This document summarizes a presentation on cross-contextual advertising and data privacy regulations. It discusses how advertising and data privacy can work together given increasing regulations. Regulations like CCPA, CPRA, and state privacy laws require consent for data sharing and targeting ads. Cookie alternatives like first-party data and contextual advertising are discussed. The presentation emphasizes transparency, choice, and understanding data use to ensure digital marketing can coexist with privacy.
Agenda
● The laws and regulations governing advertising technologies
● How advertising and data privacy can work together
● How to address the privacy issues related to cross-contextual
advertising
● Q&A
How is your Brand Ensuring Digital Privacy for Customers, Leads, and Website Visitors?
Privacy laws are moving towards providing individuals more control than ever over their personal data, requiring:
● Consumers are empowered with the knowledge about how their data is stored, shared, and collected during interactions with businesses.
● Consumers have to provide their consent before data can be obtained.
● Consumers have the right to request that a company stop using their data for marketing, commonly referred to as a "right to be forgotten" in all systems.
Action at the State Level
The number of state privacy legislation bills introduced since 2018 makes it clear that states are getting increasingly serious about data privacy:
● 2018: 2 bills were introduced from 2 states
● 2019: 16 bills were introduced from 13 states
● 2020: 25 bills were introduced from 16 states
● 2021: 29 bills were introduced from 23 states
● 2022: ~60 bills were introduced or carried over from 2021 in 29 states + DC:
○ 23 states held committee hearings.
○ 14 states passed bills out of committee.
○ 7 states passed a bill through one chamber.
○ 2 states passed laws:
■ Connecticut
■ Utah
Which Regulations Address Digital Marketing?
● California - California Privacy Rights Act (CPRA):
○ Adds rights - correction, restriction of use, and opt-out of the use and
disclosure of sensitive personal information.
○ Requires opt-out for sharing data for use in cross-context behavioral
advertising:
■ Add the “Do Not Sell or Share My Personal Information” link on all digital
locations (e.g., web pages) where personal information is collected OR
■ Comply with a global opt-out signal (details to follow)
● Virginia - Consumer Data Protection Act (CDPA):
○ Required rights - access, correct, delete, data portability, to opt out from sales
of data to third parties, targeted advertising, and certain profiling, to opt-in to
processing “sensitive” data, and right to appeal.
○ Requires data protection assessments to evaluate risks associated with
processing activities related to sensitive data, targeted advertising and
profiling, and the sale of personal data.
○ Goes into effect January 2023.
Which Regulations Address Digital Marketing?
● Colorado - Colorado Privacy Act (CPA):
○ Requires the right to opt-out of personal data targeting and a
universal opt-out mechanism.
○ Requires data protection assessments for any personal data
processing that may have risk to individuals.
○ Goes into effect July 2023.
● Connecticut - Connecticut Data Privacy Act (CTDPA):
○ Requires opt-in for processing “sensitive data” and opt-out for
targeted advertising, data sale and profiling.
○ Goes into effect July 2023.
● Utah - Utah Consumer Privacy Act (UCPA):
○ Requires opt-out of processing for targeted advertising and the
selling of personal information.
○ Goes into effect December 2023.
CCPA in the News
Sephora Fined $1.2 Million in California AG’s First CCPA Settlement
● On August 24, the Office of the Attorney General (OAG) announced its first settlement under the CCPA, alleging that Sephora failed to:
○ Disclose to consumers that it was selling their personal information;
○ Process user requests to opt out of sale made via user-enabled global privacy controls;
○ Provide a clear and conspicuous “Do Not Sell My Personal Information” link enabling consumers to opt out of the sale of their personal information; and
○ Provide two or more designated methods for submitting requests to opt out.
● The OAG also alleged Sephora violated California’s Unfair Competition Law by “making false or misleading statements of facts concerning Defendants’ sale of consumers’ personal information and unfairly depriving consumers of the ability to opt-out of this sale.”
CCPA in the News
What Happened?
● Sephora installed third-party software on its website and app to track online consumer activity - the OAG notably called it “commercial surveillance.”
● The OAG asserted the software could track all types of data and could build behavioral profiles of users, allowing Sephora to more effectively target potential customers.
○ By receiving this data, Sephora engaged in selling - benefitting from “other valuable consideration” in the CCPA’s definition of “sale”.
● The OAG also asserted there were no valid service-provider contracts in place, which is one exception to “sale” – contractually limiting the third-party tracking companies to processing requirements to establish them as “service providers” under the CCPA.
● What’s next? CPRA may provide more risk to online tracking activities – bringing the right to opt out of the sale of personal information AND of the transfer of personal information to a third party for cross-context behavioral advertising.
Cross Contextual Advertising
CPRA defines Cross Contextual Advertising as:
“The targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, application or services, other than the business, distinctly-branded websites, application or services which the consumer intentionally interacts.”
Cross Contextual Advertising
What does that mean?
It means: “The digital ad industry must adhere to a far higher regulatory standard as it relates to targeting and retargeting.”
Business Purpose
What does that mean?
A business that uses personal information for “cross-context behavioral advertising” and relies on a vendor to process the data now falls outside the scope of a permitted “business purpose”.
Business Purpose
● Auditing
● Data Security
● Debugging
● Internal research
● Quality Control
● Advertising and Marketing services (THAT ARE NOT CROSS CONTEXT BEHAVIORAL ADVERTISING).
Fundamentals Are The Same
● Transparency
● Choice
● Data Classification
● Contractual Obligations
● Collecting and using data securely
● Understanding what vendors, partners and others are doing
Understand Data Collection/Use
● Know what is being collected
● Know how it is being used
● Understand what data is being shared and with whom
● Roles are included in agreements (business, service providers and third parties)
● Vet all!!
● Data security, transparency and choice
CPRA New Contractual Requirements
1. Limited and specified purposes.
2. Comply with applicable obligations of the CPRA
3. Grants right to ensure that the third party, service provider or contractor uses the personal
information transferred in a manner consistent with the business's obligations.
4. Requires the third party, service provider or contractor to notify the business if it decides it
can no longer meet its obligations under this title.
5. Grants the business the right, upon notice to take reasonable and appropriate steps to stop
and remediate unauthorized use of personal information.
6. As noted, this new requirement extends the duty to contract to third-party transfers, which
is currently not required
How Can Digital Marketing Coexist With Data Privacy?
Legal, IT, Marketing, 3rd Party Partners:
● Learning
● Collaborating
● Leveraging Technology
What is a Cookie?
● Information saved by web browsers that helps sites recognize a user’s
device in the future - sites read cookies to remember the previous visit(s)
and track behaviour over time.
● Privacy-driven changes to the technology landscape:
○ Google's plan to phase out and ban cookies has been extended to late 2024
○ Safari and Firefox already did so in 2020
○ However! The ban only applies to third-party data cookies - so not all targeting hope is lost.
● First-party cookies are still fair game! – so what’s the difference between
the two:
○ Third-party cookies are cookies that are set by a website other than the one you are
currently on.
■ They are mostly used to track users between websites and display more relevant
ads between websites.
○ First-party cookies allow site owners to collect basic analytics data to create a
better user experience.
■ A website remembering login information and language settings, but not sharing
the user’s information with other platforms – all data is siloed by domain.
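As an added example (not from the presentation): a short audit helper that labels the cookies observed during one page load as first- or third-party by comparing each cookie's site with the site the visitor is on. The hostnames, cookie values and the small suffix set are constructed assumptions; a real audit would use the full Public Suffix List.

```javascript
// Assumption: a tiny stand-in for the Public Suffix List, so that
// "co.uk" and similar suffixes are not mistaken for a site.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Reduce a hostname to its registrable domain ("site"),
// e.g. "shop.example.co.uk" -> "example.co.uk".
function siteOf(hostname) {
  const labels = hostname.toLowerCase().replace(/^\./, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// A cookie is scoped to its Domain attribute if present, otherwise to
// the host of the response that set it.
function cookieScope(setCookie, responseUrl) {
  const m = /;\s*domain=([^;]+)/i.exec(setCookie);
  return m ? m[1].trim() : new URL(responseUrl).hostname;
}

// Label every observed cookie relative to the page being visited.
function classifyCookies(pageUrl, observed) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  return observed.map(({ responseUrl, setCookie }) => {
    const name = setCookie.split("=")[0].trim();
    const site = siteOf(cookieScope(setCookie, responseUrl));
    return { name, site, party: site === pageSite ? "first" : "third" };
  });
}

// Names of cookies that belong in the vendor / data-sharing review.
function thirdPartyNames(pageUrl, observed) {
  return classifyCookies(pageUrl, observed)
    .filter((c) => c.party === "third")
    .map((c) => c.name);
}

// Constructed sample: Set-Cookie headers seen while loading one page.
const SAMPLE = [
  { responseUrl: "https://www.shop.example/", setCookie: "lang=en; Path=/; Secure" },
  { responseUrl: "https://cdn.shop.example/app.js", setCookie: "sid=abc123; Domain=.shop.example; HttpOnly" },
  { responseUrl: "https://px.adtracker.example/p.gif", setCookie: "uid=42; Domain=adtracker.example; SameSite=None; Secure" },
];

console.log(classifyCookies("https://www.shop.example/cart", SAMPLE));
```

Cookies set from a subdomain of the same site (here `cdn.shop.example`) count as first-party; only the cookie scoped to a different site is flagged.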
Cookie Alternatives?
Now is the time to consider some alternatives:
● Leverage First-Party Data:
○ First-party cookies - a useful tool in retargeting, as they provide valuable information about who interacts with your business most - basic demographic information about visitors and how they interact with your content.
○ First-party data can also be collected through:
■ Surveys
■ Customer feedback
■ Social media insights
■ Email lists
○ These methods are not the most technologically advanced, but they still give a clear glimpse into wants, needs and tendencies.
● Contextual Advertising - matches ads to specific users based on keywords to put the right content in front of the right user at the right time.
○ Token-based approach
Marketing & Privacy
● Consent & Opting Out
○ Consent must be granular, affirmative, and freely given - ask for consent for
each marketing effort individually using a consent mechanism, like a
checkbox.
○ Marketing consent must be distinct from any consent to a Terms and
Condition agreement or Privacy Policy.
○ Make it as easy to opt-out as it was to opt-in – consent is freely given at all
times during the customer relationship, not just within your sign-up
mechanism.
○ Manage direct marketing consent with an Unsubscribe function on texts
or emails and by using a communication preference page within the
customer's account – track the time, date, country, and source through
which individuals opt-in and opt-out.
Marketing & Privacy
● The Risks of Lists
○ Generally, users must knowingly consent to be contacted via email before a company can
legally do so.
○ Relying on purchased email lists as a cornerstone of email marketing is a risky move -
instead, gather email addresses directly, e.g., through a subscription form on your website.
○ Email addresses on a purchased list could be inactive or outdated – don’t risk a regulatory violation just to contact an inactive inbox!
● Data Retention, Purpose Limitation & Minimization
○ Personal data may only be kept for as long as necessary to carry out the particular purpose.
○ A data retention policy should outline:
■ Data collected
■ Why it was collected
■ How long it will be retained for
■ How it will be securely destroyed
Consent and Preference Management is a single source of trust enabling organizations to capture and manage real-time customer consent and preferences.
Save time, increase quality conversions, comply with privacy laws.
Thank You!
See http://www.trustarc.com/insightseries for
the 2022 Privacy Insight Series and past
webinar recordings.