The digital marketing industry has placed cookies, pixels, and other trackers on almost every browser and device. But big changes are coming.
With information about people’s browsing activities, preferences, and location, marketing teams can promote their company’s products to a targeted demographic of potential customers. Over the past couple of decades, this activity has become commonplace.
But a recent shift in how US regulators and lawmakers approach privacy regulation suggests the era of collecting and sharing information without appropriate notice or consent is coming to a close.
The warning signs
Below we’ll look at the new laws and enforcement patterns demonstrating how the privacy landscape is shifting in the US.
But for those who have been paying attention, there have been plenty of warning signs that a new era of privacy enforcement was approaching.
For example, in September 2021, the US Federal Trade Commission (FTC) published a policy statement about the dangerous “proliferation” of products capturing and sharing health data.
And last December, the US Department of Health and Human Services (HHS) warned healthcare providers that using pixels and cookies could lead to prohibited disclosures of people’s data.
These warnings were directed at companies in the healthcare sector—but their significance is much wider. The statements show that US regulators are broadening their views on what constitutes a privacy violation.
Indeed, this March, the FTC released new guidance about the dangers of carelessly using pixels and trackers—technology that thousands of companies use to target their marketing efforts.
US regulators haven’t just been issuing stern press releases—this change in tone has been backed by legal action against companies accused of violating people’s privacy.
The first enforcement under the California Consumer Privacy Act (CCPA) arrived last August with a $1.2 million settlement with French cosmetics retailer Sephora.
Sephora allegedly broke the golden rule of CCPA compliance—do not sell consumers’ personal information without offering them an opt-out. The company’s sanction for using cookies without meeting CCPA requirements was a wake-up call for marketing departments.
The following week, in the wake of the landmark Supreme Court case overturning America’s abortion law, the FTC sued Kochava for selling location data that revealed people’s presence at health clinics and other sensitive locations.
Next came the FTC’s December 2022 settlement with Epic Games, accused of violating the Children’s Online Privacy Protection Act (COPPA) by failing to obtain parents’ consent before collecting children’s personal information.
And this February and March, the FTC settled with two health-related apps, GoodRx and BetterHelp.
Like thousands of other companies, these firms shared users’ mobile IDs, hashed email addresses, and IP addresses with Facebook and other advertisers. The FTC deemed some of this data “health information” because it revealed the identities of people using health services.
Changes in behavior
The regulators’ warnings and actions have already started to impact how companies collect and share data.
Late last year, healthcare provider Advocate Aurora Health announced it was turning off pixels and trackers on its sites. The company said it was concerned that its use of pixels could be construed as a data breach affecting millions of people.
This March, Cerebral, another health-related app, notified its customers of a “privacy breach”—again due to the use of pixels and other commonplace online tracking technology.
Five new state privacy laws
We’ve looked at enforcement and regulatory trends. But the most significant development is the introduction of five new state privacy laws that take effect throughout 2023:
Iowa also recently passed a similar state privacy law that will take effect in 2025.
Each of these laws specifically regulates targeted advertising.
Take the California Privacy Rights Act (CPRA), which took effect in January, amending the California Consumer Privacy Act (CCPA). This law requires businesses to:
- Disclose whether they engage in targeted advertising (or “cross-context behavioral advertising”).
- Allow consumers to opt out of targeted advertising (and the sale of their personal information, including via cookies).
- Respond to global opt-out browser tools like the Global Privacy Control (GPC).
Some variation on these requirements applies across all five of these laws. And California’s new privacy regulator, the California Privacy Protection Agency (CPPA), is busy hiring new staff, ready to start CPRA enforcement on 1 July.
Even President Biden advocated new controls on how companies use personal information in this year’s State of the Union Address.
In case you haven’t concluded this already: These are drastic changes. The direction of travel is clear.
Marketing and compliance teams in the US must understand this new environment and get ahead of these new requirements.
Taking privacy seriously is an opportunity to reduce risk, build customer trust, and gain a competitive edge in the new privacy-focused landscape.