Customer privacy in digital marketing
Updated: Dec 10, 2021
Today's article focuses on the privacy issue of customer data in digital marketing. We will tell you which laws on the protection of confidential data have come into force and how companies are responding to them. Joseph Marc Blumenthal
In the era of digital marketing, the problem of personal data protection is especially acute. For example, the CLOUD Act passed in the United States in 2018 threatened the confidentiality of information held by American companies, regardless of their geolocation. The emergence of such a law suggests that the country's government is becoming a regulator of digital data exchange, and this cannot but affect business.
The Struggle for Data at the State Level
GDPR in the EU
On May 25, 2018, the General Data Protection Regulation (GDPR) entered into force.
The GDPR gives EU citizens and residents full control over their personal data. Even if a person's data is located in another country, he can easily control it. In case of violation of the EU regulation, it has the right to impose a fine of up to 20 million euros or collect 4% of the total income for the previous year.
The largest fines in the past three years have been received by companies:
● Google - €50 million in 2019.
Users complained that the company had no legal right to process their personal data for the purpose of displaying advertisements. Later it turned out that people did not give full consent to the processing, and where it was obtained, Google expressed itself ambiguously.
● Clothing retailer H&M - €35 million in 2020.
H&M was fined for violating employee privacy. The company's managers collected information about vacations and medical diagnoses of employees who were on sick leave. In addition, data from personal conversations were even recorded. The collected information was stored on H&M servers, and at least 50 managers had access to it.
In October 2019, the server crashed, and information about employees was made public, which attracted the attention of regulators.
● Amazon - 746 million euros in 2021.
Amazon has received a huge penalty for collecting and transmitting personal data using cookies. This is not the first time a company has been fined for violating GDPR data protection rules.
Cloud Act in the USA
The CLOUD Act went into effect on March 23, 2018 and immediately attracted attention. The fact is that the CLOUD Act upsets the balance in data protection. How? Let's tell you now.
In 2020, The Court of Justice of the European Union (CJEU) acknowledged that US service providers did not adequately protect the personal information of individuals from other countries. The CLOUD Act allows United States law enforcement agencies, through a warrant, subpoena, or court order, to request access to information about US citizens or residents from US providers located outside the country. However, there is no guarantee that requests will only concern citizens of the United States, and service providers in such a situation will side with their customers.
This law especially affected the General Data Protection Regulation (GDPR) or "General Data Protection Regulation".
The independent European Data Protection Board (EDPB) has concluded that US service providers who are also subject to the EC GDPR cannot legally justify the disclosure and transfer of personal data to the US based on a warrant or other court order. Sending data outside the EU is only possible under the Mutual Legal Assistance Treaty (MLAT).
Therefore, the EU regulation and the CLOUD Act contradict each other, when faced with a strict GDPR rule to have a compelling legal basis for the transfer of data.
China Data Protection Law
On August 20, 2021, the Law on the Protection of Personal Data entered into force in the PRC. Now, online resources are required to provide users with automated data processing options that ensure customer privacy.
On August 22, the People's Bank of China (Central Bank) fined four of the country's financial institutions 11.53 million yuan ($1.77 million) for illegal collection of personal data. Violations were identified in four banks: Postal Savings Bank, Huaxia Bank, Communications Bank and Industrial Bank of China.
The battle for data in the digital realm
In 2020, Google limited Third-Party Cookies in Chrome via the SiteName directive
Google released Chrome v80 in early February 2020 that supports blocking third-party cookies (called SameSite cookies). This feature will not be fully rolled out to all Chrome users until 2022.
A year later, on March 3, 2021, David Temkin issued a statement that after the termination of the use of third-party cookies, Google will not create alternative identifiers to track people who view the web. The company operates under the Privacy Sandbox, that is, it creates a product that simultaneously protects the privacy of people on the Internet and provides developers with the tools to create a thriving business in the digital environment.
Apple blocks Third-Party Cookies from March 24, 2020
On March 24, 2020, Apple released Intelligent Tracking Prevention (ITP) privacy update for Safari 13.1 browser. The browser now blocks all third-party cookies by default. This means that advertisers and analytics companies cannot use third-party cookies to track user activity on the Internet.
On the one hand, this is a big step towards user privacy, on the other hand, without analyzing user activity on the Internet, it will become difficult for companies to offer customers relevant goods and services.
Starting April 26, 2021, Apple in iOS 15 asks customers for tracking permission
On April 26, 2021, Apple introduced a new version of iOS (14.5), in which it prohibited iOS applications from direct access to IDFA (The Identifier for Advertisers). Now applications are required to ask for confirmation, and people will independently decide whether to use IDFA or not.
Thus, Apple broke the existing ad traffic system. If the user refuses to use the identifier, this leads to a decrease in the quality of attribution of mobile traffic and an increase in the cost of attracting users.
Apple offered the market an alternative - its privacy-safe traffic attribution system. It allows you to add install information to add networks but does not explicitly disclose visitor information. Therefore, the capabilities of the system are severely limited and do not cover the basic needs of marketers.
The main problem with the system is that developers and ad systems won't have user-level data. The data will be only in an aggregated form in the advertising office.
Global trend on Privacy First
Big data is popular in organizations for the promise of improved operations and new business opportunities.
More customer data means more sales.
What do customer data give us:
● obtaining new insights;
● improving your product;
● understanding your audience;
● establishing confidential communication with clients;
● improving marketing strategies;
● deep personalization of offers;
● increase in conversion and sales.
At the same time, big data is more easily leaked, which in turn jeopardizes people's privacy and violates data protection laws.
Today users have become concerned about the safety of their personal information. They are increasingly asking companies about data privacy. Companies are responding to this by blocking access to customer data on their platforms.
With the Privacy First approach, the user's privacy comes first. This means that companies no longer collect unnecessary personal data about their customers.
For example, when purchasing a jacket from an online store, you do not need to enter passport information or place of birth, but debit or credit card information is required. When you register for a webinar, you should not be asked for a place of work, unless it is a webinar in your specialty and the organizers need to take into account the position of the visitors.
So, as you may have noticed, today the struggle for data has entered the state level: the GDPR in the EU, the Cloud Act in the US, the Data Protection Law in China, and the closure of ecosystems can completely monopolize the customer data market.
This suggests that in this situation, one right decision has appeared: to build an independent system for collecting and managing customer data for direct and secure communications with customers in a digital environment. We'll talk more about this decision in an article coming out next week.