Digital privacy and ad tracking have finally entered the mainstream conversation in the United States. Two years after GDPR went into effect in Europe – something we discussed back in 2018 – the US is beginning to take a sober look at what identity on the internet means, how we as a society want to approach its safeguarding, and what impact that will have on the advertising and publishing industries.

As of January this year, the US took its first stride since the 90s as the California Consumer Privacy Act (CCPA) went into effect. Constituting 14% of the entire US’s GDP, California’s new law is bound to alter how the rest of the country approaches digital privacy and data protection, so media buyers and publishers are closely monitoring what impact this will have across the rest of the nation.

Whether it’s tracking your ad performance, or optimising your branding, we’ve got data covered. www.dcmn.com

HOW WE GOT HERE: US DIGITAL PRIVACY SO FAR

The US has traditionally been much laxer than the EU when it comes to the privacy of its citizens. However, the effects of GDPR’s implementation in the EU were felt even an ocean away with US-based international companies scrambling to implement separate EU privacy policies or, in some cases, merely shutting off access to EU visitors so as not to run afoul of the new law. It also sparked a conversation in some sectors about what a US version of the law would look like when it was inevitably implemented.

The current rules here in the US are either comically out of date, often predating mass adoption of the internet. Others only regulate very specific areas, such as medical or financial records, in stark contrast to the kind of all-encompassing data protection GDPR was intended to be.

While some states have implemented laws related specifically to how companies must handle reporting data breaches to their users, these also tend to be conflicting and out of touch with the reality of the internet in the 21st century.

the big shift: ccpa

This all is what makes the CCPA all the more compelling, and potentially problematic for advertisers in the US. As the largest state and economy, California has an outsized influence on the national conversation – they have similarly used this weight to put pressure on auto industry emissions when the Trump administration started to roll back these standards on a federal level. So California planting a flag for digital privacy and rights will undoubtedly move the conversation forward here and likely inspire other states to adopt their own laws or push the federal government to pass a nationwide law à la GDPR.

As a quick primer on the key tenets of CCPA, here’s what you would need to know. The law states that California internet users have a right to:

• Know what data is being collected and what happens with that data.
• Decline the sale of their data,
• Request to receive a copy of the data collected on them and/or have that data deleted and…
• Not to be discriminated against for opting out of being tracked.

HOW CCPA COMPARES TO GDPR

In contrast to GDPR, CCPA focuses more on what happens to the data AFTER it is collected, rather than on the collection itself. Data protection advocates point out that CCPA places the burden of opting out on the individual user, as compared to a universal opt-in
as GDPR created. This is bad news for consumers but good news for advertisers as many people likely won’t realise that they are able to restrict the amount of data that is collected about them or how that data is used. So targeting capabilities of some major platforms may be less impacted by this than initially feared.

Another point of distinction is that, while GDPR requires all companies and organisations to comply, which places a disproportionate burden on smaller companies, CCPA only impacts business over a certain size or revenue amount. This is good news for smaller brands who would be less equipped to create the kind of infrastructure needed to handle data requests and deletion.

And as CCPA’s guidelines only stipulate that you have to inform users if you are selling their data, this has opened up a loophole, most notably for Facebook. Their current position is that, although they allow advertisers to use the data they collect to target their ads they don’t sell the data directly and therefore are not bound by this law. Clearly, this is a tenuous position but currently, no significant changes have happened on Facebook’s side.

OTHER DIGITAL PRIVACY LAWS ON THE HORIZON

Given the limitations and shortcomings of CCPA, other states and the federal government have springboarded off this to begin crafting their own laws. Washington state is considering a privacy law that would include regulation around facial recognition and data-based decision making, while a potential law in the U.S. Senate includes provisions for algorithmic decision-making, biometric data, and limiting the types of data that can be collected. It’s not clear if or when any of these laws will be enacted or implemented and what the impacts would be.

THE REAL INNOVATION IS HAPPENING IN THE PRIVATE SECTOR

As the government has been slow to implement these data regulations, in a typically American way, private-sector businesses have been stepping up to shape the conversation. This has taken a number of shapes, from Apple’s Intelligent Tracking Prevention initiative to publishers like the Washington Post creating their own programmatic platforms.

In what seems like it will be the most impactful in the short-term, Apple and Google’s respective changes to the Safari and Chrome browsers to limit 3rd party cookies are already causing headaches for advertisers and publishers. These changes make advertising targeting and attribution increasingly more difficult and are limiting the targeting capabilities of advertising platforms. As a result, many media buyers are beginning to look at returning to tactics viewed as outdated, namely research studies and programmatic guaranteed deals. Until a solution or common ground is reached, this will likely reduce the apparent effectiveness of advertising which will, in turn, hurt ad-supported publishers and the brands that rely on them.

There have been some attempts by players other than the major tech companies to alter this contentious dynamic. A more recent browser, Brave, ships with a built-in adblocker but also uses a blockchain-based token to reward both users and publishers for seeing or serving ads, all paid for by the advertiser.

Additionally, DigiTrust, a non-profit consortium, owned by IAB and with many ad-tech partners, has been working to create universal ad ID standard. Their goal is to create a standard anonymised ID that is stored on first-party cookies and can be accessed by other DigiTrust members. This would allow users to set tracking preferences from a central point that would be carried across publishers. However, Mozilla and Apple view the DigiTrust cookie as another tracker to be blocked.

what’s next in us privacy?

So, it’s become clear that the current state of digital privacy in the U.S. is tumultuous. Laws rolling out with unknown impacts, possibly competing laws on the horizon, private sector companies playing games of cat and mouse trying to retain basic functionality of their platforms, and the media publishing unnuanced takes on how big tech is watching you. Until some of these broader questions are answered, most plausibly thought a federal privacy law similar to GDPR, the future of digital privacy in the US will remain unclear. Advertisers and publishers will continue to try to navigate this complex and changing world to keep the lights on. And ultimately users will likely bear the brunt of the uncertainty.

Written by Joshua Fulfs, a Senior Digital Marketing Manager at DCMN NYC (and a data nerd to boot!)

Data. It’s complicated. Look to us to clear up the confusion. Email us over at hello@dcmn.com.