Between a potential—but unlikely—national privacy bill and both state and federal regulators beginning to crack down on the use of personal data, the privacy landscape has shifted underneath the feet of marketers.
In August, Sephora agreed to pay a $1.2 million fine for allegedly violating the California Consumer Privacy Act (CCPA). Separately, the data broker Kochava is in a legal tussle with the FTC over a disagreement around selling location data to advertisers. And several states have enacted privacy legislation.
Slowly but surely, targeted advertising is going from a largely unregulated industry to one that’s in the crosshairs of legislators. And last month, the IAB warned that few in the ad industry “seemed truly prepared for ongoing data-privacy legislation changes.”
So, what’s a chief marketing officer to do?
“There’s no question that the whole operation of marketing is changing under the weight of these new privacy restrictions,” said Andrew Frank, VP distinguished analyst at Gartner. “Whether it’s changing the fundamental job function of a marketing leader strikes me as a more difficult question.”
Nobody is expecting a CMO to replace a company’s legal team or to become a chief privacy officer. But at the heart of privacy laws are the mechanisms that power targeted advertising. With regards to Sephora, California’s attorney general accused it of sharing data through commonly used web-analytics tools, which enabled it to see a customer’s precise location, what device they were using, and what they had in their shopping cart.
“That was like the first shot over the bow—like, you guys better pay attention,” said Laurel Rossi, CMO of the digital advertising company Infillion, who said she was surprised how small the fine was.
Bad press is sometimes just bad press
With its own in-house media team, Andrea Brimmer, CMO and PR officer at Ally Financial, doesn’t rely exclusively on agencies to do the dirty work for her marketing team.
Brimmer has embedded compliance within the marketing department, bringing compliance staff into marketing meetings and all-hands. Ally has also hired three roles responsible for what it calls “first-line risk” for the marketing and communication department, tasked with following “all of the laws and legislation…[and] identifying any potential risks.”
“Over the last two years…We’ve really doubled down on our knowledge as a marketing team in this space,” she said.
But no amount of compliance can improve the more tangible performance issues that’ll likely result from less and less available data.
“It’s going to be harder to retarget people, it’s going to be harder to get people’s data, you’re going to have to just work smarter to be able to get it, and it’s going to cost you more in the end,” she said.
Get marketing news you'll actually want to read
Marketing Brew informs marketing pros of the latest on brand strategy, social media, and ad tech via our weekday newsletter, virtual events, marketing conferences, and digital guides.
Victoria Vaynberg, CMO of Zola, said the wedding platform’s handling of consumer privacy is a “cross-collaboration effort, but certainly something that hits my plate, too,” as the company manages “through CCPA and opt-ins and all those things.”
“As a brand in general, you have to continue to think about the value that you’re adding into people’s daily life, because I think we’ll continue to be in a world where advertising continues to have more privacy and more protections and more options for the user,” she said.
Ultimately, whether a CMO is involved in privacy conversations or not, protecting a brand’s reputation is generally the responsibility of the marketing department, explained Joshua Palau, SVP of growth marketing and media at LendingTree. Headlines about settlements and fines related to data privacy aren’t usually in a company’s media plan.
“If you’re the CMO, you have to have a very good, functioning knowledge of privacy laws and what’s happening,” he told Marketing Brew. “If, god forbid, you’re in the wrong space, then you’re the ones in the Wall Street Journal.”
Check-up
On top of complying with laws, companies are also trying to figure out the best approach to take to privacy, whether it’s a one-size-fits-all approach, which could leave dollars on the table, or a more tailored one that is designed to comply with a patchwork of state laws.
“Brands are trying to figure out whether they’re taking a jurisdiction-specific approach or not. Obviously, the broader industry is saying jurisdiction-specific would really be really onerous. For brands, it also raises some concerns or questions about differential treatment of their customers,” said Arielle Garcia, chief privacy officer at UM.
Spurred by the leaked Supreme Court draft opinion on Roe, Garcia and her colleagues began asking the agency’s individual partners, like clients, DSPs, SSPs, and data partners, about their own privacy policies, like whether they had policies that defined sensitive locations and how they would respond to law enforcement if asked to share that data.
The intention was to “make sure that they had this on their radar and they were connecting internally,” she said. Still, a CMO might not have the depth of technical knowledge to understand specific legislation around things like tracking pixels or the technicalities around Meta’s CCPA-compliant Limited Data Use tool, she said.
But that might not be the case for long—Jessica B. Lee, a privacy lawyer and chair of Loeb & Loeb’s privacy, security, and data innovations practice, told Marketing Brew that she was recently asked to speak with undergraduate marketing students at Louisiana State University.
“It seems like this is really getting integrated into the core of what marketers are doing,” she said.