Long gone are the days of marketers using customer data to target, retarget, and sell to other businesses as they please. Today’s consumers have caught on to exactly what’s happening with their personal data — and they’re not pleased with what they see.
It’s no wonder, then, that the last decade has been a record-breaking one for new data privacy regulations, restrictions, and best practices.
While the changes have been embraced by consumers craving more control over their personal information, they’ve also required significant pivots from digital marketing teams to meet legal requirements and build trust with an ever-wary audience of users.
Today, we’ll help you update your team’s strategy by detailing the most important marketing data compliance laws out there, including their impacts on popular digital marketing tools and systems.
You’ll also find three proven tactics for creating a privacy-centric marketing strategy that adheres to these regulations and builds stronger targeted campaigns.
Laws Regulating Marketing Data Privacy
Consumer data protection is an evolving legal field, and new laws are continually being passed on state and federal levels.
However, when it comes to data privacy laws that most impact digital marketers at this time, there are two that lead the pack: the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Note: We are not legal experts, and nothing in this article should be considered legal advice. Please consult a local data privacy attorney to ensure your consumer data practices comply with necessary laws and regulations.
General Data Protection Regulation (GDPR)
Since it was first passed in May 2018, the GDPR remains the strictest privacy and security law in the world. While it technically governs E.U. member countries, the global nature of the internet means that even U.S.-based digital marketers must abide by its rules.
The official GDPR documentation is more than 80 pages long and makes for some dry reading. We recommend every digital marketing team review it with a legal professional to ensure privacy compliance — but, in the meantime, here’s a summary of what it means for marketers:
- Customer data must be gathered and processed legally, fairly, and transparently. This means businesses can only obtain user data after receiving permission and must be explicit about the policies through which that data is maintained. Data can only be stored for as long as necessary for the specified purpose and must be protected per GDPR regulations.
- Customer data must be handled securely. Brands must take “appropriate and organizational measures” (such as two-factor authentication and end-to-end encryption) to safeguard user data.
- Consent must be freely given and specific. Businesses must keep clear documentation of consent. If a user does not give you explicit consent for a certain marketing activity (email communication, activity tracking, etc.), you cannot engage in those efforts.
These rules don’t just apply to first-party data collection; they regulate the collection and use of any third-party data, too.
In 2019, the court associated with the GDPR ruled that users in the EU must actively consent to all analytics cookies when they log onto a website. If they don’t, the website can’t drop analytics or web tracking cookies in the user’s browser.
This spelled trouble for those marketing platforms (such as Google Chrome and Meta) that relied on data collected via third-party cookies for audience targeting.
It’s important to note that these global privacy protections also affect first-party cookies, requiring users to actively opt in to a website’s tracking when browsing (rather than the “implied consent” of ignoring “do not track” in the past).
Since its creation, the GDPR has changed the way marketers work. You’ve likely noticed that analytics platforms like Google Analytics 4 and CRM systems like HubSpot integrate these regulations into their processes. You may even receive reminders from those platforms when your activities don’t adhere to GDPR rules.
While many tools do the hard work for you, we recommend researching GDPR regulations yourself to see where your business fails to comply. Leave those privacy issues unresolved, and your brand could face lawsuits and significant financial penalties.
California Consumer Privacy Act (CCPA)
The same year that the European Union released GDPR, the state of California passed its own set of privacy-related restrictions, called the California Consumer Privacy Act.
While not as all-encompassing as the GDPR, the CCPA grants consumers similar rights when it comes to their personal information, including:
- The right to know about the personal information a business collects about them and how it is used and shared
- The right to delete personal information collected from them
- The right to opt out of the sale or sharing of their personal information
- The right to non-discrimination for exercising their CCPA rights
- The right to correct inaccurate personal information that a business has about them
- The right to limit the use and disclosure of sensitive personal information collected about them
Many of these regulations overlap with the privacy requirements of the GDPR, and they may not necessarily require extra work from marketing teams that are already in compliance with the GDPR. However, like with all legal regulations, we encourage your team to consult an experienced attorney to keep your marketing and data collection processes up to standard.
Note: The CCPA currently only applies to those providers who conduct business in the state of California (either digitally or through brick-and-mortar locations) and meet one or more of the following criteria:
- Have revenue of $25 million or higher
- Receive information of 50,000+ consumers, households, or devices annually
- Derive 50% or more of annual revenue from selling consumers’ personal information
That said, due to the overlap between the CCPA and other data privacy laws, meeting CCPA requirements will help your brand better comply with those existing (and any future) privacy regulations.
How Marketing Platforms Regulate User Privacy
For many marketing businesses, the threat of legal action and fines was the motivation needed to implement new privacy-centric processes. Some platforms, such as Google Analytics, actually built these legal requirements into brand-new iterations of their products.
Below, we’ve detailed a few of the updates rolled out by commonly used platforms over recent years. Chances are, if you’ve been running digital campaigns over the same period, these policy changes have required major strategy pivots — so we’ve also included some of our team’s recommendations for embracing them and maximizing your marketing returns, regardless of these changes.
Apple’s App Tracking Transparency (iOS 14.5)
In the spring of 2021, Apple rolled out a new data privacy policy allowing iOS users to opt in or out of third-party activity tracking by downloaded apps. While advertisers initially anticipated an opt-out rate of 50%, users overwhelmingly chose to protect their privacy data, with more than 90% of users opting out of third-party tracking.
The results for marketers: Smaller audiences, incorrectly attributed conversions, and delayed attributions on key channels such as Meta.
With less third-party data to lean on, pay-per-click marketers saw a huge drop in their retargeting campaigns’ efficiency. Today, advertisers must target a much broader audience to generate pre-iOS-14.5-level results, as well as rely heavily on their first-party customer lists to create effective lookalike audiences for their ad campaigns.
Struggling to generate positive returns with your Meta ad campaigns? Schedule a free consultation with our team to see how we can help.
Google Analytics 4 Thresholding
As part of its efforts to improve upon Universal Analytics, Google Analytics 4 incorporated a new privacy-centric design, with features such as user consent options and data deletion controls, all of which serve to meet the requirements of legislation like the GDPR and CCPA.
However, these features can (and frequently do) withhold data from marketing teams.
Just one example: Depending on the size of your audience and which Google Signals option you’ve selected, you’ll likely experience what’s known as “thresholding” in your GA4 reports.
In short, thresholding is Google’s way of protecting individual users’ proprietary data by withholding certain information — page visits, conversions, etc. — that could be too easily traced back to a single user.
While you can’t completely eliminate thresholding from your reports, you can make changes in GA4 that decrease the likelihood of it occurring, including adjusting the date range or exporting your data to an external source like BigQuery.
GA4 Limits on Personally Identifiable Information (PII)
Similarly, Google Analytics 4 also prohibits marketers from collecting and/or storing any personally identifiable information (PII) of users. This is any information (names, email addresses, phone numbers, social security numbers, etc.) that could be used to directly identify, contact, or precisely locate an individual.
Just because PII is prohibited, however, doesn’t mean it can’t slip into your GA4 property by mistake.
When PII ends up in your data, it not only violates privacy standards but also opens the door to potential legal repercussions. By excluding PII, you create a safeguard against personal data breaches, unauthorized access, and privacy breaches.
To ensure that your GA4 property is not collecting or storing personally identifiable information, use the three-step process outlined in our blog.
Google Chrome’s Privacy Sandbox APIs
After years of doomsaying about the deprecation of third-party cookies, Google Chrome officially backtracked on its promise in the summer of 2024.
Although third-party cookies are here to stay (for now), Chrome has pledged to move ahead with its Privacy Sandbox initiatives, an alternative to third-party cookies that aims to better protect customers’ privacy.
While the Privacy Sandbox has gone through several iterations over the years, it has three main goals:
- Keep user personal information private while browsing the internet
- Enable publishers and developers to keep online content free without relying on intrusive tracking
- Build new internet privacy standards in collaboration with members of the advertising and digital publishing communities
As it currently stands, advertisers can continue to use third-party cookies in their audience targeting (although we highly recommend building up and leaning on a library of first-party data for better results).
But, as Google continues to test its Privacy Sandbox, users will likely be able to opt in or out of third-party cookies in the future — which means advertisers can’t rely on this data indefinitely.
In addition to building up your first-party data, we recommend auditing your use of third-party cookies on Chrome and testing for breakage to simulate performance when users eventually do opt out of tracking.
Note: Firefox and Safari did away with their third-party cookies back in 2013; Google is the last (and largest) man standing on this frontier.
Google Ads
As a platform, Google Ads has historically made it easy for marketers to adhere to data privacy restrictions using default settings. But, with new consumer protection laws coming into effect, the platform has introduced a few additional features that could impact advertisers serving ads in Florida, Texas, Oregon, and Montana.
- Restricted Data Processing: By acting as a data processor instead of a controller, Google relinquishes its use of audience data in these states. Ads will be more general and no longer tailored to a user’s interests or browsing history.
- Colorado Universal Opt-out Mechanism: Users can send Global Privacy Control (GPC) signals, which will opt out of having their data used for personalized Google Ads.
These updates will be made automatically, and no further action is required from advertisers.
Unfortunately, these changes will continue to limit the amount of data that Google Ads provides advertisers, potentially resulting in:
These effects can be minimized by a strong first-party data library and a privacy-centric PPC marketing strategy (more on that below).
3 Ways to Create a Privacy-Centric Marketing Strategy
These digital marketing privacy regulations may seem to exist solely to make your job harder — but what are marketers if not inventive thinkers who can roll with the punches?
You’ll need to do extensive research to make sure your campaigns abide by these regulations, but there are also some general steps you can take to put your marketing efforts on the path to success in a privacy-first world:
1. Invest in your first-party data.
As marketing platforms feed you less data about your customers, it will be up to you to gather the information needed to build effective targeting lists. The more you have, the better your remarketing campaigns will perform.
Start gathering as much data as possible by:
2. Use your existing data sources.
If your brand has been in the game a while, you probably already have significant audience data gathered in platforms like Google Analytics 4 and Meta — but you may not know where to find it.
GA4 tools like exploration reports and purchase funnel ****** are great for taking a closer look at your customer behavior. With Predictive Audiences, you can lean on your existing customer data to build stronger retargeting lists based on predictive behavior analytics.
If you need help finding this data, we offer personalized Google Analytics 4 training that can uncover the insights hiding in your account. Contact us today to learn more or schedule your live training session.
3. Consider server-side tracking.
Server-side tracking is a popular alternative to client-side tracking (i.e. tags and pixels). When implemented correctly, it can deliver a more complete and accurate picture of your audience data — without running afoul of digital marketing privacy regulations.
In a nutshell, server-side tracking/tagging sends user data to a domain or subdomain of your website before passing it to your analytics platform. This creates an additional layer between your website and your data collection platform, providing increased security and control of user information.
Server-side tracking is technically complicated and requires an experienced team to configure properly. That said, once it’s done, you’ll be able to confidently and legally capture first-party user data and incorporate it into your marketing campaigns.
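The "additional layer" described above is also the place to enforce consent and keep PII out of your analytics property before anything is forwarded. The sketch below is an added example, not Inflow's or any vendor's code: the function names, the `PII_KEYS` list, the destination labels, and the sample event are all assumptions, while `Sec-GPC: 1` is the request header browsers send for a Global Privacy Control signal.

```javascript
// Added example: consent and PII gate for a first-party collection endpoint.
// PII_KEYS, scrubUrl, routeEvent and the destination labels are hypothetical.
const EMAIL = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const PII_KEYS = new Set(["email", "name", "phone", "ssn"]); // assumed parameter names

const scrubText = (text) => text.replace(EMAIL, "REDACTED");

// Drop query parameters named after PII and mask e-mail addresses in the rest.
function scrubUrl(raw) {
  const url = new URL(raw);
  for (const key of new Set(url.searchParams.keys())) {
    if (PII_KEYS.has(key.toLowerCase())) url.searchParams.delete(key);
    else url.searchParams.set(key, scrubText(url.searchParams.get(key)));
  }
  return url.toString();
}

// Decide where an event may go, then return a scrubbed copy (or null to drop it).
// headers: lower-cased request headers; consent: the visitor's recorded opt-ins.
function routeEvent(headers, consent, event) {
  const gpc = headers["sec-gpc"] === "1"; // Global Privacy Control opt-out signal
  const destinations = [];
  if (consent.analytics) destinations.push("analytics");
  if (consent.ads && !gpc) destinations.push("ads"); // GPC overrides an ads opt-in
  if (destinations.length === 0) return null; // no consent: forward nothing

  const params = {};
  for (const [key, value] of Object.entries(event.params || {})) {
    if (PII_KEYS.has(key.toLowerCase())) continue; // never forward PII fields
    params[key] = typeof value === "string" ? scrubText(value) : value;
  }
  return {
    destinations,
    event: { name: event.name, page_location: scrubUrl(event.page_location), params },
  };
}

// Constructed sample event with PII that slipped into the URL and parameters.
const sampleEvent = {
  name: "purchase",
  page_location:
    "https://shop.example/thanks?email=a%40b.example&order=77&ref=jane.doe%40mail.example",
  params: { value: 42.5, coupon: "SPRING", email: "a@b.example",
            note: "ship to jane.doe@mail.example" },
};
console.log(routeEvent({ "sec-gpc": "1" }, { analytics: true, ads: true }, sampleEvent));
```

The e-mail pattern only catches addresses; names, phone numbers, and IDs embedded in free text need rules that match how your own site builds its URLs and event parameters.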
Learn more about setting up server-side tracking with Inflow’s team (or with our recommended third-party programs) by scheduling a consultation today.
—
Data privacy protection in digital marketing is here to stay — and, based on recent developments, will likely get more stringent as time goes on. Therefore, it’s critical that your digital marketing team create a plan today to prevent impacted performance in the future.
You can read more of our team’s recommendations in the guides linked below, or, if you want a professional’s take on improving your first-party data strategy, schedule a free consultation with our experts anytime.