Data privacy regulations deconstructed
With so much of daily life now technology-based, online privacy has become the focal point of digital issues and concerns.
We use robotic vacuums, automatic pet feeders, smart home devices, and even smart appliances. They’re all connected to our phones via apps and they all have their own business websites.
Of course, with the luxury of having everything at our fingertips, we also face the burden of our information being out there. That is why online privacy has come to the forefront of our concerns.
That’s where data privacy regulations come in. By law, you likely have your website set up to prompt users about their data privacy preferences. However, you may not fully understand what these regulatory prompts are, how they work, or what the consequences of mishandling user data are.
So let’s deconstruct data privacy for you — including the most prominent data privacy regulations out there.
What exactly does data privacy mean?
Data privacy falls under the umbrella of worldwide data protection and deals with the proper handling of user data online. “Proper handling of data” means website owners complying with data protection regulations. The concept itself covers how data should be collected, stored, managed, and shared with any third parties.
However, data privacy doesn’t only concern the proper handling of data from one end to another. It’s also about managing the public’s reasonable expectation of privacy. That’s why all websites must now comply with the General Data Protection Regulation (GDPR) and several other regulations.
Data privacy revolves around three very important elements:
- An individual’s right to have control over their personal data, which includes the right to simply be left alone.
- Procedures being in place for the proper collecting, handling, and sharing of users’ personal data.
- Ensuring compliance with the various data protection laws.
Essentially, when we talk about data privacy and data protection, we’re talking about protecting both private and general user information. This would include everything from their location and demographics to account and credit card information.
The importance of data privacy
Data protection laws exist around the world with the specific purpose of giving individuals control over their own data. This means empowering them to understand how and why their data is being used, as well as by whom.
As a publisher, you likely have an understanding of the concept and importance of the user experience (UX). Therefore, you know that it’s crucial to deliver on users’ expectations to build trust and increase your return visitor metric.
Well, the same goes for data privacy.
According to recent survey statistics, 73% of respondents stated that having trust in a business matters more now than ever. What’s more, 84% of respondents stated that they cared about their privacy, especially over their own data. They wanted more control over how their personal data was used.
Whether you are a publisher or an eCommerce owner, the importance of privacy and building trust still applies to you. Publishers need to learn how to handle the personal data of users while ensuring the protection of privacy preferences among their website visitors.
Data privacy vs. data security
Interestingly enough, there’s no strict definition of what data privacy is — only a general understanding.
It actually wasn’t until the GDPR came around that we were finally given a comprehensive data protection law reflecting today’s digital era with regard to how data is created, collected, and managed alongside modern business processes.
However, it still does not provide a strict definition. Neither do its related laws, which would include the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), or even the Children’s Online Privacy Act (COPPA). Additionally, to properly comply with all the data privacy laws out there, you need data security as well.
Data privacy and data security are two terms that seemingly overlap because they fall under the data protection umbrella.
Moreover, you can’t have data privacy without data security. So far, we know that data privacy focuses on the individual user’s rights regarding the purpose of data collection and processing, their privacy preferences, and how website owners and businesses alike manage this personal data.
Therefore, data privacy equates to collecting, processing, archiving, sharing, and deleting user data in accordance with the privacy laws set forth.
Data security, on the other hand, revolves around a certain set of standards and safeguards for user data. More specifically, data security is the set of standards and safeguards that website owners and organizations put in place to prevent any unauthorized access to digital data by third parties.
The primary focus here is to protect user data of all kinds from malicious attacks and data breaches as well as the subsequent exploitation of that information. This would include managing access controls, implementing encryption, maintaining network security, and so on.
While data security is something that may seem more important for businesses and large organizations, it’s equally as important for publishers using plugins on their websites and offering subscription-based content or even the option to create a user account.
Essentially, if the data you’re collecting isn’t secure from unauthorized access as you collect, handle, and store it, then you’re already violating the various data privacy laws.
The consequences of non-compliance
New and intrusive ways of collecting users’ personal data emerge every day as our use of technology continues to increase. It will eventually reach a point where not understanding data privacy laws becomes dangerous, as organizations, businesses, and website owners are already at risk of fines and lawsuits if found non-compliant.
What’s more, your reputation is on the line as are the trust and loyalty of your recurring visitors.
Being found non-compliant can mean several things:
- You’ve ignored data privacy regulations and users’ rights while collecting and handling personal data.
- You’ve been subject to a data breach.
- You’ve been subject to a data breach and failed to report it to the proper authorities.
The consequences of being found non-compliant with data privacy regulations will depend entirely on which laws you’re being penalized for. For example, under the GDPR, any business that fails to comply is at risk of being fined a minimum of 4% of their yearly earnings.
Non-compliance with COPPA can land you upwards of $400,000 in fines while the maximum civil penalty for non-compliance with the CCPA is $2,500 for each unintentional violation and $7,500 for each intentional violation.
Put simply, if you’re found non-compliant for any reason, the consequences are some hefty fines that can put you out of business. Your business or website may also be put on an indefinite suspension from collecting and processing information — not to mention, it can negatively affect your reputation and scare away returning customers and visitors.
A breakdown of the various data privacy regulations
The GDPR has set the tone for data privacy regulations, and other countries, including the United States, are following suit. In fact, the United States is beginning to implement data privacy laws on an individual level, meaning that regulations and consequences will vary independently by state.
Let’s take a look at a few of the most prominent data privacy laws out there and how they compare:
The General Data Protection Regulation (GDPR)
The GDPR is the European Economic Area (EEA) data protection framework that became active on May 25th, 2018. This data privacy law has a proactive and consent-first approach to collecting and processing user data to ensure that companies don’t collect and process data without lawful and valid reasoning.
The GDPR includes the broadest definition of what personal data entails and is extremely important for companies selling products or services within the EEA.
Under the GDPR, you can track user activities, however, you need to first obtain consent from each user and tell them who you plan to share their data with. The data in question includes the following:
- Personal information, such as name, address, date of birth, etc.
- Web-based data, such as the IP address, cookies, etc.
- Genetic and health-related data.
- Demographic data, especially ethnic and racial data.
- Biometric data, including sexual orientation and political opinion.
The California Consumer Privacy Act (CCPA)
The CCPA was implemented in January 2020, and this law maintains that all consumers/users have the right to decide who gets to see their personal data and how much of it. It also allows users to “opt-out” of data collection if they wish, meaning they can keep all of their data from being shared.
Under the CCPA, personal data includes the following:
- Names, addresses, phone numbers, social security numbers, etc.
- Email addresses, IP addresses, cookies, etc.
- Demographic information.
- Behavioral data, such as browsing history, interactions, purchases, etc.
Unlike the GDPR, however, the CCPA doesn’t require the user’s initial consent. Instead, it gives the user control of who sees their data. Therefore, publishers collecting user data to share it with ad tech partners must disclose their purpose immediately and offer the option to delete the information that has been collected.
The California Privacy Rights Act (CPRA)
The CPRA is a newer data privacy law that’s set to become active in January 2023. This law is meant to provide additional legislation to the CCPA to amend certain shortcomings.
For example, under the CPRA, companies and website owners are required to prompt visitors with a visible “Do Not Share or Sell My Personal Information” message to give them more control over who sees and uses their data.
The Utah Consumer Privacy Act (UCPA)
The UCPA will make Utah the fifth state to pass its own data privacy regulations rather than wait for the federal government to enact its (eventual) upcoming nationwide privacy law. This law will become effective in December 2023 and will fall in line with existing state privacy laws, with several shifts in a different direction as it takes into consideration small and mid-size publishers — not just business owners.
In short, the UCPA primarily applies to businesses that earn an annual $25 million or more and process the personal information of 100,000 users minimum. This law also applies to publishers who control or process the data of a minimum of 25,000 users and generate at least 50% of their gross revenue by selling said data to third parties.
Additionally, the UCPA does not require user consent before processing data as long as a notification is provided allowing users the option to opt-out of having their data collected and shared.
What can publishers do to stay compliant?
Keeping up with the growing body of data privacy laws is challenging to say the least. As a publisher, you’ll need to keep up with privacy-forward advertising, and to do that, you’ll need to do the following:
- Implement a Customer Data Platform (CDP). A CDP can give you a detailed view of the information you’re collecting. It can also help you clean up said data and create unified records of individual users to understand how their data is being used by third parties.
- Implement a Consent Management Platform (CMP). CMPs are the easiest way of setting up consent and opt-out prompts on your website while ensuring that third-party trackers don’t continue to collect the data upon refusal.
- Don’t collect data you don’t need. Focus less on collecting all the possible data and more on exactly the type of data that’s relevant to your revenue needs. The less data you collect, the less chance of a violation.
- Be vigilant about privacy updates. Data privacy laws will continue to evolve and multiply. Therefore, you need to pay attention to any new changes coming your way via ad tech news blogs and anywhere else you get your ad tech information.
While you're here...
Did you know that the average publisher loses 10-40% of their revenue to adblocking? What you may not know is that adblocking has largely shifted to ad-filtering, with over 250M users allowing a safer, less interruptive ad experience to be served to them—in turn supporting their favorite sites and creators.
Blockthrough's award-winning technology plugs into publishers' header bidding wrapper and ad server to scan ad creatives for compliance with the Acceptable Ads Standard to activate this "hidden" audience and generate incremental revenue, while respecting the choice and experience of ad-filtering users.