Privacy regulation: Things to know while we wait for Australian reforms

As the United States is set to pass a new bipartisan federal privacy bill, UM Worldwide’s Chief Privacy Officer Arielle Garcia spoke to ADMA about what marketers need to know.

There is a new global pandemic that isn’t related to a virus, but involves governments, politicians and regulators making a raft of new laws to reign in digital data collection and protect citizens’ privacy in major digital economies across the world. 

By 2024, 75% of the world’s population will have its personal data covered under modern privacy regulations, up from 10% in 2020, according to Gartner

While the internet has no borders, countries – and their citizens that rely on the proliferation of technology that collects, tracks and stores data – do.

The United States has announced its new federal American Data Privacy and Protection Act (ADPPA), while the United Kingdom deals with its Data Protection and Digital Information Bill (DPDIB), both of which have the potential  to create a ripple effect through the digital marketing and technology ecosystem across the world.

Australia is also overhauling its privacy laws with new Attorney General Mark Dreyfus confirming his commitment to sweeping reforms in his first term.
 

Regulation might seem dull, but the conversation it ignites is not

The raging abortion controversy in the United States after overturning Roe V Wade has catalysed American momentum to protect the data rights of individuals and break the 20-year stalemate Congress had around privacy regulation.

“There is this cultural moment where sensitive health information – even inferred – can pose a risk to liberty and safety,” UM Worldwide Chief Privacy Officer Arielle Garcia explains.

She says there are now important industry conversations around the risk of harm in collecting data that unintentionally may identify someone, harm them, undermine civil liberties or even contravene human rights.

For example, if a publisher tracks a female who reads an article about abortion, or uses algorithms to infer someone is pregnant, this may reveal sensitive women’s health information.

Governments and courts around the world are trying to protect their citizens’ health data and precise geo-location, while also prohibiting - or strengthening existing prohibitions - on targeting advertising to children and teenagers.

Garcia also predicts that the potential for artificial intelligence (AI) to enable inferences of sensitive personal information or perpetuate discriminatory outcomes will lead to increased demands to make algorithms:

• more transparent,

• and embed rules that prevent discrimination based on sexuality, health status, politics, or other sensitive topics.
   

Privacy is moving out of the legal office and into the business arena

Unlike most Chief Privacy Officers, Garcia works on the ‘business side,’ leading UM’s privacy practice, where she helps clients develop business-facing approaches to privacy that nurture their relationships with customers.

“A big part of my role is supporting our clients in navigating the evolving space. There's a lot of ambiguity and different approaches and interpretations and thus varying standards and requirements,” she says.
 
“At UM, we work with our clients on privacy and responsible data use in the same way we do with media, identifying the appropriate solutions, recommendations, and partnerships that align to our client's position and business needs.”

ADMA not only applauds UM Worldwide’s approach to collaborate with cross-functional teams to deliver effective consumer, privacy, and trust outcomes, but also advocates for the same approach.

“Many of the breaches around data privacy stem from a disconnect in the right conversations about operationalising principles of data privacy best practice” says Sarla Fernando, ADMA’s Head of Regulatory and Advocacy Advisory. 

Businesses that perform well not only have talented in-house compliance teams but also take privacy seriously throughout their business. Most privacy breaches or failures are not usually malicious but tend to happen when compliance and marketing are disconnected from each other. 

“The disconnect often leads to either the wrong questions being asked, or advice being given. The gap is often a misunderstanding of how Compliance programs will align to the operational processes in place. UM’s approach is refreshing and is exactly what is needed to develop Best Practice around data privacy,” Fernando says.
 

What do Australians need to know about America’s ADPPA

Given the United States is one of the leading economies of the world - and home to many giant tech companies - what happens with ADPPA will impact the data ecosystem of publishers, brands, marketing, and advertising.

Even if the bill fails to pass in the US, it serves as a springboard for other nations’ lawmakers considering privacy reforms.

Garcia reinforces the need for businesses to recalibrate the way they deliver marketing to be fairer and more responsible to consumers.

Data provenance should become a more critical issue for advertisers and marketers - how is a digital ID used for targeting actually created?

She says digital identity solutions and cohorts (or segmentation) – along with the lowest risk marketing - contextual advertising - will continue to evolve.

For identity solutions to be durable, regulators will need to be satisfied consumers have meaningful transparency and choice.

For consumers to choose to share their information, the fairness of the value exchange will be central, with trust as the cornerstone. 

Marketers must watch, adopt, and identify partners that provide a more granular and consistent way for consumers to understand how data is used to empower people to make the right decisions about the brands and companies they want to engage with.

“There is a disconnect between marketing, privacy, consumer experiences, and the realities of IT and what is possible,” she says.

“Only through collaboration – true cross-functional governance around data strategy – can we get to a place where those things converge.”
 

What else is going on with regulation outside of America?

A vast array of discussion drafts, exposure drafts and proposals to regulate citizens’ privacy, data collection and artificial intelligence has been released or developed during 2022 across the globe.

Europe’s GDPR established in 2018 is only one piece of the privacy puzzle, with harsher penalties for breaches and new European legislation such as:

• The Data Governance Act, adopted in May 2022

• Digital Services Act, which effectively bans targeting on sensitive personal information and demands the user understands how a targeted ad is delivered as well as given a non-profiling option for content recommendations

• The Digital Markets Act, safeguarding competition and fair markets 

• The Network and Information Security Directive (NIS2).

Japan’s Act on the Protection of Personal Information (APPI) - the first global legislation to reach ‘adequacy’ with Europe’s GDPR - also had tighter amendments that came into effect in April 2022.

The upshot is that regulation in the largest markets will likely have the greatest impact on the various technologies, techniques and tactics used by digital marketers.

 To complicate matters, the big tech companies are also making moves to get ahead of regulation.

• Google has announced it will delay the deprecation of third-party cookies until the second half of 2024

• Apple continues its privacy-first hardware play but looks like it is also building its own ad tech platform.

What does all this global legal talk about privacy mean for marketers?

In an increasingly regulated world, data-driven businesses will:

1. Have increased certainty about what they need to do to continue to operate

2. Plan and act on privacy compliance, juggling the time, staff effort and costs associated with it.

 All marketers and businesses need to be aware that privacy is not just a ‘compliance’ issue, but increasingly a risk and consumer trust issue, too.

 “It is time that we consider our data practices through more than just the lens of the privacy legal framework,” Fernando says.

“If we are to truly build a futureproof strategy around data in a landscape that is constantly developing its technology capabilities, consumer expectations and value of insights, then we need to reframe our thinking and look more holistically at data governance instead.”

 Data governance includes compliance with privacy laws, but it goes beyond that to also consider the nuances of why, when and what data is collected, the value exchange that takes place and understanding the expectations of all parties - the consumer, the business, and any intermediaries - when collecting, using, and managing data.

Garcia recommends brands and businesses adopt a cross-functional governance approach to holistically examine:

• -       Emerging regulation: in your own country’s market and countries where your data collection takes place, but also outside of countries in which you operate that may serve as a signal of what may follow.

• -       Evolving consumer expectations.

• -       Industry and platform-driven change.

• -       Adopting technology infrastructure that enables data and privacy management

• -       Transparency and choice for consumers in your business’s marketing data usage for example, see Twitter’s new gamified privacy and consent experience.

• -       Integrating with martech solutions and ad tech partners that effectuate the best consumer preferences and experiences to honour consumer’s right to privacy

“Heightened consumer expectation breeds opportunity for marketers that deliver to these demands to bolster consumer trust, build deeper connections with their customers and differentiate their brands,” Garcia says.

Andrea Martens, CEO of ADMA, says the various changes taking place right now is an opportunity for Australian marketers to reset its practices around data-driven marketing and make improvements that will undoubtedly improve the consumer experience and build trust in the brand and the brand’s digital marketing practices

“While we may not know exactly when the Privacy reforms will be introduced or when third party cookie deprecation will actually happen, we can look at some learnings from developing regulatory regimes around the world and take this opportunity to examine our current data practices to better understand what may need to change. It’s an exciting time to be a data-driven marketer. We have an opportunity, through the way we embrace and embed compliance best practice into all we do, to build on the sustainability and value of the industry,” Martens says.