As expected, new privacy legislation has made life more complicated for advertisers.
Big platforms like Google and Meta are either working with less data or are keeping it to themselves. At the federal level, President Joe Biden has repeatedly called for privacy legislation, but much of it continues to die, literally, on the Hill.
The patchwork quilt of privacy legislation continues to grow as new state-level legislation gets the green light. Since California’s passing of the California Consumer Privacy Act (CCPA) in 2018, 11 other states have signed their own comprehensive consumer privacy bills into law, including Texas, Delaware, and Tennessee, per Bloomberg Law.
“[2023] made things more complex from a compliance point of view for businesses in the US,” Gary Kibel, a partner at Davis+Gilbert who focuses on privacy and data security, told Marketing Brew. Now that many of these newer laws have begun to go into effect, “enforcement is going to pick up” this year, he told us. Last summer, Sephora became the first company fined under the CCPA after it allegedly failed to disclose that it sold users’ personal information and did not provide an opt-out link in some circumstances.
“It’s a complex and confusing time for businesses dealing with personal information right now, and it’s only going to get more challenging,” Kibel said.
Other states have taken a more narrow approach when aiming to expand consumer protections. In April, Washington State passed a sweeping health data law, which, among other things, aims to fill in the gaps in the data privacy laws already on the books, like HIPAA.
“With the recent Dobbs decision, with the restriction of access to reproductive healthcare in other states, with the privacy landscape changing with that decision, it became evident that women’s health data needed to be protected—that people who were accessing reproductive care, gender-affirming care, and were seeking it in Washington State needed to be protected,” state Rep. Vandana Slatter, who introduced the bill, told Marketing Brew in April, shortly after the bill passed. “There was a gap in that protection on websites, apps, and searches.”
Get marketing news you'll actually want to read
Marketing Brew informs marketing pros of the latest on brand strategy, social media, and ad tech via our weekday newsletter, virtual events, marketing conferences, and digital guides.
Unrelated, related: In mid-December, CVS Health, Kroger, and Rite Aid admitted to sharing customers' medical records with law enforcement, the Washington Post reported.
And in October, California Governor Gavin Newsom signed the Delete Act into law, which will require data brokers to delete “all personal information” related to a consumer every 45 days if they ask.
At the federal level, things have largely been stuck in neutral. In an executive order about artificial intelligence, President Biden called for a federal privacy law. This year, Congress has considered several different privacy bills, largely focused on regulating how advertisers target minors. Lawmakers have introduced the Kids Online Safety Act and an updated version of the Children’s Online Privacy and Protection Act, but so far, both have stalled. The IAB has previously voiced concerns about both.
Hyperlink party: Last year, Marketing Brew went to our first privacy conference! Turns out, privacy lawyers are talking about this just as much as advertisers are. Additionally, representatives from the Federal Trade Commission made a rare appearance at an ad conference.
If all this privacy stuff seems complicated, read more of our coverage on how the industry has responded, by phasing out IP addresses as a targeting tool, leaning on contextual advertising tools, and prioritizing clean rooms.