Legal actions in the U.S. and abroad are shaping the way we rely on data collection for ad targeting. These rulings, and how tech giants are responding, have real-life implications for business owners all over the world.
In 2022, Sephora came to a $1.2 million settlement with the California attorney general over allegedly violating the California Consumer Privacy Act (CCPA) by denying customers the right to opt out of allowing their data to be collected and sold, according to an article published by the American Bar Association.
According to the CCPA, any natural person (not a corporation or business entity) who resides in the state of California is protected, even if they leave temporarily. Essentially, the foundation of the law is that you can only collect and sell a Californian’s consumer data if you disclose what you’re doing in plain language, and allow them to opt out.
California residents also have the right to delete or correct information collected about them, and to request that the use of sensitive personal information (financial account information, precise geolocation data, genetic data, etc.) be limited to specific purposes, such as providing services they requested.
In 2022, tech giants Meta and Google were both fined by South Korea’s Personal Information Protection Commission (PIPC) over data privacy violations. According to Reuters, Google was fined $50 million and Meta was fined $22 million for not obtaining lawful consent from users to track their activity for ad purposes.
Rather than pay the fines, both companies have counter-sued, arguing that since they only receive and aggregate the data, individual website operators are the ones who should be responsible for getting consent from end-users to collect their data, according to Security Now.
In 2020, the Court of Justice of the European Union (CJEU) ruled that a transfer of data to U.S. providers violates the EU’s rules on international data transfers, which are spelled out in its General Data Protection Regulation (GDPR), according to Security Now. This ruling annulled the Privacy Shield framework that U.S. operators relied on for their use of European user data.
In his recent article, data privacy expert Petar Todorovski explains that even if your business is based in the United States, if your business can collect the personal data of at least one European person, the GDPR applies to you.
The EU’s regulations, according to Todorovski, prioritize individual privacy rights, whereas the United States focuses on homeland security and exclusive access to its citizens’ data. The U.S., Todorovski says, “does not prevent any business from transferring data worldwide. If an incident occurs, the business will be held responsible.”
As the digital ecosystem continues to evolve, so should our best practices. With more responsibility shifting to website operators, there are a few simple ways you can give customers a say in their data use to stay ahead of global privacy rights trends and legislation.
Hire a lawyer to write a GDPR- and CCPA-compliant privacy policy, familiarize yourself with it, and make sure your practices line up. Your customers should be able to see how their data is being used, and they shouldn’t have to dig for that information. Put a privacy policy link in a prominent place on your site and review it periodically.
Don’t make automatic data tracking the default on your site. A prominent cookie banner with an ‘accept’ or ‘opt in’ button shows that you’re doing your due diligence to avoid collecting data unlawfully from users in countries with more rigid restrictions.
Make it simple for customers to opt out, or to delete or request their information, by automating where you can. These processes can be complex, but we can help simplify them with customized solutions.