New Utah And Connecticut Data Privacy Laws Are Coming. Are You Ready?

Emilie Kuijt, data protection officer at AppsFlyer

Another day. Another privacy law. *Cue emergency marketing meeting.*

Marketers might as well go ahead and add “tightrope walker” to their list of skills. The delicate balance between personalization and stringent privacy laws is just as precarious as a high-wire act. 

Research shows that 66% of consumers want personalized ads, but nearly half of them are uncomfortable sharing any data. And with Utah and Connecticut joining California, Virginia and Colorado to become the fourth and fifth states to enact data privacy laws, marketers can’t seem to catch a break. 

While experts believe these new laws are similar to those already in effect, any new regulations can potentially throw a wrench into your operations. Prepare for what’s to come with this breakdown of what these laws are and their effects on marketing strategy. 

Utah’s Privacy Act (UCPA): Narrow scope, broad exemptions for SMBs

Utah’s Privacy Act (UCPA), which goes into effect on December 31, 2023, bears a close resemblance to Virginia’s Consumer Data Protection Act. If you switched up your strategy to align with that law in 2021, you should be able to pivot quickly for UCPA.

Like Virginia’s privacy act, UCPA gives consumers the right to access personal information that businesses collect on them. It also allows them to request deletion or to obtain a “portable copy” of the data. Additionally, consumers can opt out of sharing their data for targeted advertising.

Utah’s act is being hailed as more business-friendly than Virginia’s. Thanks to its narrower scope, it offers some exemptions to SMBs. 

Does this law apply to your business? 

The UCPA only applies if: 

  • You conduct business in Utah
  • Your annual revenue exceeds $25 million USD and
  • Your company deals with fewer than 100,000 consumers or
  • Less than 50% of your gross revenue comes from selling consumer data

In general, nonprofits are excluded from this law. Any data covered by another privacy law, such as HIPAA, or a public records law, such as tax rolls, would also be exempt. 

Connecticut’s Privacy Act (CTDPA): Similar but stringent?

Provisions in the Connecticut Data Privacy Act (CTDPA) that allow consumers to opt out of targeted advertising, profiling and data sales are stricter than in similar laws passed in California, Colorado, Virginia and Utah. The law also prevents “the right to cure,” meaning companies won’t be able to fix violations to avoid penalties. The law goes into effect on July 1, 2023.

Does the act apply to your brand?

The Connecticut law only applies if:

  • You conduct business in Connecticut
  • Your company handles the personal data of 100,000 consumers or more (not including data used to make payments) or
  • Your company handles the personal data of 25,000 consumers or more and made over 25% of its gross revenue from selling personal data.

Though the exemptions in this law are similar to Utah’s, there is no annual revenue threshold, so there’s no relief for small businesses. 

Importantly, both the Connecticut law and the Utah law require explicit consent to obtain children’s data.

How to prepare for these laws: Save this checklist

If you’re a data privacy champion and are GDPR compliant, you’re likely already in compliance with these new regulations. If not, here’s a checklist to get ahead of what’s to come: 

  • Provide a clear and easily accessible privacy policy that contains:
    • Categories of personal data you collect and reasons for collecting it (FYI: Consumers are more likely to share data if you’re transparent)
    • Categories of personal data you share with third parties (if applicable) and the categories of third parties you share data with
    • An active email address or online form consumers can use to contact you
  • Provide users with a clear and prominent way to opt out of the sale of their personal data to third parties, and an equally simple way to opt out of targeted advertising (the link or button must be clear and conspicuous on your site)
  • Collect only relevant and necessary data and ensure data is used only for intended purposes; don’t collect any sensitive data
  • Obtain explicit consent from all users, especially for consumers 16-19 years old
  • Don’t obtain consent through “dark patterns” and offer an easy way to revoke consent; stop processing data after consent is revoked
  • Work with data governance teams to:
    • Document all data collected 
    • Identify what falls under “personal data”
    • Design data architecture to minimize data collection

Sidestep the privacy-personalization paradox 

In addition to the five states that have already signed privacy bills into law, there are 21 considering privacy legislation. More are sure to follow. 

These fragmented privacy laws mean marketers will have a harder time developing loyal relationships with customers. And as consumers become aware of the dangers of being constantly surveilled, they’ll adopt privacy measures like VPNs. Measuring your marketing efforts could become a tall order.

Opt out of the waiting game. Stop hoping new privacy laws won’t make both customer-facing campaigns and internal measurement harder. Future-proof your marketing by making privacy the focal point of your marketing efforts.

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
