New Data Privacy Legislation: A Quick Guide for Business Owners

You’ve probably heard rumblings about new legislation to protect data privacy, and as a consumer, you may be glad to hear it – but do you know how it will affect your business? If you’re doing anything as simple as using targeted digital advertising, you could be subject to the new regulations. There is a lot that goes into the collection and storage of data, but for now, we’ll just scratch the surface of this topic to outline what’s happened, recent changes in regulation and what to do next.

“Fasten your seat belts. It’s going to be a bumpy [ride].” – Bette Davis

Why is privacy an issue?

Personal information becomes less and less private with the continual advancement of technology and its integration in everyone’s lives. With interconnectivity across devices and platforms, clear data transfer rarely occurs, and users are left wondering what information is public. Even if the expectation is that no data is “private,” what are companies using that data for?

There are protections against unlawful search and seizure of a person’s property, so what about their name and identifiable information? That’s where data protection laws come into play.

Several malpractices regarding users’ digital data have pushed lawmakers to action. For example, Facebook was accused of allowing advertisers to exclude certain demographics from employment and housing ads. The American Civil Liberties Union brought the case forward, and it resulted in an overhaul of Facebook’s advertising policies. Other high profile companies, such as Uber, Morgan Stanley and AT&T, have been the culprits of data misuse. And the more these cases pop up, the tougher it is for advertisers to promote a valuable service or product to a unique audience.

Data breaches have also become a worry to many users. From the misuse of individuals’ information to create new Wells Fargo accounts to one of the most notable instances of data breaches from September 2018 – Facebook and Cambridge Analytica – users have every right to worry about global access to their data.

These cases have brought data privacy to the forefront of legislative discussions, and lawmakers are piecing together regulations before having a complete understanding of the ramifications of these regulations – leaving advertisers and individuals with more questions than answers.

Changes in regulation

Data has typically flowed freely between users and vendors without knowledge or consent. But with the introduction of General Data Protection Regulation (GDPR) in 2018, and the recent California Consumer Protection Act (CCPA), individuals have been given more control over the data they provide.


In April 2016, the European Union introduced General Data Protection Regulation to replace its outdated Data Protection Directive from 1995. The compliance requirement was implemented on May 25, 2018 – a day of regulatory infamy in the digital marketing world.

GDPR is a consent-driven regulation that requires sites operating in the EU to receive consent from web users before tracking that user’s cookies (messages with important information such as IP address and browser data passed between the user and the website). This regulation also introduced the concept of “the right to be forgotten” which allows users to tell advertisers and websites to delete their data.


The most impending regulation is the California Consumer Protection Act, signed on June 28, 2018 – just 34 days after the implementation of General Data Protection Regulation. Before having the opportunity to observe and learn from protection laws across the world, California lawmakers developed regulatory action to protect the residents in (and from) California. This act applies to any business that:

  • Collects consumers’ personal data or has someone else collect it
  • Determines the purposes and means of processing personal information
  • Does business in California, and:
    • Brings in an annual gross revenue of $25,000,000
    • Buys, sells, receives or shares, for commercial purposes, the personal information of 50,000 or more consumers, households or devices per year, or
    • Derives 50% or more of its annual revenues from selling consumers’ personal information

Once the regulations were drafted on Oct. 10, 2019, there was an open forum in which individuals and business entities could submit comments until Dec. 6, 2019. The act officially went into effect on Jan. 1, 2020, which has posed an interesting dilemma to website hosts. Private right of action (which allows individuals to file lawsuits in case of data breaches) will be effective immediately, while there will be a six-month grace period during which the California attorney general will review and revise the act.

So, what does this act even do? As opposed to GDPR, where a user must opt in before the website can track and collect that user’s data, CCPA allows users to opt out of specific personal information being gathered. Other provisions include a requirement for businesses to provide a clear and conspicuous link on the homepage titled “Do Not Sell My Personal Information.” This link must outline the business’ data privacy policy and has potential implications for businesses who do not follow these regulations. New consumer rights include:

  • Disclosures of specific data being collected
  • Deletion of data
  • Do Not Sell My Information
    • Opt-in for kids under 16
    • Parental opt-in for kids under 13
  • Nondiscrimination
  • Private Right of Action (for data breaches)

Personal information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This excludes any information made “publicly available” and aggregated data that is “deidentified” in nature – for instance, web traffic analytics that can’t identify a specific customer. Additional provisions include AB-1355 and AB-25, which protect against the harvesting and use of business contacts (i.e., vendors or associates) and employees, respectively. Failure to adhere to these regulations can result in a fine up to $2,500 for the first violation and a fine up to $7,500 for each violation following.

"If you think compliance is expensive – try noncompliance." – Former U.S. Deputy Attorney General Paul McNulty

Due to the severity of the punishments for noncompliance, the Digital Advertising Alliance has established self-regulatory privacy protections to monitor advertisers and hold those in the industry accountable. These protections are in place to notify businesses of noncompliance prior to sanctions from the Federal Trade Commission. The noncompliant business will receive a letter, like this one, outlining the violations and actions to take to avoid a formal violation notice.

How could this affect you and your customers?

Assuming these new regulations apply to your business, it could mean extra hours from your web developers to add the necessary opt-outs to your website. If enough people opt out, it could also reduce the information about your customer base – causing advertising to become less targeted, which means going forward, it could cost more to achieve the same number of conversions.

On top of that, the changes could make the web experience less streamlined for your customers. They’ve already been exposed to the “Accept Cookies” boxes popping up on websites they visit; now they may start to see opt-outs and more prominent privacy policy links.

This will ultimately result in a poor user experience with regard to digital ads. Not only will advertisers feel the effects of less accurate targeting, but consumers will also be served ads that won’t be as tailored to their specific needs.

What’s next?

Take a deep breath. There’s a ton of speculation, but none of us know exactly what to expect moving forward. The CCPA is the first of its kind, and it won’t be the last. With varying legislative partisanship, there’s a concern that other states will fall in line before federal lawmakers have the chance to establish overarching regulations. This could cause mayhem in the digital marketing space; however, the hope is that this will spur conversation at the federal level during this test run. One federal law would not only offer more structured regulations for advertisers and businesses, but also set a standard for data protection across industries to alleviate consumer anxiety.

Thankfully, there have been advances in other privacy acts such as The Online Privacy Act of 2019 which “creates user rights, places obligations on companies to protect users' data, establishes a new federal agency to enforce privacy protections, and strengthens enforcement of privacy law violations.” This House bill would provide consumers some clarity around their personal data and allow advertisers to begin modeling their online business practices based on universally accepted standards.

With the ever-growing industry of big data and market research, we have a finite amount of time to get a grasp on how to protect user information while also advancing technology and automation. Consumers will have to ultimately decide what’s more important to them – privacy or convenience. What do you care more about?
