Consumer Data Privacy: Promise and Peril for Marketers

May 9, 2020

New Rules

The GDPR, or General Data Protection Regulation, is an EU law that has placed dramatic new restrictions on the ways that marketers can use data. U.S. marketers might be tempted to disregard directives envisioned by bureaucrats who work overseas. But, in a spin on a familiar metaphor, when a butterfly in Brussels beats its wings, the cascade of consequences can include a tornado in Texas.

The GDPR is no different. No matter where in the world a business operates, it falls under the scope of the GDPR if it electronically sells goods or services to people in Europe, or if it monitors the online behavior of people in Europe. And the penalty for a violation can be exorbitant — up to 4 percent of the organization's annual worldwide revenue.

Nor are these consequences strictly hypothetical, as extremely severe penalties have already been handed down. Google, for instance, received a €50 million penalty for maintaining insufficient transparency and control and making insufficient efforts to acquire consent in the processing of personal data.

And GDPR is just one of many regulations that govern how marketers can use consumer data. The United States is a patchwork of state laws related to the matter, with the California Consumer Privacy Act (CCPA) being the most aggressive to date. The vigor of these regulatory efforts reflects the mounting concerns among a growing number of consumers regarding how much of their data companies are harvesting and how it is being used.

High-profile scandals have fomented concerns. In early 2018 it was revealed, for instance, that Cambridge Analytica had gathered data associated with millions of people's Facebook profiles to assist political advertising efforts in the 2016 presidential election — and without the consent of Facebook users.

Consumers can't rely on organizations to refrain from siphoning their data in illicit ways and then putting it to illicit uses; even when organizations come by their data in permissible ways, they can't always keep it from falling into nefarious hands. For example, on September 7, 2017, Equifax announced that it had suffered a cyberattack in which hackers stole records that included names, addresses, and social security numbers pertaining to approximately 145.5 million Americans.

The urgency of many consumers' concerns over data has motivated several companies to make privacy a central tenant of their missions and, in turn, their branding. Apple has placed a special emphasis on privacy. Its Safari browser, for example, blocks the data collection that often guides how ads are served to web users while its iOS 13 alerts users when an app wants to use their location data, giving users ample opportunities to decline what some will perceive as an intrusion.

GDPR is just one of many regulations that govern how marketers can use consumer data. The United States is a patchwork of state laws related to the matter, with the California Consumer Privacy Act (CCPA) being the most aggressive to date. The vigor of these regulatory efforts reflects the mounting concerns among a growing number of consumers regarding how their data is being harvested.

All of these features can exert a strong appeal for privacy-minded consumers, enabling Apple to wed its brand purpose to a defense of privacy. But companies needn't adopt changes as extensive as Apple has done. Even brands that continue to digitally collect data on consumers can take steps to foster trust and bolster transparency.

A critical place for this work is in the consent processes for data collection. Although these are mandated by many regulations such as the GDPR, they give marketers an opportunity to cultivate a relationship with users. These actions should be occasions for communication not obfuscation. When requesting consent, organizations should use plain English as opposed to legalese.

In addition to cultivating positive relationships with consumers, sensible data practices are important to an organization's basic operations. When organizations do collect data, they should know what they have and where they have it — if not for the benefit of consumers, than for the benefit of the organization itself, which must be able to map the location of data to make efficient use of it. Most important, organizations must know the steps they're taking to secure the data they collect and to keep it secure.

Recent Data Regulations

The GDPR and Digital Advertising

The General Data Protection Regulation looms large among recently issued consumer data regulations. The GDPR requires digital advertisers to take precautionary measures in the course of collecting, processing, and using personal data for marketing purposes. It applies to:

  • Data controllers: people or entities that make decisions about the processing of data (most often brands or agencies)
  • Data processors: people or entities that process data on behalf of the data controller (e.g., vendors)

U.S. marketers fall within the purview of the regulation when their organizations either offer goods or services to EU citizens or avail themselves of data compiled by tracking or monitoring EU citizens online. The fact that an organization does not have an establishment in the EU does not protect it against the regulation. To comply, organizations must have:

  • A data protection officer in place
  • A register of data-processing activities
  • A business justification for those activities
  • Data-breach preparedness
  • Procedures for the review of data processing and international data transfers
  • An explicit determination of the territorial scope of the data collection that they carry out or that others carry out on their behalf
  • Processes in place to transparently convey to data subjects both their rights and the organization's approach to using data

Advice for Data Security and Compliance

To offer further help to marketers whose data-collection practices might fall within the scope of the GDPR or other regulations, law firm Reed Smith LLP offered the following eight tips.

1. Be on the lookout for potential data liability issues. Risks can lurk in myriad areas of the law, including the Fair Housing Act, CAN-SPAM, employment laws, the Children's Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act. For instance, several housing authority corporations are suing Facebook for providing advertisers with a tool that allowed them to discriminate against people according to their housing. And the New York Attorney General settled a case with toy manufacturers that used a tool to track children online and target them with toy ads.

2. Protect any data collected by the company or its vendors. To do this effectively, marketers must understand:

  • The quality of their vendors
  • The flow of data from beginning to end
  • Who stores data and where
  • Who has access and how
  • What steps are being taken to protect data

When marketers lack such an understanding, serious consequences can result. In one case a marketing firm inadvertently permitted public access to a database of 12,000 social media influencers, along with their home addresses, email addresses, and phone numbers, as well as the names of the brands that partnered with them.

3. Plan ahead for how to maintain access, control, and portability of their data. Maintaining access requires maintaining the ability to not only access data handled and/or controlled by third parties, but also the ability to discern:

  • Who is collecting data
  • The cost of the data
  • The quality, validity, and authenticity of data
  • How that data is stored

Maintaining control requires maintaining the ability to:

  • Manage how one's data is collected and stored.
  • Clearly document the rights to data.
  • Discern limitations on data.
  • Audit rights to data.

For marketers to maintain the portability of their data, they must maintain the ability to:

  • Take data to another provider.
  • Integrate their data with other data.

4. Read and understand their own privacy policies. Liability for false advertising hinges on one's privacy policies and other disclosures made to consumers. To avoid liability, marketers should examine how these disclosures characterize their practices for collecting, sharing, and using consumer data and consider any inconsistencies with their actual practices. For instance, Snapchat had to settle a case with the FTC after investigators discovered that it did not delete messages that users were told would permanently disappear.

5. Understand technology. When using data-collection technology, consider how it works, and if that would not just violate the law, but unnerve consumers. Unsettled web-users filed several class action suits against Navastone after discovering that the organization was recording the keystrokes of its website's visitors.

6. Use caution when collecting and using personal or sensitive information. TV manufacturer VIZIO was forced to pay the FTC more than $2 million after investigators discovered that it was collecting data on users' viewing habits and selling it so other companies could target those users with tailored ads.

7. Participate in self-regulatory efforts and convince partners to do likewise. Several groups have emerged, including:

  • Digital Advertising Alliance: A coalition of media and marketing associations, publishers, and advertising service providers
  • Network Advertising Initiative: An association of advertising networks
  • Trustworthy Accountability Group: A joint marketing-media industry program, which focuses on four initiatives: eliminating fraudulent digital advertising traffic, combating malware, fighting ad-supported internet piracy to promote brand integrity, and promoting brand safety through greater transparency

8. Partner with IT, data security, and legal. Owing to their position on the cutting edge of the technologies used to reach and monitor consumers, marketers are in the best position to flag potential issues for legal and data privacy specialists.

The CCPA: An Overview

Europe is not the only source of new regulations with which brands must comply. Indeed, many states have their own regulations governing marketers' use of data, foremost among them the California Consumer Privacy Act (CCPA), which went into effect in January 2020.

The CCPA governs any brand that does business in California and also meets at least one of the following three conditions:

  • The organization's gross revenue exceeds $25 million.
  • The organization derives more than half of its revenue from "selling" consumers' personal information.
  • The organization annually buys, receives, sells, or shares, for commercial purposes, the personally identifiable information of more than 50,000 consumers, devices, or households that reside
    in California.

In many ways, the CCPA is even more exacting than the GDPR. To comply with it, organizations must:

  • Notify data subjects of a data breach within 48 hours (whether the consequences of the breach have been determined by then or not).
  • Provide data subjects with access to their personal information and allow them to have that information deleted, whether it's maintained by the organization itself or by a vendor.
  • Provide users with the ability to opt out of data-collection practices through means that must include both an 800 number and a link on the website labeled "Do Not Sell My Personal Information."

If a consumer does opt out, the CCPA forbids a company from then discriminating against him or her by:

  • Denying the consumer goods or services
  • Charging the consumer a different price for goods or services
  • Providing the consumer with goods or services of a different level of quality
  • Even suggesting that the consumer will receive a different price, rate, or level of quality

The Nitty-Gritty of the CCPA

While the above information captures the CCPA in broad strokes, a richer understanding can be reached by examining some of the specific terminology in the legislation. The CCPA, for instance, expanded the legal definitions of "personal information," "collect," and "sell."

Personal information is any information that identifies or reasonably links to a consumer. Companies may provide assurances that collected data is aggregated or de-identified for other purposes, such as for statistical analysis or for the benefit of the customer. Companies should demand that partners demonstrate how data is de-identified and investigate such claims themselves. Collecting refers to the practice of obtaining information by any means.

Selling includes any communication or transfer of consumer data by a CCPA-covered business to a third party. It's defined as the exposure of information for monetary or non-monetary benefits. This definition stands regardless of how immediate benefits are obtained.

Exceptions to the Rule

The CCPA excludes certain activities from its definition of sales. These activities are related to the transfer of personal information for the benefit of the consumer. These benefits include enrolling into loyalty/rewards programs, special promotions, opt-outs, or other instances in which brands provide customers with incentives for providing personal information.

Sales of data that violate the CCPA can be avoided by obtaining permission from the consumer: the privacy law allows for the transfer of personal information if the consumer directs the transfer and the recipient doesn't sell it afterward, unless the transaction is consistent with CCPA regulations.

Brands can direct consumers to disclosure notices and "I agree" buttons to obtain permissions. Notice and disclosure obligation should be provided to consumers at or before the collecting of personal information. Companies should treat disclosure messaging like ad copy, developing their own language instead of lifting legal jargon. Messaging should be transparent and build trust between brand and consumer.

How to Avoid Violations

Violations of the CCPA can result in penalties of between $2,500 and $7,500 per violation. To avoid violations, companies should add more employees to their privacy teams and consider the customer experience when developing language about consumer rights.

Brands and marketers should also avoid working with companies which use ambiguous language to describe their operations. Some companies may say they are vendors or suppliers to preserve their right to use data in ways that aren't compliant with CCPA regulations. Businesses must also know the role of the data in their possession, who owns it, and which partners hold certain responsibilities and obligations. Lastly, companies should delete any data they aren't using.

The CCPA Illustrated

Sarah Bruno, partner at Reed Smith LLP, considered several hypothetical circumstances to illustrate some of the measures necessary to maintain compliance with the CCPA.

Q. Your brand is introducing a new product aimed at teenage audiences and you decide to launch it on a popular teen social media site. The site views this as an opportunity to generate ad revenue from your brand. Your brand invites users to share pictures and videos through your brand's profile on the site, and to tag your brand and hashtag your brand's product. The social media site collects users' data — social media handles, pictures, videos, identifiers (including email addresses), mobile phone numbers, usage information, and tracking information (such as unique device identifiers and metadata to enable ad delivery) — but does not ask for any monetary exchange. Your brand wants the social media site to provide all of that data so you can continue to market to these potential customers. Does this promotion constitute a sale of personal information (PI) from the social media site to your brand?

A. Yes, this promotion constitutes a sale. The CCPA defines a sale as transferring consumer personal information (PI) for monetary consideration or other valuable consideration. In this promotion, although there is no monetary sale of the consumer data, both your brand and the social media site mutually benefit from its exchange. The social media site gets ad revenue from your brand, while your brand gets PI that can be used for marketing to customers.

Marketers who sell goods or services must provide a "Do Not Sell My Personal Information" link on websites, enabling consumers to veto the sale of their PI to third parties. This right must flow through to any parties that received data via a sale in the 90 days prior to the customer clicking on the link.

Q. Since the PI is being sold to your brand, what can the social media site do to ensure compliance with the CCPA?

A. The social media site has several options at its disposal to ensure the flow of PI data complies with
the CCPA:

  1. Cookie solution: The social media site can keep track of data exchanged on its own and notify downstream participants via cookies.
  2. DAA solution: This tool, offered by the Digital Advertising Alliance (DAA), allows consumers to send opt-out requests to all participating companies. (Of which more will be said in an article that follows this one.)
  3. IAB solution: The Interactive Advertising Bureau (IAB) developed a "compliance framework" arrangement with two components: a) a master contract that binds supply chain partners to specific behaviors that meet the law's provisions and b) a set of technical specifications that guide companies on how to implement the contract mechanically in their operations.
  4. Google solution: Google has a section of its privacy pages devoted to "restricted data processing," which enables users to limit the use of their data for only service-related functions

    Nota bene:
    Aggregated data and de-identified data are not considered personal information under the CCPA.

Q. The social media site which has partnered with your brand is popular among users ages 12–21. What can be done to address the issue under CCPA legislation?

A. The CCPA stipulates that a business cannot sell PI without affirmative authorization from users between the ages of 13 and 16 and from the parents of users under 13. The social media site, and your brand's presence on the site, need to specify the terms of use and a privacy policy requiring users to be 16 or older and to independently approve the sale of PI.

Your brand needs to rely on credit card information for purchases on the site (since customers have to be at least 18 years old to have a credit card), and both your brand and the social media site need universal cookie banners which all users must affirmatively accept.

The social media site might also consider an age gate if it has the technology to parse through data for users under 16 years old. Thirteen- to 16-year-olds can access the site, but must affirmatively opt in before using it, while users over the age of 16 would require a "Do Not Sell My Personal Information" link.

Q. Your brand's marketing team learns that a competitor is introducing a similar product two weeks before your launch. To gain competitive advantage, your brand promotes a contest on the social media site, wherein users who post a video or picture on the site receive a free giveaway. How would this giveaway be handled under CCPA rules?

A. The CCPA says your brand may offer these "financial incentives" in the U.S., as long as the incentives or price difference are summarized in the contest rules on your brand's profile on the social media site. In describing the rules, your brand must explain how consumers can enter the contest and how they have the right to withdraw from it, deleting their consumer data.

The rules also need to give an estimated value of the consumer data and a description of the method used to calculate the value (for instance, the price of the giveaway is equivalent to the value of an email address for marketing reasons).

The financial incentive must be reasonably related to the value of the consumer's data. According to the CCPA, it is discriminatory and prohibited for a business to treat consumers differently if they have opted out of having their PI collected and used. If consumers wanted their data deleted, they would still be eligible for the giveaway contest.

Resources for Compliance

The DAA's New CCPA Opt-Out Tool

The CCPA, among its other prescriptions, obliges marketers to give consumers the opportunity to opt out of certain data collection practices. Facilitating these opt-outs could be a challenge, but Lou Mastria, executive director of the Digital Advertising Alliance (DAA), said his organization — a self-regulatory body representing many brands — is ready to help marketers meet it with new tools that can help consumers adjust to CCPA legislation.

In December, the DAA introduced two resources, one for websites and one in apps, which can be used by consumers in California to send requests to companies to opt out of the sale of their personal information (PI). The opt-out tools apply to publishers and advertisers that collect and sell PI, as well as third parties that do the same. With these CCPA-compliant tools, Mastria said, consumers gain valuable insight into CCPA-participant companies and their privacy practices.

According to Mastria, the opt-out procedure is a multistep process: The DAA provides publishers (website and app owners) with a standard graphic file — a "CA Do Not Sell My Information" icon. The icon, placed at the footer of the website or app, links consumers to a disclosure notice about their rights related to the CCPA. Following the click-through, consumers are presented with an opt-out of the sale of their PI (via

If any third-party vendor collects PI from the publisher for advertising and analytics purposes and sells that data, Mastria said, the notification must state as much on the publisher's digital property. The source code of the website or app also requires a "flag" notice, machine-readable by third parties, indicating that the notice link and link to opt out have been given to the consumer. Under CCPA regulations, if the advertiser has not made these links available, third-party vendors should not be collecting data from the site or app.

Mastria said the DAA has a separate set of tools, both web-based ( and app-based (compatible with iOS/Android), for third parties to receive their own "do not sell" opt-outs.

Industry Launches "Privacy for America" Coalition

The CCPA and other privacy regulations have created abundant concerns among marketers of most every stripe. An effort to address some of these concerns was mounted on April 8, 2019, when the ANA, the 4A's, the IAB, and the NAI announced the creation of a new "Privacy for America" coalition. The coalition's goal is to create a national holistic privacy and data security policy. The current privacy and security paradigm is a crazy-quilt of state regulations that, in the industry's view, is not adequate to the needs of consumers.

The new policy seeks to achieve a single federal answer to the question of regulation and is centered on the belief that consumers want three simple things:

  1. They want their data to be used in ways that help them.
  2. They do not want their data to be used in ways that hurt them.
  3. They want their data to be secure.

The coalition hopes to build bipartisan support in Washington, D.C. for the plan. It sees the plan as something that everyone can support because it empowers advertising while adding protection and building trust for consumers. The consensus is that this approach is more politically viable than the industry's previous attempts at privacy legislation.

The coalition has built a steering committee, solicited expert advice, and commissioned consumer research. It also has announced the coalition's basic objectives:

  1. Protect consumers nationwide, preempting state laws.
  2. Restrict unfavorable, discriminatory practices arising from the improper use of consumer data.
  3. Create a new data protection bureau that will have rule-making authority.
  4. Ensure responsible advertising practices.
  5. Issue penalties for violations.
  6. Create standards that will last for the next 20 to 30 years.

Recent Data Regulations

Endangered Species: GPS Data and Cookies

Laws and regulations aren't the only measures that are complicating marketers' relationship to consumer data. At a recent meeting of the West Coast chapter of the ANA's Digital and Social Committee, QDOBA sounded the alarm over the fact that Apple iOS 13 effectively curtails the use of GPS data. It does so by requiring users to repeatedly give permission to apps to use it, likely discouraging such permissions.

This development has serious implications for targeting and attribution. An organization such as QDOBA uses GPS as one of the most effective ways of narrowing the scope of its marketing. A huge swath of the population enjoys Mexican food, but for many, proximity is a determining factor in whether they seek it out. In some markets, 25 percent of QDOBA eaters travel under 2.6 miles from home or work to visit a location, while 50 percent travel less than three miles. Under such circumstances, geolocation data available through consumers' phones has played a critical role in QDOBA's effort to target its marketing efforts — a role that Apple's decision has begun to make unfeasible.

In addition to aiding targeting efforts, GPS data aids attribution. Certain firms such as Cuebiq and Foursquare can match advertising data with location data to see who among those exposed to an ad have also visited a restaurant. Closing the loop in this way goes a long way toward quantifying return on advertising spend. But Apple's adjustment to its operating system has imperiled this capability just as it has GPS-enabled targeting.

GPS is not the only form of data that marketers rely on for the purpose of targeting and attribution. Cookies also play a critical role in these processes. But, like GPS data, cookies have been endangered by a recent decision made by a tech giant, namely Google's plan to stop supporting the use of cookies in its browser, Chrome, by 2022.

Cookies are files that record a web user's characteristics based on past online activity (exclusive of personally identifiable information). Marketers access these files to guide the ads that they serve to users. For instance, if a user viewed a DeWalt drill on, a cookie can record and convey that fact so that the individual can be served ads for the drill in the future. Similarly, cookies can tell ESPN that a given user is a male in a certain age group to guide the ads he's served more effectively. If Chrome stops supporting cookies, brands will no longer be able to target marketing in this way.

Cookies also help ascertain if ad exposure corresponded with a store visit. They do so by contributing to the anonymized but unified profiles that organizations such as LiveRamp can help create by stitching together ad server data, TV log data, and cookie data, along with GPS data from companies such as GroundTruth. This work might reveal, for instance, that people served an ad on ESPN's website don't convert at as high a rate as people who were served an ad on the New York Times website. But if Chrome stops supporting cookies, attribution as robust as this could become a thing of the past.

Source Information

"The GDPR, CCPA, and Digital Advertising." Erika Kweon, Associate at Reed Smith LLP; Gerard Stegmaier, Partner at Reed Smith LLP; Douglas Wood, Partner at Reed Smith LLP. ANA Media Leadership Committee Meeting, 10/2/18; ANA Legal Affairs Committee Meeting, 10/17/18; ANA Masters of Marketing Conference, 10/26/18.

"Protecting Your Data and Staying Out of Jail." Keri Bruce, Partner at Reed Smith LLP. 2018 ANA Advertising Financial Management Conference, 5/1/18.

"The CCPA and Digital Advertising." Gerry Stegmaier, Partner, IP, Tech, and Data at Reed Smith LLP; Erika Kweon, Associate, IP, Tech, and Data at Reed Smith LLP. Media Leadership Committee, 10/29/19.

"The CCPA Is Here — Now What?" Sarah Bruno, Partner, Reed Smith LLP. ANA Legal Affairs Committee Meeting, 1/22/20.

"The DAA's New CCPA Opt-Out Tool." Lou Mastria, Executive Director, Digital Advertising Alliance (DAA). ANA Legal Affairs Committee Meeting, 1/22/20.

"An Introduction to 'Privacy for America.'" Stuart P. Ingis, Partner at and Chairman of Venable LLP. ANA Government Relations Committee, 5/7/19.

"Newly Endangered Species: GPS Data and Cookies." Chris Theilen, Media Manager at QDOBA. ANA Digital and Social Committee Meeting, West Coast Chapter, 1/30/20.


"Consumer Data Privacy: Promise and Peril for Marketers." Insight brief compiled by Morgan Strawn, Manager, Marketing Knowledge Center. Designer: Amy Zeng, Marketing and Communications, ANA. Editor: Matthew Schwartz, Senior Manager, Marketing and Communications, ANA. © Copyright 2020 by the Association of National Advertisers, Inc. All rights reserved.