In the era of digital marketing, the issue of personal data protection is particularly acute. For example, the CLOUD Act, adopted in the United States in 2018, jeopardized the confidentiality of the information stored by American companies, regardless of their geolocation. This Act shows that the government of the country has become a regulator of digital data exchange, and this cannot fail to affect business.
Let’s talk about which laws on the protection of confidential data have come into force, and how companies are reacting to this.
The Struggle for Data at the State Level
GDPR in the EU
On 25 May 2018, the General Data Protection Regulation (GDPR) came into force.
GDPR provides EU citizens and residents with full control over their data. Even if a person’s data is located in another country, they can easily control it. In case of violation of the regulation, the EU may impose a fine of up to €20 million or recover 4% of total revenue for the preceding financial year.
The largest fines over the past three years have been received by the following companies:
1. Google — €50 million in 2019.
Users complained that the company had no legal right to process their data to show ads based on it. Later it turned out that people hadn’t given full agreement on the data processing.
2. Clothing retailer H&M — €35 million in 2020.
In 2020, H&M was fined for violating its employees’ privacy. Supervisors of the company collected information about vacations and medical diagnoses of employees on sick leave. Even data from workers’ conversations were recorded and stored. The collected information was stored on H&M servers, and at least 50 managers had access to it.
In October 2019, a server error made the information publicly available, which caught the attention of regulators.
3. Amazon — €746 million in 2021.
In 2021, Amazon received a huge fine for collecting and transmitting personal data using cookies. This was not the first company’s fine for violating GDPR data protection rules.
The CLOUD Act in the USA
The CLOUD Act came into force on March 23, 2018, and immediately caught public attention. The fact is that the CLOUD Act violates the balance in data protection. How? Let us tell you.
In 2020, The Court of Justice of the European Union (CJEU) recognized that US service providers did not adequately protect the personal data of people from other countries. The CLOUD Act allows law enforcement agencies of the United States to require access to information about US citizens or residents from US providers located outside the country. They need a warrant, a subpoena, or a court order to require it. However, there’s no guarantee that these requests will concern US citizens only, and providers will side with their customers in such a situation.
This Act particularly affected the General Data Protection Regulation (GDPR).
The European Data Protection Board (EDPB), an independent European body, concluded that service providers from the USA, also subject to the EU GDPR, cannot legally justify the disclosure and transfer of personal data to the United States based on a warrant or other court order. Personal data can be transferred outside the EU only based on a Mutual Legal Assistance Treaty (MLAT).
Therefore, the EU regulation and the CLOUD Act contradict each other in terms of the strict GDPR rule to have solid legal grounds for data transfer.
Data protection law in China
On August 20, 2021, the Personal Information Protection Law (PIPL) came into force in China.
Network resources are now required to provide users with automated processing options that ensure customer privacy.
On August 22, the People’s Bank of China (Central Bank) fined four financial institutions of the country 11.53 million yuan ($1.77 million) for the illegal collection of personal data. Four banks were found to be in violation: Postal Savings Bank of China, Huaxia Bank, Bank of Communications, and Industrial and Commercial Bank of China.
The Struggle for Data in the Digital Sphere
In 2020, Google restricted Third-Party Cookies in Chrome via the SiteName directive.
In early February 2020, Google released Chrome 80 that supports blocking third-party cookies (called SameSite cookies). This feature is fully available to all Chrome users until 2022.
A year later, on March 3, 2021, David Temkin announced that even after removing third-party cookies from Chrome Google would not build alternative identifiers to track people who browse the web. The company operates within Privacy Sandbox, which means it creates a product that both protects people’s privacy on the Internet and provides developers with the tools to create a thriving business in the digital environment.
Starting from March 24, 2020, Apple blocks the installation of Third-Party Cookies.
On March 24, 2020, Apple released an Intelligent Tracking Prevention (ITP) update for Safari 13.1. The browser now blocks all third-party cookies by default. This means that advertisers and analytics companies cannot use third-party cookies to track users’ online activity.
On the one hand, this is a big step towards user privacy. On the other hand, without analyzing user online activity, it will be difficult for companies to offer relevant products and services to customers.
Since April 26, 2021, Apple has been requesting tracking permission from customers using iOS 15.
On April 26, 2021, Apple introduced a new version of iOS (14.5) in which it banned iOS apps from direct access to IDFA (The Identifier for Advertisers). Apps are now required to request confirmation, and people will decide for themselves whether to use IDFA or not.
Thus, Apple has broken the current advertising traffic system. If an iOS user refuses to use the identifier, it leads to a decrease in the quality of mobile traffic attribution and an increase in the cost of customer acquisition.
Apple has offered the market an alternative — its privacy-safe traffic attribution system. It allows you to add information about installations to advertising networks, but it does not explicitly disclose information about the visitor. Therefore, the capabilities of the system are very limited and do not cover the basic needs of marketers.
The main problem of the system is that developers and advertising systems will not have data at the user level. The data will be only in aggregate form in the ads account.
The Global Trend: Privacy First
Big data is popular with organizations because it promises improved operations and new business opportunities.
More customer data means more sales.
Customer data gives us:
- new insights;
- improved products;
- understanding of the audience;
- trustworthy communication with customers;
- improved marketing strategies;
- more personalized offers;
- increased conversion and sales.
At the same time, big data is easier to leak, which in turn compromises people’s privacy and violates data protection laws.
Today, users are concerned about the safety of their personal information. They are increasingly asking companies questions about data privacy. Companies are responding by blocking access to customer data on their platforms.
With the Privacy First approach, the user’s privacy comes first. This means that companies are no longer collecting unnecessary personal data about their customers.
For example, when buying a jacket in an online store, you do not need to enter passport data or place of birth, but debit or credit card data is required. When you register for a webinar, you should not be required to enter your workplace, unless it is a webinar in your specialty and the organizers need to know the position of the visitors.
So, as you may have noticed, today the struggle for data has reached the national level: GDPR in the EU, the CLOUD Act in the United States, the Personal Information Protection Law in China, and ecosystems shutdown can completely monopolize the customer data market.
This suggests that in the current situation, there is one right solution: to build an independent system for collecting and managing customer data for direct and secure communication with customers in the digital environment. We’ll talk more about it in next week’s article.