Consumers are increasingly concerned with the life of their data online.
Who has my data? What are they using it for? What rights do I have?
Legislators are listening; they’re taking action to protect consumers and regulate data processing in organizations throughout the country. It’s great news for consumers who want to know about, access, and make certain decisions regarding their personal data.
But what does the new legislative landscape mean for you, as an advertiser who relies on personal data to make critical campaign targeting decisions?
It means you may need to rethink your audience-based media buys and data-driven decision intelligence, as Tunnl has helped countless of other advertisers do. With extensive processes and procedures in place to help maintain comprehensive data compliance for our platform users and audience solution clients, we keep a finger on the pulse of what’s happening in state capitols across the nation.
And we’ve identified a few trends that appear in several states’ data privacy legislation.
What follows is a high-level overview of some common factors being incorporated into consumer data privacy legislation in several states throughout the country. This article is not intended as legal advice, but instead a look at what advertisers and data controllers may see introduced in their states if these trends continue - and how that will impact their campaign targeting.
Which States Are Enforcing Data Privacy Laws This Year?
From the first to the last day of 2023, data privacy laws are going into effect in the U.S. with still more states passing legislation that will come into force in the next few years. Virginia, California, Colorado, Connecticut, and Utah are those that have started or will be enforcing their consumer data privacy laws this year.
Many of these laws are borrowing from each other, setting trends and creating standards that will soon be shared in various parts of the country. Advertisers and data controllers can look to these trends to prepare for the privacy compliance landscape they will soon - or already - find themselves navigating.
Let’s take a look at five trends shared across the active and impending privacy data legislation in the country, so you know what the new normal might look like as more laws pass.
5 Common Trends in U.S. Data Privacy Legislation
Though privacy legislation penned in each respective state offers slightly varied protections to consumers and obligations imposed on organizations, there are a few common trends appearing in data privacy laws across the country. These commonalities indicate what’s important to lawmakers at the moment, sketching the beginnings of a new data privacy picture in America.
Here’s what we’ve seen in several of the new and proposed laws.
1. Disclosure of Data Processing
Data privacy laws are being created, in part, to help consumers retain rights to and control over their personal data. So, it’s par for the course when organization are required to let consumers know what they're entitled to and how to get it.
For example, in the Virginia Consumer Data Protection Act (VCDPA), which went into effect on January 1, 2023, the Virginia government website summarizes consumer rights like this:
“The VCDPA allows for consumers to request that the controller of their personal data:
Confirm if the controller is actually processing their personal data.
Correct inaccuracies in the consumer’s personal data that is collected by the controller.
Delete personal data provided by or obtained about the consumer.
Obtain copies of the personal data collected by the controller.
Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or further profiling.”
The right to know what personal data of yours is being collected, retained, and processed by organizations is a common thread in data privacy legislation throughout the country. That last bullet about opting out is a constant as well, although not all states extend the right to opt out to profiling.
2. Opt-Out Requirements
One of the rights universally respected in data privacy legislation is the opportunity to opt out of certain types of processing. Consumers can submit opt-out requests to organizations in possession of their personal data if they don’t want to be contacted or have that data processed for targeted advertising or sold to third parties. Many laws have additional language about making this consumer request process easy and/or straightforward.
Take the Connecticut Data Privacy Act (CTDPA), which went into effect on July 1, 2023 for example. Connecticut’s official state webpage dedicated to the CTDPA talks about opt-out methods data controllers can provide:
“A controller’s privacy notice must clearly describe how consumers may exercise their rights under the CTDPA. Among other methods, a controller must provide an easily accessible link on its website through which consumers can opt-out of targeted advertising or the sale of their personal data. Soon, consumers will also be able to opt-out through universal opt-out mechanisms.”
The included wording about universal opt-out mechanisms can be spotted in other states’ legislation as well. Universal opt-out mechanisms (referred to as "opt-out preference signals" under California law) allow consumers to submit opt-out requests across multiple websites or to multiple data controllers at a time, instead of one by one. Consumers will be able to increasingly rely on the convenience of universal opt-out mechanisms within the next couple of years as organizations adjust throughout legislated states.
And while opt-outs are a common feature in data privacy laws throughout the country, a handful of states also require consumers to opt in to the use of sensitive data.
3. Required Consent for Sensitive Data
Personal data has varying degrees of sensitivity, and many data privacy laws have been written to address that. While personal data can include anything from a consumer's name and contact information, sensitive data is usually categorized by its more personally specific, uniquely identifiable, or potentially discriminatory nature.
Summarizing various data privacy laws throughout the country, sensitive data may include:
racial or ethnic origin
sex life or sexual orientation
mental or physical health conditions or diagnoses
citizenship or immigration status
genetic or biometric data
specific geolocation data
Sensitive data like this must be collected, processed, and handled with additional care - and, according to consumer data privacy laws in several states (Virginia, Colorado, and Connecticut), organizations need express permission, i.e., opt-in consent, to use it.
By contrast, Utah requires organizations provide consumers with an opportunity to opt out; its Utah Consumer Privacy Act (UCPA) was signed into law on March 24, 2022 and will take effect on December 31, 2023. Here’s how the Utah State Legislature outlines its parameters on sensitive data processing under the UCPA:
“Except as otherwise provided in this chapter, a controller may not process sensitive data collected from a consumer without:
(a) first presenting the consumer with clear notice and an opportunity to opt out of the processing; or
(b) in the case of the processing of personal data concerning a known child, processing the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. Sec. 6501 et seq., and the act's implementing regulations and exemptions.”
In addition to provisions about the types of personal data organizations can process and under what circumstances, data privacy laws are also determining whether an organization is even subject to the law based on the number of consumers whose personal data is being processed by the organization.
4. Applicability Thresholds
Organizations have to make their data privacy policies clear and actionable for consumers, and the data privacy laws that institute those requirements are following suit by clearly stating which organizations need to comply with their parameters.
It’s very common for states to apply their data privacy laws based on how many consumers' personal data an organization is controlling or processing. Though the thresholds can vary, they usually look something like those provided under the California Consumer Privacy Act (CCPA).
“The CCPA applies to for-profit businesses that do business in California and meet any of the following:
Have a gross annual revenue of over $25 million;
Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or
Derive 50% or more of their annual revenue from selling California residents’ personal information.”
Organizations processing minimal personal data may not be required to meet all the newly introduced data privacy standards, depending on the states in which they advertise, sell, or advocate. Regardless of the volume of data being processed, however, some states indicate that certain types of organizations are exempt from the state's data privacy law altogether.
While not all organizations may be required to meet new data privacy standards based on the minimum applicability thresholds outlined in each piece of legislation, some organizations may be exempt from complying with a law's obligations regardless of the amount of data they are collecting, storing, analyzing, or transacting on. These exclusions and exemptions vary from state to state, but here’s an example from the Colorado Office of the Attorney General's website regarding the Colorado Privacy Act (CPA), which went into effect on July 1, 2023.
“The CPA excludes some types of entities from complying with its requirements. These entities include:
Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act;
Air carriers subject to Federal Aviation Administration regulation; and
National securities associations registered under the Securities Exchange Act.”
Certain types of personal data are also usually exempt from data privacy laws, such as personal data regulated under the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act.
Tracking the trends and understanding exemptions, you may realize that you have more data privacy compliance tasks on your to-do list than before. Is collecting, storing, and using consumer data worthwhile to your advertising strategy if it means meeting complex compliance laws?
The answer is absolutely yes; data-driven, audience-based media buying is still your best bet for achieving a return on your ad investment - but advertisers should be prepared for the implications of data privacy regulation on their campaign targeting.
What the Future Holds for Advertisers Amid Data Privacy Regulation
The legislative landscape is gaining momentum on data privacy protections. Many states that have yet to enact data privacy laws are drafting or considering legislation as you read this. So, what does that mean for your ad targeting options?
Consumer data privacy laws are necessary and even overdue, but they complicate your audience targeting capabilities.
We’ve seen ad platforms make changes to their targeting parameters before, like when Meta disabled detailed targeting based on potentially sensitive topics or the ever-impending death of third-party cookies. Changes like these prevent advertisers like you from reaching audiences who are more inclined to care and align with your message, making it even more challenging to make an impact and achieve positive ROAS. With new and additional data privacy laws entering the industry, further restrictions and requirements may impede your ability to reach the right people quickly, effectively, and efficiently.
But accurate audience targeting is not impossible, just more complex.
Depending on the data privacy law(s) they are subject to, advertisers will need to consult their legal teams to establish or update their consent collection, opt-out, and data processing disclosure procedures - or work with data providers who cover those compliance elements on an advertiser's behalf. That’s the bare minimum of what’s coming down the pike for advertisers amid data privacy regulation.
The next layer of thriving in the new data privacy landscape is identifying reliable sources for issue- and interest-based audiences that enable you to deliver your message to the right people in a maximally efficient, legally compliant manner. Demographic information, though helpful, won’t be enough for advertisers to campaign against, and can lead to budget waste if not supplemented by more personalized audience insights like media consumption patterns, lifestyle behaviors, or personal values.
These detailed audience insights may be harder to come by as data controllers grapple with emerging legislation, but savvy audience providers who are committed to keeping their compliance up to speed will have an extensive inventory of secure, targetable audiences right away.
Find a Compliant Data Provider for Your Ad Campaign Targeting
Any audience data provider, processor, or controller you work with is obligated to comply with applicable existing and emerging data privacy laws.
However, data integrity and data quality can vary from provider to provider, impacting the efficacy of your audience targeting. You need a third-party data provider not only committed to compliance, but to constant, diligent data maintenance, accurate audience building, and secure data transference.
For all that and more, Tunnl leads the industry. Any service you receive from Tunnl - whether it's a custom audience tailored to your niche, first-party data enrichment or enhancement in our audience intelligence platform, or buying against one of Tunnl’s hundreds of prebuilt issue-based audiences in your DSP - privacy compliance is baked into the process, even as new laws are introduced. With audiences built according to consumer and voter sentiments, interests, and media consumption behaviors, you’ll have more than demographics to guide your public affairs, issue advocacy, and purpose-driven ad campaigns when you work with Tunnl.
Thisarticle is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue as to the subject of this article.