Home Data-Driven Thinking Ignore No More: 3 Impending Privacy Changes You Need To Pay Attention To Right Now

Ignore No More: 3 Impending Privacy Changes You Need To Pay Attention To Right Now

SHARE:
Ines Henrich, VP of sales planning and media strategy at Aki Technologies

Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Ines Henrich, VP of sales planning and media strategy at Aki Technologies, an Inmar Intelligence company.

When it comes to privacy legislation, denial often comes before compliance.

When GDPR went into effect back in 2018, some companies in the US simply ignored it, opting to shut down or limit operations in the EU instead of adjusting their data privacy practices.

But with privacy legislation in California (CPRA), Colorado (CPA) and Virginia (VCDPA) set to go into effect 2023, American businesses will have no choice but to accept and act.

How exactly does this trio build on the precedents that GDPR and CCPA have set? And what do companies need to do now to ensure compliance in 2023?

These laws will usher in an era of classification-based compliance, privacy assessments and restrictions to data sharing. Here’s how to prepare.

Understand the distinction between controller and processor 

The EU’s GDPR identified two classes of businesses dealing with customer data: controllers and processors. Controllers determine the purpose of processing data; processors process data on behalf of the controller but do not determine the purpose for processing.

Virginia’s and Colorado’s laws borrow the controller-processor distinction from the GDPR, forcing US businesses that operate in those states to reckon with that taxonomy. 

Most retailers and brands are considered controllers – and being a data controller under new legislation will come with new responsibilities. 

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

One new hurdle to navigate? Data subject access requests. These requests are consumers’ way of invoking their rights to find out what data a company has collected from them and to delete or correct inaccuracies in that data.

Prepare for privacy impact assessments

The Colorado and Virginia laws introduce a requirement for data controllers known as a privacy impact assessment or data protection assessment. Conducting a PIA entails assessing the benefits of sensitive data processing for targeted advertising, customer profiling or other use cases relative to the risk data collection and usage pose to the consumer. 

Not sure if you’ll have to conduct PIAs? Data mapping holds the answer. Data mapping is the practice of detailing how data moves throughout an organization. It helps businesses ensure they know exactly what data they are storing, how they are storing it and where it is going in order to limit risk, provide transparency to end users and comply with regulatory requests.

If it sounds daunting, fear not. Mapping can be automated, taking some of the burden off of businesses.  

Adjust to data sharing restrictions

CCPA forced businesses to give consumers the right to opt out of sales of their data to third parties. But there was a lack of clarity about whether data sharing to facilitate targeted online ads constituted a sale and therefore required an opt-out opportunity. 

But with CPRA, there’s no gray area. 

The law explicitly defines “sharing” to include “cross-textual behavioral advertising” (or targeted advertising based on user behavior). This means the many brands that share data with ad tech providers to facilitate advertising will now need to develop opt-out capabilities for customers. 

Brands will need to clearly state what data they are sharing and give consumers the right to opt out of sharing with third parties. This shift could present a major challenge not only in operationalization and compliance, but also in its potential impact on marketing. Marketers will also want to make the best possible case to consumers for necessary data processing and sharing, explaining the value exchange customer data makes possible.

Complying with new privacy laws will require some legwork, but if companies get it right, they can transform privacy challenges into opportunities. Eliminating regulatory liabilities is a big win, but shoring up consumer trust will be the most important victory.

Follow Aki Technologies (@akiunlocks) and AdExchanger (@adexchanger) on Twitter.

Must Read

Conversion APIs Are Becoming Table Stakes – But Not All Brands Have Bought In

CAPI integrations have moved from a nice-to-have to a necessity for anyone operating within walled garden environments. Now they’re laying the groundwork for an outcomes-driven ad ecosystem.

Peppa Pig

The Media And Retail Deals Behind The Peppa Pig Franchise Expansion

Peppa Pig is everywhere. Whether or not you have children, you likely know the little girl pig from the kid’s cartoon show. But the Peppa media franchise is just getting started.

How A For-Profit College Is Using CTV Ads To Win Over New Students

The American College of Education partnered with performance TV company MNTN to better reach its audience of adults seeking higher education.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Critics Say The Trade Desk Is Forcing Kokai Adoption, But Apparently It’s Up To Agencies

Is TTD forcing agencies to adopt the new Kokai interface despite claims they can still use the interface of their choice? Here’s what we were able to find out.

Why Big Brand Price Increases Will Flatten Ad Budgets

Product prices and marketing budgets are flip sides of the same coin. But the phase-in effects of tariffs, combined with vicissitudes of global weather and commodity production, challenge that truism.

The IAB Tech Lab Isn’t Pulling Any Punches In The Fight Against AI Scraping

IAB Tech Lab CEO Anthony Katsur didn’t mince his words when declaring unauthorized generative AI scraping of publisher content “theft, full stop.”