What is consumer privacy in marketing and why marketers must care
From GDPR, CPPA and ADPPA, here’s all the information marketers should know.
The U.S. is on the cusp of implementing a new national privacy law, the American Data Privacy and Protection Act (ADPPA). And while we may be late to the party (the EU’s General Data Protection Regulation, or GDPR, was implemented in 2018), it’s now high time for businesses to start paying attention to data and how it impacts consumer privacy.
The new law will have significant implications for marketers, who will need to ensure they are handling consumer data in a responsible and transparent manner. Consumers, for their part, are more invested in maintaining control of their data and reluctant to exchange personal information (even for incentives) unless they trust that you’re being careful with their data. Nearly three-quarters of consumers rank data privacy as a top value, a recent report by MAGNA Media Trials and Ketch found.
In this post we’ll cover:
- What is privacy in marketing?
- Why marketers should care.
- How important is privacy to consumers?
- The four types of consumer data.
- Privacy initiatives marketers should know about.
- Privacy-enhancing technologies.
- What does this mean for marketers?
Estimated reading time: 9 minutes
What is privacy in marketing?
Privacy in marketing is all about data — specifically, an individual’s personal, identifiable or aggregate data and how companies collect it, use it, share it and forget it. The International Association of Privacy Professionals (IAPP) defines privacy as, “the right to be left alone.”
From a data privacy perspective, that means individuals have the right:
- To understand how their data is being used.
- To control who has access to it.
- To tell a company to stop using it.
- To have it deleted if they want.
Privacy is not an all-or-nothing proposition. There are different levels of sensitivity when it comes to the types of data companies collect. For example, a consumer’s name and email address are not as sensitive as their health data (although with the implementation of ADPPA, that could change.)
Why marketers should care
We can’t have all the shiny new marketing things — omnichannel experiences, customer centricity, personalization — without consumer data. But with big data comes big responsibility.
It may have taken consumers and especially U.S. consumers, a long time to become educated about the fact that brands engaged in granular tracking of online behavior, using the data gathered for marketing purposes or even selling it.
Ironically, U.S. brands were forced to take privacy seriously by European legislation (GDPR) because the worldwide reach of the internet meant brands could hardly guarantee to avoid engagement with European data subjects. The new horizon, however, is not just complying with applicable privacy laws — it’s being proactive about consumer privacy to build trust, establish community and secure loyalty.
How important is privacy to consumers?
Consumers care about privacy a lot, according to the MAGNA and Ketch survey, but this doesn’t mean they’re as focused on privacy compliance laws as, say, the entire digital marketing industry.
90% of survey respondents had never heard of the Virginia Consumer Privacy Data Protection Act (VCDPA). But while people may not be closely following government-imposed privacy regulations — or how businesses comply with them — they’re paying attention to companies who get flagged for poor privacy practices.
Even if consumers don’t know the acronyms as well as we do, they’re concerned about how businesses handle their data, with just 5% having no major concerns.
Here are some top concerns, according to a recent survey by Tinuiti:
- More than 50% of consumers agree that there’s no such thing as online privacy.
- Roughly 40% to 50% (depending on age) of people think their mobile phones are listening to them.
- 70% of consumers don’t like receiving targeted ads as a trade-off for providing their information.
- Over 40% of consumers are very worried about criminals gaining access to their data.
While it’s true that consumers are more aware of how companies use their data and have some concerns, they’re still mostly in the dark when it comes to a business’s privacy practices — which makes them suspicious. Nearly 60% of consumers in a recent BCG/Google survey think companies are selling their data even though the reality is that most companies don’t do this.
Marketers need to do a better job of educating consumers about how we use their data and what we do to protect it. We also need to be more transparent about how we use consumer data to personalize experiences. Familiarizing yourself with the types of data you’re collecting — and why — is a good start.
The four types of consumer data
Marketers use four types of data – first-, second- and third-party data. More recently, what has become known as “zero-party data” emerged (although it’s actually a subset of first-party data). Here’s an overview of each.
Zero-party data
The term zero-party data was first coined by Fatemeh Khatibloo, VP principal analyst at Forrester Research. The term “declared data” might be a better descriptor, but Khatibloo placed the concept within the tiered hierarchy of first-, second- and third-party data.
Basically, zero-party data is derived from a customer expressing a personal preference, be it the color of an item, clothing or shoe size, quantity, birthday, how they wish to receive information or even page settings.
First-party data
This is data you collect yourself, usually through your website or app. It includes information like names, email addresses, phone numbers, customer purchase histories, etc. It can also include behavioral, location and customer interaction data (e.g., chatbot transcripts). You own this data. That is, you collected it and you can use it how you see fit within the constraints of your region’s data privacy laws, of course.
Second-party data
This is data that another company shares with you, usually under the auspices of a partnership or some other type of business relationship. It could be something as simple as an email list that you purchased, or more complicated like activity from apps, purchase history and proprietary research. The data, in this case, is owned by the company that collected it, but you have permission to use it.
Third-party data
This is data that you collect from sources that are not affiliated with you in any way — think consumer data gathered by website cookies placed on someone’s browser as they surf the web.
Third-party data is used widely by marketers to target and personalize ads. New privacy regulations require companies to get express permission from consumers to collect and use cookies or risk stiff penalties. Companies like Google, Apple and Mozilla are (or soon will be) eliminating support for cookies to avoid these penalties.
The new cookieless future will make it more difficult to target ads and personalize messaging. It’s the direct result of emerging consumer privacy laws like GDPR and CCPA.
Privacy initiatives marketers should know about
Some privacy laws like the EU’s GDPR, Australia’s Consumer Data Right (CDR) law and California’s Consumer Privacy Act (CCPA) have already been passed.
A fourth initiative, the U.S.’s ADPPA, is currently still cooking on the legislative stove. It’s been approved for a vote in the U.S. House of Representatives, then it must pass in the Senate. If approved, it will be the first comprehensive national law governing how companies collect and use consumer data in the U.S.
Here’s a (very high-level) breakdown of some important consumer privacy initiatives:
- GDPR: The EU’s General Data Protection Regulation went into effect in 2018 and strengthens consumer privacy rights by, among other things, giving consumers the right to know what personal data is being collected about them, the right to have that data erased and the right to object to its use.
- CCPA: California’s Consumer Privacy Act, signed into law in 2018, went into effect in January 2020. It gives Californians the right to know why and how businesses collect their data, plus what data is collected. It also gives consumers the right to opt out/withdraw consent and the right to be forgotten (e.g., have their data deleted).
- CDPA: Virginia’s Consumer Data Protection Act will likely go into effect in 2023. As with CCPA, it gives consumers much more control over how companies obtain and use their data. It also places an emphasis on data security, meaning companies will be required to take reasonable steps to protect consumer data from unauthorized access, destruction, use, modification or disclosure. Here are some differences between CCPA and CDPA marketers should be aware of.
- ADPPA: The American Data Privacy and Protection Act, projected to pass in 2023, would (among other things) give consumers the right to know more about their data, including how companies collect, use and share it. It gives Americans the right to opt-out of targeted advertising and provides “strong protections” for minors which minimize the collection and sharing of minors’ data.
Of note, the ADPPA is the first consumer data privacy and security bill aimed at protecting Americans from what has essentially been unfettered access to and use of their data by U.S. businesses.
It’s focused on reducing “commercial surveillance” and strictly regulates what data can be collected at all. It also limits how data can be used. Businesses absolutely need to understand what’s in this bill, which is why we took a deep dive into the specifics of the ADPPA’s main points, including how it will impact marketers.
Privacy-enhancing technologies
Businesses can get help from technology when it comes to addressing privacy issues. For example, both brands and publishers can take advantage of data “clean rooms.” Clean rooms are a type of privacy-enhancing technology (PET) that allows data owners to share customer first-party data in a privacy-compliant way. Clean rooms are secure spaces where first-party data from a number of brands can be resolved to the same customer’s profile while that profile remains anonymized.
Closely related is “differential privacy.” This uses a cryptographic algorithm to add statistical noise to the data, enabling patterns in the data to be detected while information about individuals is shielded. There are many other types of PET.
What does this mean for marketers?
Consumer privacy laws like GDPR, CCPA and ADPPA impose strict rules around what, how and why data is collected. Meanwhile, consumers are becoming more invested in their own data — and how companies use or misuse it. People want more control and transparency. They want to reclaim ownership of their information from the Googles and Amazons of the world.
In addition to knowing the latest privacy regulations, marketers should better understand how consumers feel about data, including what data they’re willing to part with in exchange for incentives like discounts, freebies and convenience.
Two-thirds of respondents in the BCG/Google survey said they like getting ads customized to their interests, but nearly half are worried about sharing their data. Younger generations will give up more data for fewer incentives versus older consumers. And no matter what data you’re collecting, you need to cultivate trust and transparency with processes and technology that comply with data privacy laws and keep consumers informed.
All of this requires that marketers create a privacy-first, transparent and resilient approach to data usage and data privacy. Increasingly, it also means you’ll have better control over consumer data collection preferences and usage if you have your own data rather than relying on second- or third-party data for your marketing initiatives.
Contributing authors are invited to create content for MarTech and are chosen for their expertise and contribution to the martech community. Our contributors work under the oversight of the editorial staff and contributions are checked for quality and relevance to our readers. The opinions they express are their own.
Related stories