TrustArc Webinar - Cross-Contextual-Advertising: Rethinking How Consumer Data Is Managed
0 likes•878 views
This document summarizes a presentation on cross-contextual advertising and data privacy regulations. It discusses how advertising and data privacy can work together given increasing regulations. Regulations like CCPA, CPRA, and state privacy laws require consent for data sharing and targeting ads. Cookie alternatives like first-party data and contextual advertising are discussed. The presentation emphasizes transparency, choice, and understanding data use to ensure digital marketing can coexist with privacy.
TrustArc Webinar - Cross-Contextual-Advertising: Rethinking How Consumer Data Is Managed
- 1. 1 © 2022 TrustArc Inc. Proprietary and Confidential Information. Cross-Contextual Advertising: Rethinking How Consumer Data Is Managed
- 2. 2 Speakers Janalyn Schreiber Privacy Consulting TrustArc Sal Tripi Vice President - Digital Operations & Compliance Publishers Clearing House
- 3. 3 Agenda ● The laws and regulations governing advertising technologies ● How advertising and data privacy can work together ● How to address the privacy issues related to cross-contextual advertising ● Q&A
- 5. 5 Privacy management is complex. Laws Storage Collection Processing Compliance People
- 6. 6 How is your Brand Ensuring Digital Privacy for Customers, Leads, and Website Visitors? ● Consumers are empowered with the knowledge about how their data is stored, shared, and collected during interactions with businesses. ● Consumers have to provide their consent before data can be obtained. ● Consumers have the right to request that a company stop using their data for marketing, commonly referred to as a "right to be forgotten" in all systems. Privacy laws are moving towards providing individuals more control than even over their personal data, requiring:
- 7. 7 Regulators Are Adding Pressure
- 8. 8 Action at the State Level ● 2018: 2 bills were introduced from 2 states ● 2019: 16 bills were introduced from 13 states ● 2020: 25 bills were introduced from 16 states ● 2021: 29 bills were introduced from 23 states ● 2022: ~60 bills were introduced or carried over from 2021 in 29 states + DC: ○ 23 states held committee hearings. ○ 14 states passed bills out of committee. ○ 7 states passed a bill through one chamber. ○ 2 states passed laws: ■ Connecticut ■ Utah The number of state privacy legislation bills introduced since 2018 makes it clear that states are getting increasingly serious about data privacy:
- 9. 9 Which Regulations Address Digital Marketing? ● California - California Privacy Rights Act (CPRA): ○ Adds rights - correction, restriction of use, and opt-out of the use and disclosure of sensitive personal information. ○ Requires opt-out for sharing data for use in cross-context behavioral advertising: ■ Add the “Do Not Sell or Share My Personal Information” link on all digital locations (e.g., web pages) where personal information is collected OR ■ Comply with a global opt-out signal (details to follow) ● Virginia - Consumer Data Protection Act (CDPA): ○ Required rights - access, correct, delete, data portability, to opt out from sales of data to third parties, targeted advertising, and certain profiling, to opt-in to processing “sensitive” data, and right to appeal. ○ Requires data protection assessments to evaluate risks associated with processing activities related to sensitive data, targeted advertising and profiling, and the sale of personal data. ■ Goes into effect January 2023.
- 10. 10 Which Regulations Address Digital Marketing? ● Colorado - Colorado Privacy Act (CPA): ○ Requires the right to opt-out of personal data targeting and a universal opt-out mechanism. ○ Requires data protection assessments for any personal data processing that may have risk to individuals. ○ Goes into effect July 2023. ● Connecticut - Connecticut Data Privacy Act (CTDPA): ○ Requires opt-in for processing “sensitive data” and opt-out for targeted advertising, data sale and profiling. ○ Goes into effect July 2023. ● Utah - Utah Consumer Privacy Act (UCPA): ○ Requires opt-out of processing for targeted advertising and the selling of personal information. ○ Goes into effect December 2023.
- 11. 11 CCPA in the News ● On August 24, the Office of the Attorney General (OAG) first settlement under the CCPA, alleging that Sephora failed to: ○ Disclose to consumers that it was selling their personal information ○ Process user requests to opt out of sale requests via user-enabled global privacy controls ○ Provide a clear and conspicuous “Do Not Sell My Personal Information” link enabling consumers to opt -out of the sale of their personal information; and ○ Provide two or more designated methods for submitting requests to opt -out. ● The OAG also alleged Sephora violated California’s Unfair Competition Law by “making false or misleading statements of facts concerning Defendants’ sale of consumers’ personal information and unfairly depriving consumers of the ability to opt-out of this sale.” Sephora Fined $1.2 Million in California AG’s First CCPA Settlement
- 12. 12 CCPA in the News ● Sephora installed third-party software on its website and app to track online consumer activity - the OAG notably called it “commercial surveillance.” ● The OAG asserted the software could track all types of data and could build behavioral profiles of users, allowing Sephora to more effectively target potential customers. ○ By receiving this data, Sephora engaged in selling - benefitting from “other valuable consideration” in the CCPA’s definition of “sale”. ● The OAG also asserted there were no valid service-provider contracts in place, which is one exception to “sale” – contractually limiting the third-party tracking companies to processing requirements to establish them as “service providers” under the CCPA. ● What’s next? CPRA may provide more risk to online tracking activities – bringing the right to opt out of the sale of personal information AND of the transfer of personal information to a third party for cross-context behavioral advertising. What Happened?
- 13. 13 Game Changers
- 14. 14 Cross Contextual Advertising “The targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, application or services, other than the business, distinctly-branded websites, application or services which the consumer intentionally interacts.” CPRA defines Cross Contextual Advertising as…..
- 15. 15 Cross Contextual Advertising “It means….. “The digital ad industry must adhere to a far higher regulatory standard as it relates to targeting and retargeting” What does that mean?
- 16. 16 Business Purpose A business that uses personal information for “cross-context behavioral advertising” and relies on a vendor to process the data, now falls outside the scope of a permitted “business purpose”. What does that mean?
- 17. 17 Business Purpose ● Auditing ● Data Security ● Debugging ● Internal research ● Quality Control ● Advertising and Marketing services (THAT ARE NOT CROSS CONTEXT BEHAVORIAL ADVERTISING).
- 18. 18 Fundamentals Are The Same ● Transparency ● Choice ● Data Classification ● Contractual Obligations ● Collecting and using data securely ● Understanding what vendors, partners and others are doing
- 19. 19 Understand Data Collection/Use ● Know what is being collect ● Know how it is being used ● Understand what data is being shared and with whom ● Roles are included in agreements (business, service providers and third parties) ● Vet all!! ● Data security, transparency and choice
- 20. 20 CPRA New Contractual Requirements 1. Limited and specified purposes. 2. Comply with applicable obligations of the CPRA 3. Grants right to ensure that the third party, service provider or contractor uses the personal information transferred in a manner consistent with the business's obligations. 4. Requires the third party, service provider or contractor to notify the business if it decides it can no longer meet its obligations under this title. 5. Grants the business the right, upon notice to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information. 6. As noted, this new requirement extends the duty to contract to third-party transfers, which is currently not required
- 21. 21 How Can Digital Marketing Coexist With Data Privacy? Legal IT Marketing 3rd Party Partners ● Learning ● Collaborating ● Leveraging Technology
- 23. 23 What is a Cookie? ● Information saved by web browsers that helps sites recognize a user’s device in the future - sites read cookies to remember the previous visit(s) and track behaviour over time. ● Privacy-driven changes to the technology landscape: ○ Google plans to phase out and ban cookies extended to late 2024 ○ Safari and Firefox already did so in 2020 ○ However! The ban only applies to third-party data cookies - so not all targeting hope is lost. ● First-party cookies are still fair game! – so what’s the difference between the two: ○ Third-party cookies are cookies that are set by a website other than the one you are currently on. ■ They are mostly used to track users between websites and display more relevant ads between websites. ○ First-party cookies allow site owners to collect basic analytics data to create a better user experience. ■ A website remembering login information and language settings, but not sharing the user’s information with other platforms – all data is siloed by domain.
- 24. 24 Cookie Alternatives? ● Leverage First-Party Data: ○ First party cookies - useful tool in retargeting, as it provides valuable information about who interacts with your business most - basic demographic information about visitors and how they interact with your content. ○ First-party data can also be collected through: ■ Surveys ■ Customer feedback ■ Social media insights ■ Email lists ■ Not the most technologically advanced, but still give a clear glimpse into wants, needs and tendencies. ● Contextual Advertising - matches ads to specific users based on keywords to put the right content in front of the right user at the right time. ○ Token-based approach Now is the time to consider some alternatives:
- 25. 25 Marketing & Privacy ● Consent & Opting Out ○ Consent must be granular, affirmative, and freely given - ask for consent for each marketing effort individually using a consent mechanism, like a checkbox. ○ Marketing consent must be distinct from any consent to a Terms and Condition agreement or Privacy Policy. ○ Make it as easy to opt-out as it was to opt-in – consent is freely given at all times during the customer relationship, not just within your sign-up mechanism. ○ Manage direct marketing consent with an Unsubscribe function on texts or emails and by using a communication preference page within the customer's account – track the time, date, country, and source through which individuals opt-in and opt-out.
- 26. 26 Marketing & Privacy ● The Risks of Lists ○ Generally, users must knowingly consent to be contacted via email before a company can legally do so. ○ Relying on purchased email lists as a cornerstone of email marketing is a risky move - instead, gather email addresses directly, e.g., through a subscription form on your website. ○ Email on a purchased list could be inactive or outdated – don’t risk a regulatory violation just to contact an inactive inbox! ● Data Retention, Purpose Limitation & Minimization ○ Personal data may only be kept for as long as necessary to carry out the particular purpose. ○ A data retention policy should outline: ■ Data collected ■ Why it was collected ■ How long it will be retained for ■ How it will be securely destroyed
- 27. 27 Consent and Preference Management is a single source of trust enabling organizations to capture and manage real-time customer consent and preferences. Save time, increase quality conversions, comply with privacy laws.
- 28. 28 28 Q&A
- 29. 29 Thank You! See http://www.trustarc.com/insightseries for the 2022 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with compliance, please reach out to [email protected] for a free demo.