
The European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) changed the playing field for businesses around the world.

Businesses that collect customer data now have to comply with a host of new laws and regulations aimed at giving customers more control of their personal data. Web browsers increasingly feature added privacy controls and encryption. Third-party cookies are on the way out.

There’s a cultural shift happening and customers are gaining greater control over who gets to access their data and how it can be used. The long-term effects are still coming into focus but what’s increasingly clear is that businesses will need to redefine their relationship with their customers.

A Quick Legislative Catch-Up

Consumer privacy protection is the broad term for the set of rules that protect the privacy and data of consumers against abuse or misuse by businesses. It started when regulators recognized how much personal data the telephone industry had access to and progressed to the protection of online consumer data.

Lawmakers are typically late to the party and create legislation without a fundamental understanding of how these technologies work, which creates problems for practitioners. “Legislation has been written by bureaucrats who have no concept of the technical implementation challenges,” said Marcus Kirsch, author and founder of The Wicked Company. Kirsch shared that, from his perspective, keeping the data safe is a growing issue due to the increase in cyberthreats.

The European General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is one of the strictest data privacy regulations to pass, and went into effect on May 25, 2018. While it’s a European regulation, it applies to any business that processes the personal data of EU citizens or residents. Fines for noncompliance are significant — capped at €20 million (approximately $23 million) or 4% of global revenue.

While GDPR changed the entire global regulatory landscape, it was only the beginning, said Dana Simberkoff, chief risk, privacy and information security officer at AvePoint Inc. “With the California Consumer Protection Act (CCPA), China’s CyberSecurity Law and a number of other security and data breach notification laws, as well, the Schrems II decision [where the Privacy Shield data-sharing agreement between the U.S. and European Union was invalidated], it’s clear that the new normal for privacy laws will require clear, tangible and operational IT security controls,” she said.

Typically, businesses comply with the GDPR through a website pop-up or overlay that does not go away until the user clicks to agree or decline the use of cookies. If the user doesn’t agree, they must be presented with a cookie-free version of the website. It’s an implied consent tactic that removes the liability of the business by having the user acknowledge the use of cookies.

The California Consumer Privacy Act of 2018

The California Consumer Privacy Act of 2018 (CCPA), which went into effect on January 1, 2020, provides consumers with protections against data collection, including restrictions concerning the use of unique identifiers such as cookies and IP addresses, along with notification requirements and opt-in/out functionality similar to GDPR.

There are several differences, however. CCPA only applies to for-profit businesses that meet any of the following conditions:

  • Gross annual revenue of more than $25 million
  • Buys, receives or sells personal data of 50,000 or more California residents, households or devices
  • Derives 50% or more annual revenue from selling California residents’ personal information

Additionally, the CCPA only protects consumers who live in California although it applies to businesses in any location that meet the above criteria.

What’s Ahead: Proposed Privacy Laws

There have been legislative bills or bill drafts introduced or filed in at least 25 states in the U.S. as well as in Puerto Rico. The National Conference of State Legislatures’ Consumer Data Privacy Legislation page lists all the current and proposed privacy legislation and regulations.

Legislation introduced in 2020 addressed new and emerging privacy issues, including the collection and use of biometric or facial recognition data by businesses. Fourteen U.S. states introduced or are considering restrictions that require internet service providers (ISPs) to keep specified user information confidential.

COVID-19 forced many legislators to hit pause on new bills, but once the crisis subsides data privacy legislation will be back in the spotlight. The goal is to allow customers to exercise more control over who can access their data and how it can be used.

“Thanks to a perfect storm of events – namely, an increased amount of data breaches, heightened consumer awareness and some very serious and ethically questionable choices from large technology vendors – I believe we’ll come closer to seeing a U.S. federal privacy legislation within the very near future,” said Simberkoff. “And if not that, then we’ll definitely see increased regulatory scrutiny within the U.S.”

Targeted and Advertising Cookies in the Mix

Many businesses that run advertisements on websites use third-party cookies to track the effectiveness of campaigns or monitor the pages visited by a user. These cookies gather information about users to display relevant targeted ads. Think of the online shopper browsing for a new pair of shoes who sees an ad for that very pair of shoes when they visit their favorite news site.

The data gathered may be shared with other advertisers who do the same type of targeted marketing. Third-party cookies are also used to build user profiles that allow advertisers to gather statistics on ad performance. They are typically persistent cookies that originate from a website other than the one the user is currently on and follow that user to other websites, allowing marketers to collect more data and build a more detailed user profile.

Many browsers have begun using cookie blockers that restrict third-party cookies and users often have the ability to block third-party cookies in their user settings.

In 2019, Facebook began allowing advertisers to use first-party cookies, which originate from the domain of the website the user is currently on. Additionally, first-party cookies can generally be stored longer on a device than third-party cookies which enables advertisers to track consumers for a greater length of time.
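As an added illustration of the first-party/third-party and persistent-cookie distinctions described above (not code from the article or from any browser vendor or advertiser it names), the following Python script classifies a set of constructed Set-Cookie responses relative to the page being visited and then applies a browser-style policy that discards third-party cookies. The page URL, the response URLs, the cookie headers and the two-label registrable-domain rule are all assumptions made for the example; real browsers consult the Public Suffix List rather than counting DNS labels.

```python
"""Classify Set-Cookie responses as first- or third-party and session or persistent,
then apply a browser-style policy that rejects third-party cookies.

Constructed example for illustration: the URLs, cookie headers and the naive
registrable-domain rule below are assumptions, not data from the article."""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the 'site' a host belongs to.

    Assumption: the last two DNS labels identify the site. Real browsers use the
    Public Suffix List, so e.g. 'example.co.uk' would be handled differently there."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into its name/value pair and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def classify(page_url: str, response_url: str, header: str) -> dict:
    """Decide whether a cookie is first- or third-party for the page being visited,
    and whether it is persistent (carries Max-Age or Expires) or session-only."""
    cookie = parse_set_cookie(header)
    page_site = registrable_domain(urlsplit(page_url).hostname)
    response_host = urlsplit(response_url).hostname
    # A Domain attribute may widen the cookie to the whole site; the leading dot is legacy.
    cookie_host = cookie["attrs"].get("domain", response_host).lstrip(".")
    cookie_site = registrable_domain(cookie_host)
    party = "first" if cookie_site == page_site else "third"
    persistent = "max-age" in cookie["attrs"] or "expires" in cookie["attrs"]
    return {"name": cookie["name"], "party": party,
            "persistent": persistent, "site": cookie_site}


def apply_policy(page_url: str, responses, block_third_party: bool = True) -> list:
    """Keep only the cookies a browser with the given policy would store."""
    accepted = []
    for response_url, header in responses:
        info = classify(page_url, response_url, header)
        if block_third_party and info["party"] == "third":
            continue  # dropped, as Safari/Firefox do for third-party cookies
        accepted.append(info)
    return accepted


# Constructed sample: a news page that loads its own script host and an ad pixel.
PAGE = "https://news.example/articles/shoes"
RESPONSES = [
    ("https://news.example/articles/shoes",
     "session=9f3a; Path=/; HttpOnly"),
    ("https://cdn.news.example/analytics.js",
     "_site_visitor=ab12; Domain=.news.example; Max-Age=63072000; Path=/"),
    ("https://ads.tracker.test/pixel.gif",
     "_track=u7x9; Domain=.tracker.test; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
]

if __name__ == "__main__":
    for url, hdr in RESPONSES:
        print(classify(PAGE, url, hdr))
    kept = [c["name"] for c in apply_policy(PAGE, RESPONSES)]
    print("stored with third-party blocking:", kept)
```

Run as-is, the script shows the ad pixel's long-lived cookie classified as third-party and dropped, while the site's own visitor cookie (first-party, persistent for two years) is kept, which is exactly the gap the article points out: blocking third-party cookies limits cross-site tracking but leaves a site's tracking of its own visitors untouched.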

The stakes are high for business, both in terms of reputation and revenue. In July 2019, Facebook agreed to adopt new user data protections when it was hit with a $5 billion fine from the Federal Trade Commission for violating consumers' privacy rights related to the 2018 Cambridge Analytica scandal. To date this was the largest fine levied for privacy violations, and does not even include the $100 million Facebook agreed to pay to settle data misuse charges from the Securities and Exchange Commission.

What Does Customer-Controlled Data Look Like?

Despite the increased protections, it’s still challenging for customers to control their data online. Too many variables remain out of their control and doing business online still requires the use of data-gathering cookies.

Major web browsers are taking steps to make it easier and more consumer-friendly. The September 2019 release of the Firefox web browser began blocking third-party cookies by default as part of its Enhanced Tracking Protection feature. Also in 2019, Apple decreased the lifespan of third-party cookies in its Safari browser to seven days as a part of its Intelligent Tracking Protection policy and, in March 2020, updated Safari’s anti-tracking technology to allow users to completely block third-party cookies. Likewise, Google announced in January 2020 that it will phase out third-party cookies over the next two years in its Chrome browser.

The days of third-party tracking cookies are coming to an end. But the days of customer tracking are not. None of the major web browsers are trying to get rid of a website’s ability to track its own customers. Businesses may instead go back to using their own website analytics, a move that will at least limit the ability to track customers from site to site.

The long-term picture is clear. It’s time to move away from cookies and toward personalized interactions with customers who willingly make the choice to share their data in exchange for a valuable service. Businesses need to be transparent with consumers about how their data is being collected, and how it is going to be used.

“Transparency and accountability are key to building consumer confidence. The pillars of good data governance [are] based on principles of individual’s rights to and for their own data, and corporate responsibility to maintain ethical and responsible data principles for security, privacy, transparency, control, accountability, integrity, innovation and social impact,” said Simberkoff.

Businesses will once again need to build direct relationships with customers that enable them to gather valuable first-party data. Customers will have the choice to opt in to personalized services, subscriptions, mobile coupons and access to premium content through privacy-first methodologies and interactions with a business.