personal information without prior consent.  
• You should clearly communicate the purpose of collecting the data and the ways you want to process it.  
• You must inform every interested individual about the collection, use and disclosure of their personal information.
• You must protect personal information using security measures proportional to the sensitivity of the information. 

CASL 

Separate to Canada’s privacy laws is the Canada Anti-Spam Legislation, an important one for marketers that are communicating electronically with their customers. CASL’s primary function is to protect consumers from unwanted commercial electronic messages.  

To be compliant when sending emails or messages to your target audience the organization must:  

• Review their email address collection methods (do you have implied or express consent?)  
• Obtain express consent   
• Make sure all outgoing messages identify who is sending the message, the service provider, the ability to unsubscribe, and contact information. 

 A case study in email marketing 

Not only is CASL an important and necessary part of your email marketing plan but understanding the changes to the email landscape and how everyone subscribed to your communications plays into the data you collect.  

Apple’s updates have further complicated email marketing with iOS 15, launched September 2021. The update blocked the tracking pixels attached to email through “Mail Privacy Protection”, so marketers were no longer able to see the customer journey. Whether the email was opened, how long the user read it, and whether they continued looking for more information elsewhere after reading it are all now hidden. 

Since this update, marketers have needed to rely on other metrics like engagement and action done willingly by subscribers to gauge whether the campaign was successful. With privacy laws continuing to move toward more severe protection, email is just one piece of the puzzle in marketers understanding their customers in new ways to reach and delight them. 

CPPA 

Though PIPEDA still contains many excellent guides for privacy online, the introduction of innovative technologies has shown a need for more protection in digital spaces. The Consumer Privacy Protection Act (CPPA) aims to mirror what we see in the Global Data Protection Regulation (GDPR) that came into effect in the UK in 2018. The GDPR has the strictest data laws of any country in the world and Canada’s CPPA will hope to give it a run for its money.  

Bill C-27 has its first reading on June 16th, 2022, the bill is “An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and the make consequential and related amendments to other Acts”. And though it may all seem like a lot to take in, one of the main takeaways is that the proposed new laws will be similar to those we have now, only they will update to be relevant in recent technology, create stricter rules for organizations on where they can access and how much data they are allowed to collect, and increase the severity of punishment for those who do not comply.  

The proposed CPPA establishes penalties of C$25 million ($19.4 million), or as much as 5% of global revenue, whichever is greater, for companies that breach privacy rules. This is in the hope that larger companies will no longer see privacy rules as a tax they pay to break, but rather an important part of interacting online.  

For marketers, there are two principal areas of the CPPA to focus on: meaningful consent and de-identification.  

Meaningful Consent focuses on: 

• The purpose of the collection, use, or disclosure of information. 
• The way the information is to be collected, used, or disclosed. 
• Any reasonably foreseeable consequences of such collection, use, or disclosure. 
• The specific type of information that is to be collected, used, or disclosed. 

• The names of any third parties or types of third parties to which the organization may disclose personal information. 

De-identification focuses on:  

• The CPPA will allow organizations to use personal information for certain purposes without the data subject’s knowledge or consent, provided they de-identify the information. Acceptable circumstances may include internal research and development or within the context of prospective business transactions, for example.  

What does any of this mean for marketers? 

Marketing professionals have been aware of the shift in privacy for years now and the desire of consumers to have more control over where their personal information is collected, stored, and used. One of the biggest conversations around privacy in the last few years has been around the disappearance of the cookie and what that means for advertising.  

Cookies equate to third-party data, small text files that are stored on your web browser and follow you around the internet, gathering information on where you go, what you do, and what you have affinity for. And with these departing the wheelhouse of use for marketers, other options will need to be considered in how to make sure you are reaching the right customer and keeping your CPA’s down.  

Data Alternatives 

If third-party cookies are not an option, and the CPPA requires more regulation around what data you are allowed to collect, making sure you choose the right combination of methods will be the key to your continued success in creating winning strategies. It will be imperative to create viable, privacy first solutions when choosing the right methods as well, understanding that transparency will enable you to target effectively and consumers to receive the level of personalization they are comfortable with.

Authenticated Identity Data 

Data is gathered with explicit consent as someone has logged into a platform and is a user, acknowledging their own agency in the data collection. Collecting this type of data is ideal, as consent is baked into the equation when the individual signs into the platform. However, because sharing this data outside the platform will have stricter rules, it won’t always be the most available type of data.  

Companies like Walmart are working to create their own walled gardens for authenticated data to make this process easier and own more first party data. But for smaller companies this will need to be only one example of how you collect and use data to target your consumers. 

Organizations like The Trade Desk are creating alternatives like Unified ID 2.0, a stricter version of cookies that asks for users’ permission to receive targeted advertising on websites. It will an open-source framework that will be run by an independent, third-party organization and be an excellent option, keeping in mind that authenticated data will require mass adoption to work its best.

Aggregated Identity Data 

Individuals are grouped into cohorts with other like-minded or those with similar behaviours and targeted to as a group rather than as an individual. Still targeting interests but in a less invasive approach.  

This avenue will be less specific than current methods but keep a sense of personalization for users while their data remains protected. Aggregated data is likely to be the type of data collection we see develop the most over the next decade.  

Anonymous Data 

Contextual data is gathered, whether online or through geo-location data, and advertisers will have to cast the net wider and think differently.  

 These are a few of the several ways marketers are looking to gather and use data in the future. And though your marketing strategy may rely on one over another, it will be important to understand each one individually as well as how they play together in collecting information on your consumer. Privacy online will be one of the biggest topics online for years to come, both for users and advertisers, and finding the perfect balance of personalization and protection will come with great rewards or devastating consequences depending on your actions.  

With less specificity in the audience, it will be extra important to lean on marketers who understand not just the data, but what each movement means.