The data privacy law landscape evolves constantly, which leaves us with two big questions: What does this mean for advertisers? And more importantly, how does it impact consumers?
The California Privacy Rights Act (CPRA), the amendment and expansion of the California Consumer Privacy Act (CCPA), and the Virginia Consumer Data Protection Act (VCDPA) officially went into effect on January 1, 2023. These pertain to many businesses that process personal information about consumers residing in those states. Colorado and Connecticut have since had their own privacy laws go into effect, with Utah following suit on December 31, 2023.
More recently, privacy legislation was passed in Iowa, Tennessee, Indiana, Montana, Texas, and Oregon, though those laws won’t go into effect this year. Delaware has also passed privacy legislation that has yet to be signed. Collectively, these 12 states include the two largest and are home to more than 114 million people.
Representing 34% of the total U.S. population, the impact may still seem limited. However, as of August, privacy law is currently under consideration in four more states with a combined population of nearly 40 million or an additional 12% of the U.S. population. California and Virginia were just the beginning.
Reviewing the Historical Data Privacy Law Landscape
Privacy laws typically focus on regulating the collection, storage, and processing (usage) of people’s data, ranging from personal data such as name and device identifiers to more sensitive data like health or racial information. Although laws protecting the most sensitive data have existed for some time, the General Data Protection Regulation (GDPR) — the world’s most sweeping, comprehensive privacy legislation — set the precedent for granting people control over their most basic data, including data companies collect online. Most notably, the GDPR provides consumers with the right to access, delete, and edit their consumer data in a company’s possession.
While the GDPR led the wave of new and updated privacy laws across the globe, the GDPR and current U.S. privacy laws have some distinct differences. For example, the GDPR heavily emphasizes the requirement of capturing consent before using consumer data. U.S. privacy laws tend to focus more on easy, accessible opt-out rather than just consent. In other words, U.S. standards focus on giving consumers the ability to stop unwanted use of their data rather than putting all of the information in front of the consumer — an approach that has led to a phenomenon dubbed by some as “consent spam” in the European Union. However, Virginia, Colorado, and Connecticut have bucked this trend with respect to the use of sensitive data, which now needs an opt-in from consumers.
Both the CCPA/CPRA and VCDPA give consumers the right to know what personal information a business collects about them, the option to have that information deleted, and the ability to opt out of having that information sold. California’s privacy law also applies to data sharing, while Virginia’s gives consumers the ability to opt out of profiling and targeted ads.
Privacy Law From One State to the Next
Each state’s privacy law is designed to improve transparency around how consumer data is used by companies and allow consumers to make informed decisions about how their data is used and shared by and between companies. Consumer rights to access, delete, and opt out of certain uses of their personal data is now a foundation of privacy rights. Further, principles like “data minimization” and “purpose minimization,” borrowed from the GDPR, ensure that companies are mindfully using data and collecting it for a specific purpose.
The five states enacting privacy laws in 2023 have similar legislation. There are a few differences, however. One commonality is that “personal data” is defined similarly, generally as information that is linked, or reasonably linkable, to an identifiable person, though California also includes households. The five states also define “sensitive data” similarly, including health information, genetic data, and biometric data used to identify a person.
No definition includes data that is de-identified or publicly available, such as that in government records. Most states explicitly exempt aggregated data as well.
For the five states with privacy legislation going into effect this year, here is how some key requirements around processing vary:
What DeepIntent Has Already Implemented
Because the pharmaceutical industry is so heavily regulated, DeepIntent’s privacy compliance standards have been modeled closely after GDPR requirements. These provide a strong foundation for compliance with existing privacy laws as well.
Staying ahead of the curve, we’re able to give advertisers and publishers confidence in DeepIntent and our platform. Here’s what we’ve already implemented so far:
- Transparency. We maintain a comprehensive policy and contractually require publishers and other downstream partners to do the same. We also include an AdChoices Icon, which takes users to our opt-out page, above each creative to notify users that our creatives are serving personalized advertising.
- Access and deletion. We share or delete personal information belonging to users with such users who submit access or deletion requests.
- Opt-out. Our opt-out page enables consumers to stop seeing personalized advertising from DeepIntent’s network. However, we may still serve contextual ads, which target based on page content rather than by user.
- Consent framework. We participate in the Interactive Advertising Bureau’s (IAB) U.S. privacy consent strings, including the CCPA Compliance Framework and other state-specific privacy strings. As part of these consent strings, we can communicate and receive consent-related signals from publishers, partners, and advertisers that are also part of the framework.
- Internal assessments. Our compliance team has evaluated major data processing activities within the DeepIntent platform to determine the best compliance practices to preserve user privacy. The team also regularly conducts internal assessments, and reviews of data flows and categorizations to measure privacy risks and determine whether we can improve upon methods of compliance.
- Security incident policy. We have documented protocols for handling data breaches and reassess our standards regularly. This ensures we’re covering practices proportionate to the standards available for each type of breach that might occur.
How Advertisers Can Leverage Data Privacy Law to Benefit Their Business
Although California and Virginia’s privacy laws are active, three more state laws will take effect in 2023. Thus, advertisers should dedicate time and resources to continuing to evaluate their privacy compliance framework. Particularly for those working for healthcare and life sciences companies, dealing with sensitive health data means it’s important to keep track of each state’s unique approach to sensitive data.
That may also mean continued updates to privacy policies, revisiting contracts, and ensuring databases are optimized for traceability, accessibility, and modification of data based on updated definitions and treatment of different types of data. For example, if a user submits a deletion request, does your business have the ability to trace the partners with whom you may have shared such data? Can you easily find all data tied to a user to delete the data without costing a fortune in engineering resources? Of that data, do you know which data is considered “sensitive” under new privacy laws? Will this data be treated differently for users in different states?
While every privacy law is ultimately intended to benefit consumers, companies can also leverage these compliance frameworks to improve business efficiency and stand out. Actively assessing and improving the way your business stores and uses data can reduce duplicate datasets, make datasets more accessible, and allow your teams to consider better ways to store, share, or use data.
The process of assessing and organizing data translates to educating your team on where data sits and how it is used within your business. This can result in lower data storage costs, innovation in data use, and improved efficiency for teams that regularly need to engage with data and user requests.
How Prioritizing Privacy Helps Improve Reach
At DeepIntent, we’ve also found that balancing privacy considerations with determining the best ways to use and process data can result in improved outcomes for our clients (and consumers). Take our patented Patient Modeled Audiences process, which uses data science to allow us to determine the most relevant demographics to create campaign-specific audiences. These custom-built audiences allow clients to target those with a higher likelihood of relevance when compared with targeting patients across the U.S. population while preserving user privacy.
The machine learning algorithms that support the Patient Modeling Audiences process rely on differential privacy. Founded on cybersecurity principles of preserving privacy, this technology not only preserves but improves privacy, while still enhancing the algorithms’ ability to recognize the correlations that determine demographic relevance for campaigns. This means healthcare advertisers can benefit from DeepIntent’s strong privacy practices while also improving their reach.
When advertisers improve their reach, individuals can also experience better health outcomes. Last year, we found that personalized advertising has the potential to have a huge impact on their health and wellness. More than half of the patients we surveyed said pharmaceutical ads are more memorable when they’re relevant to their medical needs and conditions. Conducting an earlier survey, we also found that patients are more likely to take treatment recommendations for something they recognize from advertising.
Searching for relevant health information can be like finding a needle in a haystack. The good news is that DeepIntent can be your partner in helping to deliver positive, potentially life-changing, messaging to individuals who may really need it, all while keeping their privacy front of mind.
To learn more about how DeepIntent prioritizes privacy law, click here.