
General Data Protection Regulation (GDPR) enforcement began in the European Union (EU) 18 months ago. The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. More than a dozen other US states have introduced or passed increased privacy legislation including Nevada, Maine, New York and Washington, and material discussions surrounding a US federal data privacy law are underway. We now read stories about data privacy almost daily, and as a result, people are more aware of their privacy rights than ever before. Trust and transparency are the new currency of business. Needless to say, data privacy regulations are here to stay, so companies must learn to adapt to the changing regulatory landscape and the new social reality that accompanies it.

You may be wondering how we got to this point. There are many reasons that span many years, so a quick primer should be useful to help you and your company thrive in this ultra-privacy sensitive environment.

Cookies first. Teenage pregnancy later.

History of Cookies

In short, these laws are a reaction to a general erosion of trust in brands over the past couple of decades. To understand why that erosion has occurred, a great place to start is by considering the browser cookie. Browser cookies were created in the mid-1990s to solve one of the core issues that plagued the fledgling internet: every visitor and every visit to a website looked the same to that site, and companies couldn’t offer customized experiences or easily recall stateful information to provide virtual shopping carts and similar functionality.

Cookies solved this issue by allowing a website to write a unique identifier to a browser, which could then be retrieved every time that browser was used to visit the site. This allowed sites to customize the visitor experience. Simple. Practical. Effective. These personalization and preference settings paved the way for ecommerce and for shopping carts that you can leave and return to, finding your items still held for you. You can thank cookies for your living room-based holiday shopping experience, and your holiday season sanity.

Soon third-party cookies, which could be used to track a person’s web surfing activity across sites, became ubiquitous. They allowed companies to create very large, detailed profiles of people’s online activities and build entire industries around the collection, sale and use of this data for personalized advertising and other purposes. Companies bought data from brokers who sold profiles rich with data culled from browsing histories, including information about what you’re interested in, what sites you visit, and what your online behaviors are. These profiles got more and more detailed, especially when combined with offline data, and problems emerged due to inadequate transparency. Many companies that placed cookies and performed detailed cross-site tracking didn’t make their existence known, and nothing compelled them to be transparent.
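As an added illustration (not code from the article), the following Python model shows the mechanism described above: each site stores its own identifier in the browser, while a tracker embedded on both sites gets the same identifier back from each visit, and a browser that blocks third-party cookies breaks that link. The domain names and identifiers are constructed for the example.

```python
"""Toy model of how first-party and third-party cookies behave.

Added illustration, not code from the original article. A browser keeps one
cookie per domain; an embedded tracker domain gets its cookie back from every
site that embeds it, which is what links visits across sites. Domains and
identifiers here are constructed for the example.
"""
import secrets
from collections import defaultdict


class Browser:
    """Minimal cookie jar keyed by the domain that set the cookie."""

    def __init__(self, block_third_party=False):
        self.jar = {}  # domain -> identifier the site stored in the browser
        self.block_third_party = block_third_party

    def request(self, domain, top_level):
        """Return the identifier sent to `domain`, or None if none is sent.

        `top_level` is the site in the address bar; a request to a different
        domain is a third-party request, and the browser may refuse cookies there.
        """
        if domain != top_level and self.block_third_party:
            return None
        if domain not in self.jar:
            self.jar[domain] = secrets.token_hex(8)  # Set-Cookie on first visit
        return self.jar[domain]


def simulate(block_third_party=False):
    """Visit two publishers that both embed the tracker; return what each domain saw."""
    browser = Browser(block_third_party)
    seen = defaultdict(list)
    for site in ("news.example", "shop.example"):
        seen[site].append(browser.request(site, top_level=site))
        seen["tracker.example"].append(browser.request("tracker.example", top_level=site))
    return dict(seen)


def tracker_can_link_visits(block_third_party=False):
    """True when the tracker received the same identifier from both sites."""
    ids = simulate(block_third_party)["tracker.example"]
    return ids[0] is not None and ids[0] == ids[1]
```

With third-party cookie blocking turned on, the tracker receives no identifier at all, so the two visits cannot be joined into one profile.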

Companies began to rely heavily on third-party data, and its popularity skyrocketed by the mid-2000s. For relatively little money, businesses could buy the profiles of millions of people without ever giving a thought to how that data collection impacted the individuals whose data was being purchased. The notion of asking people for their data wasn’t valued and in many respects, was considered a surefire path to reduced revenue. The guiding principle was quantity over quality, profiles over people.

These practices continued in part because the public knew very little about them, but stories about data collection practices kept popping up in the mid- to late-2000s. As more and more people started learning about online data profiling, it freaked them out, and they began to lose trust in brands.

Stories like this one from 2012 …


Teen Pregnancy and Target Coupons

In early 2012, The New York Times ran an article entitled, "How Companies Learn Your Secrets," which uncovered Target's ability to predict a shopper was pregnant by assigning a “pregnancy prediction” score. The score was generated based on buying patterns including common items purchased together. According to the article, once the retailer determined a shopper was likely to be pregnant, they would mail her coupons customized to include items that would appeal to the specific stage in her pregnancy.

In one case, a Minneapolis father found out his teen daughter was pregnant not because she told him, but because Target had mailed her coupons for baby items. As Forbes put it in its own story based on the Times article, Target was able to “data mine its way into your womb.”

For clarity, the Target article was not the catalyst for any specific, large-scale change in public opinion, nor was it directly responsible for any change in legislation. I highlight it here to point out that increasingly sensational stories were emerging about what brands could learn about individuals using complex, often secretive profiling practices. In essence, it was one of the better “Oh crap” moments in recent memory, and another example of how people were learning that their private lives weren’t private and that businesses seemed to know more about them than some knew about themselves. This felt invasive, even though Target acted within the boundaries of the law. Government surveillance seemed to pale in comparison.


Privacy Laws Followed Suit

Regulators create laws to address the concerns of their constituents, and they had been hearing the concerns of individuals worried about invasions of their privacy for years. Around the same time the Target story was published, two significant developments were already underway in the EU.

  1. The EU’s cookie law requiring companies to disclose their use of cookies and collect affirmative consent before placing them had been adopted, to the delight of web design fanatics everywhere (sorry — I couldn’t help myself). The law, which was the result of a surprisingly small change to a pre-existing privacy directive, was intended to curb surreptitious cookie tracking.
  2. The EU introduced its initial proposal for the GDPR to modernize the privacy regime in its member countries and to replace the patchwork of privacy laws created under the Data Protection Directive already in force. The existing laws, created in the 1990s, were simply not suited to the modern internet age and were badly in need of a rework.

After GDPR went into effect in May 2018, California promptly followed suit in June by passing the CCPA. People demanded privacy protections they didn’t have and desperately wanted. With its passage, CCPA provided California residents with the most comprehensive set of privacy rights in the US.

Both GDPR and CCPA require companies to:

  • Provide detailed privacy notices.
  • Identify the entities with whom they share personal data.
  • Outline the types of personal data they collect.
  • Tell consumers the rights they can enforce against the business.
  • Give people access to their personal data, making it easy for people to take their data with them (emphasizing that personal data belongs to consumers, not businesses).
  • Erase personal data, when requested.
  • Provide significant data protection, with companies subject to massive financial penalties for violations.

CCPA also goes further by giving consumers the right to opt out of the sale of their personal data, and businesses are required to create dedicated, prominent functionality to accommodate that right.


How to Thrive in This Environment

Things will get more complex before they get better. People are tired of traditional data privacy practices, and because they know the value of their data, they know their rights and are happy to exercise them. They want to do business with brands they believe are truly focused on doing the right thing because it’s right, not because the law mandates it. Many laws still fall short of the bar that people set for the protection and respect of their digital lives. It’s not enough to be compliant when dealing with personal data. You need to exceed expectations. Remember the importance of consent, even when it’s not mandatory.

A business can seize the opportunity to differentiate itself by building trust with its customers based on transparency. If you can explain the value you provide someone in exchange for their data, and you can give them assurance that you will handle that data appropriately and respectfully, you have the foundation of a trusted consumer-brand relationship.