Dig deeper: ChatGPT under threat from European regulators

This is the largest GDPR fine ever handed down, surpassing the previous record of $887 million against Amazon in 2021. The ruling gives Meta five months to put in place measures to halt future transfers of personal data to the United States and six months to stop “the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR.”

Why we care. If the ruling is put in place Facebook would have to delete a huge amount of data and restructure its IT systems at a very fundamental level. It also would have enormous implications for any company transferring data between the two areas.

The best hope for staying the ruling is a new data transfer treaty between the U.S. and E.U.

Until 2020, these transfers were protected by the Privacy Shield treaty between the two governments. That year the E.U.’s highest court invalidated the treaty by ruling it did not sufficiently protect E.U. citizens’ data from American spy agencies. 

Negotiations have been underway since the high court’s ruling. Last year, President Biden and Ursula von der Leyen, the president of the European Union, announced the outlines of a deal, but the details are still being hammered out. No doubt Monday’s decision will increase the pressure on the U.S. to get it done. However, the complexity of the issues makes it difficult to move quickly.

Are you getting the most from your stack? Take the 2023 MarTech Replacement Survey

By the numbers. May 25 will be the fifth anniversary of GDPR, and Privacy Affairs has been tracking the fines – all 1,701 of them, for a grand total of over $4 billion:

• Meta accounts for over 50% of all GDPR fines – the company has amassed $2.5 billion in penalties.
• Meta has been fined seven times – including four just in 2022.
• By comparison, Amazon and Google have combined for more than $800 million in GDPR fines.

Only Facebook. The decision applies only to Facebook and not other Meta-owned platforms such as Instagram and WhatsApp.

The company said it plans to appeal.

“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” Nick Clegg, Meta’s president of global affairs, and Jennifer Newstead, its chief legal officer, said in a statement.

The post EU fines Facebook $1.3 billion for privacy violations appeared first on MarTech.

When the European Union adopted its General Data Protection Regulation in 2018, the law was heralded as a privacy game changer that would usher in a new era of consent around online data collection and put the right to protect personal information directly in the hands of individuals.

It was also meant to standardize privacy laws across member EU nations. GDPR would eliminate the need for individual countries to write their own regulations — as well as requiring any company, regardless of location, that markets goods or services to EU residents to comply with the law.

But five years later, enforcement challenges dog the watershed law, with complaints that were filed the day GDPR hit — alleging that Facebook, Instagram, WhatsApp, and Google forced users to give up personal information without proper consent — still wending their way through the court system.

Meanwhile, technology continues to evolve at a pace with which the glacial legal system simply cannot keep up (this article about GDPR compliance and AI tools like ChatGPT helps paint a picture of the challenges ahead).

This disconnect, along with rumblings over lax enforcement, particularly in countries where big tech vendors are headquartered, are just a couple of the reasons that EU regulators are now looking to fine-tune the way GDPR is administered.

This piece will take a closer look at those procedural changes – as well as other data privacy regulations in the hopper, go over some of the law’s biggest fines to date, and examine what marketers need to know as we head into the second half of 2023.

Procedural changes on the horizon

Earlier this year, the European Commission announced that it would seek to streamline the way data protection authorities across the EU work together when enforcing GDPR in cross-border cases. “This will support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms,” the Commission noted. The initiative — called Procedural Rules of Enforcement — aims to tackle a host of problems, from how GDPR complaints are handled to the duration of proceedings themselves. And when consensus cannot be reached, the proposed enforcement rules will “clarify” the procedural aspects of dispute resolution.

Critics have said the new enforcement rules are light on specifics, but with close to 800 cases pending under GDPR, procedural reform is critical. As the NOYB, or European Center for Digital Rights, a non-profit based in Vienna, Austria, puts it, GDPR is enforced in theory only, with the tech companies finding ways to stall proceedings, appeal rulings, and circumvent fines. (“NOYB” is short for “none of your business.”)

GDPR’s stateside influence

In the U.S., new or amended data privacy laws are on the books in Virginia, California, Colorado, Connecticut, and Utah, with enforcement dates ranging from January 1 of this year (Virginia) to December 31 (Utah), with California, Colorado, and Connecticut effective as of July 1 (in California, the California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA)).

In addition, nine other states have proposed laws that are still pending, but marketers should anticipate eventual enactment.

These laws are notable in the present context because — with the exception of California — they all “adapt terminology” from GDPR, yet diverge in how they are enforced, with district attorneys, attorneys general, and, in the case of California, the California Privacy Protection Agency, all in the enforcement mix.

For marketers, cookie management will be of paramount importance as brands/websites continue to understand how consumer rights around sensitive data are protected under the state laws.

At the federal level, there’s a bipartisan effort to establish a new privacy law — called the American Data Privacy and Protection Act (ADPPA) — that would create a national standard around individual rights. And on March 1, the House Committee on Energy and Commerce held a hearing on the proposed law.

While no vote was held, privacy groups and other stakeholders note that the desire for federal privacy legislation exists and may ultimately result in action.

Dig deeper: Only 11% of US businesses fully comply with CCPA privacy law

GDPR lobs hefty fines

Back in Europe, GDPR enforcement issues aside, some complaints have resulted in large fines, levied against companies like Meta, Amazon, and Google.

The year started with a $413 million fine against Meta for GDPR violations by Facebook and Instagram. Delivered by the Irish Data Protection Commission (DPC), which, incidentally, has faced extensive criticism for how it handles GDPR complaints, the agency’s actions affirmed a decision by the European Data Protection Board that said “contractual necessity” isn’t an appropriate reason to run behavioral ads. (Behavioral ads refer to online advertisements or marketing messages that are delivered to consumers based on their search history).

For years, Meta had been bundling its user-consent agreement into its apps’ contractual terms of services, which effectively forced users to agree to data harvesting if they wanted to use the platforms.

Meta’s early January fine came on the heels of a very expensive 2022 for the company, which saw penalties doled out to the tune of more than $800 million. It was also told it had three months to put measures into place to ask users for permission to run behavioral ads; at the end of March, the Wall Street Journal reported that Meta would allow users in Europe to opt out of targeted ads. But the company isn’t making it easy, requiring users to submit an online form stating their objections.

Along with the Meta fines, other notable GDPR sanctions include:

• $785 million against Amazon, decided in July 2021 by Luxembourg’s data authority. This decision — to date the largest penalty under GDPR, and which centers on how the company processes personal data — is currently under appeal.
• $237 million against WhatsApp (the Meta-owned messaging service), decided in September 2021 by DPC which signaled the culmination of a three-year inquiry into how the app shared user data with Facebook.
• $52 million against search giant Google, an early GDPR fine (January 2019) that was later upheld on appeal in French court. That country’s National Data Protection Commission determined Google was not in compliance with GDPR’s data transparency guidelines and that the company did not sufficiently make clear how user data was collected and used for targeted ads.

What marketers need to know

Two words need to be high on every marketer’s list when it comes to GDPR: compliance and consent. Compliance, of course, refers to the need for companies with any sort of web presence that market to customers in the EU to understand the regulation, keep up to date on changes as they happen, and be able to react quickly when issues arise.

Of course, tangential to that is the need for marketers to understand the types of data their companies collect, and, more importantly, how that data is processed, stored, and what kind of sensitive personal information it contains. Compliance also hinges on collecting necessary data only.

Top of mind for marketers should be the other key word: consent. Broadly speaking, companies are more likely to remain in compliance with GDPR when they have gotten the proper permission to gather or use users’ personal information. It may sound obvious, but GDPR has a specific definition for consent, which is “any freely given, specific, informed, and unambiguous indication” that the subject agrees to allow websites to gather and process their personal data.

Unsurprisingly, marketers have a big role to play, not only in understanding, but in enabling compliance with GDPR and the US-based rules and regulations it has influenced. While the regulatory landscape continues to evolve, so does consumers’ desire to safeguard their privacy.

In the five years that it has been on the books, GDPR has proven if nothing else that protecting data is a corporate responsibility. Companies that handle data with care and show users that their concerns over online privacy are valid will have an edge over their less prudent competitors.

Dig deeper: Build trust, gain sales

---

Get MarTech! Daily. Free. In your inbox.

Business email address

Subscribe    Processing...

See terms.

---

The post MarTech’s guide to GDPR: The General Data Protection Regulation appeared first on MarTech.

Researching identity resolution vendors

Once you determine an enterprise identity resolution platform makes sense for your business, spend time researching individual vendors and their capabilities by doing the following: 

• Create and prioritize a list of identity resolution use cases, from essential to not necessary. 
• Use that list as a basis for your research — many of the vendors profiled in this report also provide blogs, ebooks and interactive tools that can help. 
• Make a list of the vendors meeting your criteria, reach out to them and set a deadline for replies. 
• Decide whether or not you need to engage in a formal RFI/RFP process.

Identity resolution is not only critical to marketing success but is essential for compliance with consumer privacy laws such as CCPA and GDPR. Explore the platforms essential to identity resolution in the latest edition of this MarTech Intelligence Report.

Click here to download!

RFI/RFP process

The RFI/RFP process is an individual preference, however be sure to give the same criteria to each vendor to facilitate comparison. The most effective RFPs only request relevant information and provide ample information about your brand and its identity resolution needs. It should reflect high-level strategic goals and KPIs. For example, mention your company’s most important KPIs and how you will evaluate the success of your efforts. Include details about timelines and the platforms in your existing martech stack. 

When written properly, an RFP will facilitate the sales process and ensure everyone involved comes to a shared understanding of the purpose, requirements, scope and structure of the intended purchase. From the RFP responses, you should be able to narrow your list down to three or four platforms to demo.

Demo the platforms

Schedule demos as close together as possible for the best comparisons. Make sure all potential users are on the demo call and pay attention to the following: 

• How easy is it to use? 
• Does the vendor understand our business and marketing needs? 
• Are they showing us our “must-have” features?

Questions for vendors

Here are some questions to ask vendors that touch on important considerations in your identity resolution search:

Data onboarding and privacy 

• Does the platform support first-party data onboarding? 
• Can we incorporate any of our private customer IDs into the platform? 
• Do you use probabilistic, deterministic or a hybrid approach to matching? 
• How do you validate the accuracy of your deterministic matches? 
• What match rate can we expect, given our vertical market and database size? 
• How do you comply with privacy regulations and consumer choice? 

Identity graph 

• Do you own or license your referential identity data? 
• What are your identity data sources? 
• How do you validate the quality of your identity graph? 
• How much of your data is addressable? 
• How is your identity graph linked to offline PII? 
• Do your identity capabilities apply to non-U.S. markets? 

Martech and adtech integration 

• How does the platform integrate with martech platforms (i.e., CRMs, DSPs, CDPs)? 
• Does the platform feature any built-in data activation capabilities (i.e., personalized email or ad campaign execution)? 
• Do you have APIs available for data import/export? 
• What reporting do you provide that will document the ROI from our identity efforts? 

Customer support 

The post 24 questions to ask identity resolution vendors during a demo appeared first on MarTech.

Does our customer data reside in disconnected silos throughout the organization?

Organizational silos between departments such as sales, marketing, procurement or customer support can lead to inconsistent customer experiences with a brand. An identity resolution platform can connect these systems. It will integrate consumer identifiers across channels and devices in a way that is accurate, scalable and privacy compliant to create a persistent and addressable individual profile.

Do we have customer knowledge gaps that could be filled with trusted second- and third-party data?

First-party data is essential for building a strong relationship between your brand and customers. However, identity graphs using anonymized second- and third-party data can provide valuable demographic, location, financial and other information that can fill gaps in customer insights. As data collection and matching techniques improve, creating a 360-degree view of customers through identity resolution platforms may make sense.

Are we in compliance with CCPA, GDPR and other data privacy regulations?

Data breaches and misuse of consumer data continue to make headlines, leading to an increase in privacy regulations. It’s crucial to ensure your data governance practices comply with the EU’s General Data Protection Regulation (GDPR) and/or the California Consumer Privacy Act (CCPA). While collecting and using consumer data is an essential part of marketing, it also escalates the risk of damaging your brand and incurring legal consequences.

Can we successfully integrate our existing customer data systems with an identity resolution platform?

Your various martech and ad tech systems absolutely must be able to communicate with each other. If they can’t, your organization likely would benefit from an identity resolution platform. This platform can incorporate identifiers and profiles between and within these systems for consistency and accuracy, creating a persistent and addressable individual profile

Does our C-suite support identity resolution initiatives?

Most C-level executives overestimate their marketing organization’s customer identity accuracy and persistence, according to a Forrester study. This can lead to inadequate budgeting, campaign measurement and performance, and broken customer experiences. Therefore, it is critical to secure C-suite support for identity resolution initiatives across the organization.

Identity resolution is not only critical to marketing success but is essential for compliance with consumer privacy laws such as CCPA and GDPR. Explore the platforms essential to identity resolution in the latest edition of this MarTech Intelligence Report.

Click here to download!

How would we use identity resolution?

Identity resolution has many marketing use cases, from complying with data privacy regulations to developing more accurate lookalike audiences to improved marketing segmentation and targeting. Identifying the use cases that would most benefit your organization is fundamental for establishing and prioritizing the capabilities you’ll need.

What KPIs do we want to measure and what decisions will we make based on the data?

It’s critical to measure the impact of an identity resolution platform on your marketing ROI. Resolving customer identities will provide new cross-sell and upsell opportunities because your marketing team knows more about your customers. Although KPIs vary by organization and/or industry, you should be able to measure incremental lift in metrics such as average order value, average revenue per user, basket size, response rates or customer retention.

What is the total cost of ownership?

Most of these platforms use on-demand pricing, meaning customers pay a monthly subscription price that will vary by usage. Pricing is typically based on the number of data records or customer profiles under management or the number of matches or API calls. Some also have add-on customer support options.

The post Does your organization need an identity resolution platform? appeared first on MarTech.

Why we care. Can marketers or consumers trust CARU’s seal of approval? If we take Walmart at its word — and so far there is no reason not to — CARU reviewed and approved Universe of Play. The retail giant likely thought this would protect them not just from the FTC, but from charges like those made by the consumer groups. 

Those complaints were significant and should arguably have been foreseen. Now both marketers and consumers must wonder if CARU is providing meaningful oversight or just a fig leaf?

What it was. Universe of Play was one of two Walmart marketing efforts launched in Roblox, a metaverse platform, last September. It featured interactive games where users could win virtual coins to buy virtual merchandise. 

The company said the marketing was aimed at consumers between the ages of 17 and 24. However, the key brand tie-ins for Universe of Play were Jurassic World, Paw Patrol and Razor Scooters, which appeal to a significantly younger audience.

Dig Deeper: Walmart launches Roblox metaverse experience 

The complaints. In January, the ad watchdog truthinadvertising.org and several other consumer groups, sent a letter to CARU saying Universe of Play targeted young children and was marketing products without providing proper disclosures that site and its content are actually ads. 

The groups also said Walmart’s use of CARU’s COPPA Safe Harbor Program seal conveyed the message the game was compliant with the organization’s guidelines.

CARU is one of a dozen industry self-regulation programs run by the nonprofit BBB National Programs. In 2001, CARU’s advertising program was the first to be certified by the FTC as a Safe Harbor under the U.S.’s children’s online privacy law, COPPA. Participants who adhere to CARU’s guidelines are considered to be in compliance with the law and protected from any FTC enforcement action.

An unsafe harbor. The consumer groups’ letter also asked CARU to audit Walmart’s Roblox games. The retailer issued a statement saying this had already been done: “In December 2022, Walmart was approved to join CARU’s COPPA Safe Harbor Program after demonstrating that Universe of Play, a new immersive Roblox experience, complies with the stringent requirements of COPPA and CARU’s Guidelines.”

Some time after that Walmart removed the game from the site. Walmart hasn’t responded to a request for comment. CARU has refused to answer questions.

The post Walmart pulls Universe of Play off Roblox platform after consumer groups’ complaint appeared first on MarTech.

There have been indications that other European regulators may swiftly follow suit. Reports suggest that France is conducting its own inquiry; Ireland has asked Italy for more details about the basis for the ban; and the German data commissioner has said that the same action could “in principle” be taken in Germany.

Why we care. Given the immense excitement created by the availability of ChatGPT and similar tools, it was perhaps too easy to overlook warnings emerging from the legal profession over the last few months that it could run afoul of European data regulations — regulations which, in many ways, have become a de facto global standard.

If the questions that arise need to work their way through the European legal system for adjudication, that could take some time, of course. But it’s clear that regulators in European nations can take swift action in the meantime.

Dig deeper: ChatGPT: A marketer’s guide

Lawful bases for processing data. One fundamental challenge for large language models like ChatGPT is that under European law, specifically the GDPR, there are only six lawful bases for processing personal data at all (data that can be used directly to identify an individual or indirectly to identify an individual in combination with other information). The bases are:

• Consent.
• Performance of a contract.
• A legitimate interest.
• A vital interest (a matter of life and death).
• A legal requirement.
• A public interest.

To the extent a large language model is being trained on data obtained without explicit consent, it’s by no means clear that any of these bases are applicable — unless, perhaps, one makes the bold assumption that the availability of AI solutions is in the public interest.

Data erasure. Another challenge is whether a solution by ChatGPT is competent to support the “right to be forgotten.” Under GDPR, in certain circumstances, an individual can request the erasure of their data. To be clear, ChatGPT is not scraping the web and heedlessly collecting large quantities of personal data. But it is being trained on very large sets of texts, and the question OpenAI might have to address is whether it knows what’s in those sets in terms of personally identifying information or data it might be asked to erase.

The post ChatGPT under threat from European regulators appeared first on MarTech.

“Once brand marketers began to truly adopt TikTok, the two became inseparable,” says Kyle Wong, chief strategy officer of customer experience platform provider Emplifi. “The platform offers brands a way to show a side of themselves that isn’t possible on the more traditional platforms. Now that TikTok has officially become an important piece of a brand’s overall strategy, marketers and users would be the ones taking a hit if a ban were implemented.”

Why we care. Public concern about data protection is real and substantial. An Ipsos poll last year found 84% of Americans at least somewhat concerned about the safety and privacy of the personal data that they provide on the internet. 

Several states, including California, Virginia, Illinois, Colorado and Utah, passed privacy protection laws and many others are considering doing so. Each of these means a different set of requirements digital marketers must follow. A national law would eliminate this problem and make it easier for consumers to know exactly what protection they have.

The argument for a ban. Those who want to ban TikTok, which is owned by the Chinese company ByteDance, say it poses a national security risk. They are concerned China’s government, which wields a lot of power over the nation’s businesses, could exploit user data to spy on American users and feed them misinformation. 

The ban was first proposed by President Trump, and President Biden supports a ban if TikTok’s Chinese owners don’t sell their stake in the company. A number of members of Congress from both parties support it, as do some current and former national officials. However, Congress — like the public at large — remains divided on the issue.

The argument against a ban. Excluding TikTok executives, those who oppose the ban mostly agree with the charges made against the company. However, they believe banning TikTok wouldn’t solve the real problem.

Dig deeper: 5 reasons why marketers should consider TikTok for B2B

“Nearly all social media platforms and other online businesses collect a lot of personal data from their users,” The Electronic Frontier Foundation’s Adam Schwartz and David Greene recently wrote. “TikTok raises special concerns, given the surveillance and censorship practices of its home country, China. Still, the best solution to these problems is not to single-out one business or country for a ban. Rather, we must enact comprehensive consumer data privacy legislation. By reducing the massive stores of personal data collected by all businesses, TikTok included, we will reduce opportunities for all governments, China included, to buy or steal this data.”

Everyone else is doing it. In short, they say the real problem with TikTok is it is behaving like every other social media platform. It’s not an unreasonable accusation. Consider, among the things the company has been criticized for is spreading misinformation on climate change, COVID-19, the war in Ukraine, the neurodevelopmental disorder ADHD and eating disorders. Facebook and YouTube have been criticized for doing exactly the same.

Support for national privacy law. Last year, a federal data protection act with substantial bipartisan support died in Congress because it was opposed by then-Speaker of the House Nancy Pelosi (D-CA). It looked likely to stay that way as the incoming GOP majority in the House of Representatives said nothing about it before, during or after the election. TikTok has given it new life.

It isn’t impossible that Congress would ban a popular, profitable private business, but it is far from a sure thing. As noted previously, while the ban has bipartisan support, it also has bipartisan opposition. There’s also the substantial number of users and businesses on TikTok to be considered.

“One important element in this conversation needs to be around the users,” says Emplifi’s Wong. “With nearly 87 million US-based users on TikTok, it’s clear the platform and its innovative content format hold appeal to users and brands are running as fast as they can to tap into that buzz.”

Compromise candidate. There are indications that a data protection law could succeed as a compromise. Consider what Rep. Cathay McMorris Rodgers (R-WA), chair of the Energy and Commerce Committee, said last week.

“Whether it’s TikTok, Big Tech, or other data brokers to restrict the amount of data that they’re collecting to begin with,” she said on CNN. “We need to ensure that individuals have the right to know what their profile might be or to be alerted if their information, their personal data is being accessed or transferred to another country like China.”

The post The fight over banning TikTok could result in something good for marketers appeared first on MarTech.

The 21st century changed much of that. Data got faster, cheaper and more voluminous. Search engines, social networks, tracking widgets and more have made it easy for even the most novice of two-bit marketing organizations to get the most direct form of customer insight — in the form of something akin to outright surveillance.

It’s not exactly a secret. One of the biggest developments to happen in the world of marketing is that the average consumer has become increasingly aware of the kind and volume of data that’s being collected, analyzed and used to market to them.

Martech bulls have clung to this realization as a justification for going further in their bids to move from buyer personas to buyer dossiers. They cite research purporting customers demand that marketers focus on personalization and seamless omnichannel experience. Marketers have entered an arms race of who can suck up and best use the most personal data.

But just as CX-focused consumers have noticed these trends, so too have the privacy-focused ones and their government representatives.

As never before, marketers need to be alert to consumer sensitivity about data and privacy issues — and need to recognize that trust is supremely important when consumers decide which brands they want to engage with.

Dig deeper: Build trust, gain sales

In this article:

• The EU’s GDPR.
• GDPR analogs.
• Common privacy law provisions.
• Other duties.
• Other laws.

The EU’s GDPR

The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. This is in no small part the culmination of European sentiment toward data handling practices in the U.S. and general antipathy towards Big Tech. The law was notable for governing behavior that did not actually take place in the EU.

One of the fundamental premises of GDPR is that if a company controls or processes data belonging to an EU subject, that company is violating GDPR and is liable for penalties. Regardless of where in the world that company is located and where in the world its data collection, controlling or processing took place.

And those penalties can be steep. GDPR drastically elevated the maximum fines for which companies would be liable under prior European privacy laws. A GDPR violator may face a fine as high as €20 million (~$21.7 million) or 4% of total annual revenue globally.

GDPR was the broadest, most severe and most sweeping data protection law worldwide — at the time.

GDPR analogs

Although it’s been less than five years since GDPR was enacted, the world has become increasingly privacy-conscious. More laws and regulations, each with their own regional (and nationalist) quirks, have sprung up, including in Canada, Brazil, Indonesia and elsewhere. In the wake of Brexit, the UK ditched EU governance but kept its own version of GDPR (UK GDPR).

One of the most recent and, arguably, the most significant of major privacy laws is China’s Personal Information Protection Law (PIPL). PIPL is China’s analog of GDPR for that country’s own citizens, but stricter in some areas. For instance, the handling of “sensitive information” (i.e.,  categories of personal information receiving enhanced protection, including but not limited to data involving health, race, politics, religion and more) requires the data subject’s express consent — a high bar not even necessarily required in the EU under GDPR.

But what makes PIPL stand out even more from GDPR is the potential severity of the penalties. Under PIPL, grave violations may put a perpetrator in debt to the Chinese government to the tune of the greater of ¥50 million (equal to about $7.37 million) or 5% of their total global annual revenue, plus any and all “unlawful income.”

Additionally, employees and directors of the violating company may face personal liability up to ¥1 million (~$147,000), be suspended from the same kind of employment in China and/or have their social credit scores in China negatively impacted.

Meanwhile, the United States has gotten into the privacy act (so to speak). There are a few niche laws and regulations affecting privacy at the federal level in the U.S. For instance, the Children’s Online Privacy Protection Act (COPPA) impacts how companies can collect data involving or potentially involving minors, while a variety of other laws may incidentally overlap with data privacy concerns. But a U.S. version of GDPR at the federal level has yet to come into being.

Stateside, there has been more action. It all started with the California Consumer Privacy Act (CCPA), which came into effect about a month after GDPR did. The law was openly a GDPR-lite adaptation, applying not just within California but worldwide to certain businesses handling the data of California residents.

Since then, other states — Virginia, Colorado, Connecticut and Utah — have promulgated their own versions, all going into effect this year. (Virginia’s Consumer Data Protection Act (CDPA) has already gone into effect this year, as of January 1.) 

Each state’s consumer privacy law is a bit different, not so much that you can’t glean the gist once you know the requirements of one of them, but more than enough if you’re a marketing, IT or compliance organization that has to stay abreast of these things.

California, too, has passed yet another privacy law, the California Privacy Rights Act (CPRA). Going into effect in July of this year, CPRA updates and amends CCPA. The amendments add and more clearly define new consumer data rights. They also establish a new state agency dedicated to handling the administrative enforcement powers of CCPA and CPRA.

And it’s all just the tip of the iceberg stateside. Other states are at various stages of developing their own respective privacy laws.

“State-level momentum for comprehensive privacy bills is at an all-time high,” reads a statement from the International Association of Privacy Professionals (IAPP). “Although many of the proposed bills will fail to become law, comparing the key provisions helps to understand how privacy is developing in the United States.”

Indeed, Virginia’s CDPA recognizes “sensitive information” and provides special protections for such information — but California’s CCPA in its original form does not. Now, California’s CPRA rectifies that, taking a cue from Virginia and providing enhanced rights for California residents related to sensitive categories of personal data.

Common privacy law provisions

Obviously, not all privacy laws and regulations are alike. Even laws and regulations that share similar provisions may differ in the bounds and mechanics of those provisions. 

That said, here is a general overview of some of the rights and duties that may be found in some of these laws.

Consumer/data subject rights. An individual variously may be able to demand:

• Confirmation: …that a data handler confirm or deny whether or not it possesses/handles/processes their data.
• Access: …to their data such as a data controller may hold.
• Portability: …that a data handler disclose the data subject’s information in a common file format.
• Correction/rectification: …that a data handler correct their personal information if outdated or otherwise wrong.
• Deletion: …that a data handler delete their personal data.
• Opt-out: …that a data handler refrain from or stop processing their personal information in some way, such as selling the data subject’s data, constructing a personal profile of a data subject based on their information or making decisions about that data subject through automation (i.e., without human input).

Additionally, some data privacy laws grant a data subject or consumer a right of private action (i.e., the right to sue a data handler or other entity for violations of the given law). Notably, some data privacy laws, like Virginia’s CDPA, do not grant this right.

Other duties

Under various privacy laws, data handlers owe duties not only to individual consumers or data subjects but also to the government itself. These may include duties to:

• Give consumers/users/data subjects notice about the data handler’s data practices and related information.
• Conduct a privacy and/or security risk assessment.
• Refrain from processing certain kinds of data in certain ways.
• Disclose breaches, data exposures and similar events.
• Develop and abide by policies for collecting and/or handling minors’ personal data in an even more protected manner than other personal data.

Other laws

While data privacy laws across the world are perhaps the most nascent and complex to impact marketing practices, there’s more to marketing compliance than data privacy and data stewardship. Much older laws continue to place limits on what is considered acceptable marketing.

While this list is in no way exhaustive, it is common for various jurisdictions to have laws proscribing the following:

False advertising

In general, advertising must be truthful. Marketers constantly look for ways to stretch this (under English common law, the UK and the  U.S. have long allowed for “mere puffery” — for instance, that a product is “the best”). But if you’re claiming that your product is, say, compatible with iOS devices, it better be compatible with iOS devices.

Misleading, deceptive or unfair claims

General consumer protection laws are a heightened version of false advertising laws, banning what are called “unfair” and “deceptive trade practices.” This can include misleading claims, even if “technically true.” These laws are far broader than even that, affecting business practices in general. For instance, paying for online reviews may be prohibited by such laws.

Industry-specific laws and regulations

Other laws and agencies, as well, generally prohibit misleading claims. For instance, in the  U.S., the FDA regulates advertising claims related to health and medicine, while the SEC regulates statements, disclosures and advertising about investments. 

Companies in highly regulated industries like healthcare and finance are restricted not only in what they can say but the context of what they say and how they can say it. 

Pharmaceutical advertising, even if as innocuous as a piece of conference swag with the brand name and logo of a drug featured on it, may need clearance from the FDA. An investment firm may face SEC action if it makes embellished claims or if it makes subject claims in violation of disclosure regulations.

Trademark infringement

Trademark laws are often less about banning anyone in the world from ever using a word or phrase or logo (or sound or color or even smell) and more about:

• Avoiding customer confusion.
• Preventing businesses from trading on the goodwill of another business. 

To that end, even advertising that is deceptively similar to an in-effect trademark, even if not quite the same, can be infringing. 

Sometimes (though not always), PPC and backend SEO practices that use a competitor’s trademark can be deemed an infringement. (For instance, bidding on your competitor’s company name).

Influencer marketing disclosures

If you’re working with a social media influencer, generally that influencer should clearly and conspicuously disclose that they were compensated for posting about your company, product or service. Failures to do so may create liability for both the company and the individual influencer, as per FTC regulations.

Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney authorized to practice in your jurisdiction.

The post Why we care about compliance in marketing appeared first on MarTech.

“Having inserted itself into all aspects of the digital advertising marketplace, Google has used anticompetitive, exclusionary, and unlawful means to eliminate or severely diminish any threat to its dominance over digital advertising technologies,” the lawsuit says.

Why we care. Google simultaneously acting as broker, supplier and auctioneer of online ads has always been problematic at best. As Sen. Mike Lee (R-Utah) put it, “The conflicts of interest are so glaring that one Google employee described Google’s ad business as being like ‘if Goldman or Citibank owned the NYSE.’” Cracking down on monopolistic business practices does great things for the consumer and the economy. The breakup of AT&T in the 1980s is why communication is so inexpensive and widespread today.

In the past, Google has rebutted monopoly claims by pointing to the large number of other companies which facilitate online advertising. The company did not respond to a request for comment today. 

Dig deeper: Google offers adtech unit changes to fend off antitrust lawsuit

This is the fifth antitrust lawsuit filed by state and federal officials against Google since 2020. That year a group of states led by Texas filed an antitrust lawsuit over the company’s advertising technology, while the DOJ and another group of states sued Google over claims that it abused its dominance over online search. In 2021, several states also sued over Google’s app store practices.

Dig deeper: Antitrust bill could force Google, Facebook and Amazon to shutter parts of their ad businesses

Google and other tech giants are currently under pressure from governments around the world trying to restrain their power over online information and commerce. In the European Union, Amazon, Google, Apple and others have faced antitrust investigations and charges, as well as new laws limiting the use and collection of consumer data.

The post Feds finally file anti-monopoly suit over Google’s adtech appeared first on MarTech.

Meta’s offense, the board concluded, was to incorporate user consent to use data for targeted advertising purposes within its terms of service, effectively forcing anyone using Facebook or Instagram, for example, to give up their data as a condition of using the platform. The board found this to be in violation of the EU General Data Protection Regulation (GDPR).

Why we care. The reaction of marketers to this news might be mixed. The rich trove of first-party data collected by Meta’s social media platforms allows for precision audience segmentation and targeted advertising — even if the exact processes used are largely opaque to advertisers. On the other hand, brands will expect user data to be collected, managed and activated responsibly.

Of course, the U.S. doesn’t have anything in place quite like GDPR — yet, anyway. CCPA is much less constraining.

What happens next. What the board has not done is tell Meta how to solve the problem. Rather, it has set out a three month deadline for Meta to tell them the changes they will make. The obvious solution is to separate consent from the terms of service, allowing users to refuse permission to collect data while still having access to the platforms. If large numbers of users opt out, it could have a depressive effect on the value of Meta’s inventory — but the social media giant is already dealing with the tracking opt out on iPhone apps. This just adds to the pain, and so far in only one — albeit large — jurisdiction.

The post EU hits Meta with $414m fine over advertising practices appeared first on MarTech.