Navigating Digital Advertising With Limited Consumer Data: Lessons From the GDPR and California Consumer Protection Act

Lisa SwinsonBlog

For years, consumers have shared their personal data with digital marketers as they browse the internet and enjoy social media sites. It’s what has made digital advertising a no-brainer and now 47% of all national brand ad dollars.

Every time you hit “accept” on terms and conditions you never read, every time you connect a new app to your Facebook account, and every time you submit your email address to get results on a trending quiz, you are giving away valuable information allowing advertisers to target you in the most personalized way (for you) and most profitable way (for them). Until recently, we Americans have continued to trade convenience and ease for our personal data, even though 59% admit they don’t fully understand how that information is ultimately used by companies.

But the pendulum is now swinging the other way. The rest of the world watched as Europe implemented the General Data Protection Regulation (GDPR). Some of us who work in digital advertising and marketing felt grateful that we didn’t have to navigate those complexities here in the United States. Recently, however, American marketers have experienced our own version of the GDPR with the unrolling of the California Consumer Protection Act (CCPA), the largest privacy act for the most populous state in our country. And now, California has passed the California Privacy Rights Act (CPRA), which will implement even more robust restrictions starting in 2023.

While this affects California, the impact is significant, and we don’t think it’s stopping in the Golden State. We anticipate that marketers across the United States will be faced with navigating these privacy policies once consumers become more aware of how their data is collected and used. Anticipating this, some companies like Apple are proactively offering consumers the ability to limit how much data they share.

To stay a step ahead of this trend, marketers should adjust strategies now to prepare for the changing privacy landscape. Here are some steps to take.

  1. Give clear choice: Implement a clear opt-in and opt-out experience. You’ve probably seen many of these banners on websites you visit every day, offering options to decline cookies and promises to not sell your data. We recommend including these banners if you aren’t already. You also need to make it possible for users to request and access their data. Some customer relationship management tools (CRMs), like HubSpot, make this easy to implement, so look at your options and keep an eye out for updates and new features as CPRA evolves and is enforced.
  2. Update your campaign settings: Make sure you stay up to date on how platforms are adapting and what changes you need to make to be compliant within them. Determine whether you need to implement Limited Data Use (LDU) within your Facebook pixels and implement restricted data processing within your remarketing Google campaigns. If you’re not going to rely on the advertising platforms themselves to make you CCPA-compliant, you can actually remove the LDU restrictions to collect data on California users again. However, you will also assume liability for keeping up with user requests to remove or review their data. 
  3. Be transparent: Be straightforward about why you’re collecting consumer data. If you have an email sign-up on your website, make sure you clearly say what types of communications the user should expect. If you’re going to retarget email subscribers with ads, make sure they know that.
  4. Don’t forget the basics: Make sure your privacy policy and terms of use are up to date and easy to find. Make it easy for users to understand how you’re using the data you collect on them. And make sure you’re specifically addressing Californians if they are part of your target audience.
  5. Adjust national targeting: At the communications agency where I work, we’ve segmented California out of all national advertising campaigns, managing it separately for better analysis and to preserve our performance at the national level. For an example of the CCPA’s impact, if 50% of a company’s customers live in California, the LDU feature has made it so that the brand is unable to see details on half of its audience.
  6. Reevaluate audience targeting: Now that we’ve pulled California out of national campaigns, we treat California targeting differently too. Fewer people in that state are allowing data about their interests and behaviors to be used, so we’re finding that simpler is better (so far) when it comes to setting audience parameters. In some cases, we’ve also adjusted our campaign optimizations. With less data sharing between our clients’ websites and ad platforms, we don’t see the same results with conversion optimizations (i.e., optimizing for more people who look like the people who have already bought our product, signed up for our service, registered for our program, etc.). So if we’re relying on the platforms to make us compliant, we may also have to change how we are optimizing our campaigns.

Ultimately, this puts a renewed emphasis on the importance of having a multifaceted, integrated marketing campaign that doesn’t become completely reliant on one channel or tactic. Laws and regulations about data protection and privacy are only going to become more robust and far-reaching. This is a trend marketers must be closely monitoring in order to continue reaching desired audiences through digital advertising.