What do Marketers Need to Know About Data Privacy?


Marketers love data. At first glance, it’s a panacea, making it possible to hyper-personalise campaigns and messages, customise content down to the individual customer, and accurately attribute marketing spend to outcomes.

We call this data-driven marketing and it can’t happen without, well, lots and lots of data.

But there’s a dark underbelly to the proliferation of data that marketers are increasingly being forced to face—data privacy. New laws, regulations, and initiatives focused on protecting consumer data and complying with local data legislation are changing how companies collect and use consumer data.

Consumer sentiment is part of the renewed scrutiny about data privacy and security. Consumers are increasingly concerned with how their data is being used, whether it’s secure, and how much of it they really want to part with. Views on data privacy differ depending on where consumers are located.

A recent study by Deloitte revealed that UK consumers are generally relaxed about data privacy, which translates to a willingness to share data with more companies.


US consumers aren’t as trusting. A survey from Consumer Reports’ Digital Lab revealed that Americans’ concerns about privacy and data security are increasing, with a whopping 96% of American consumers agreeing that companies should do more to protect consumer privacy.   

Regardless of how consumers feel about privacy, maintaining trust and data security is the responsibility of the marketer—and company—that’s collecting and using consumer data in the first place.

What is data privacy and why is it important? 

Data and information privacy focuses on the secure handling and use of data (e.g., data security). Data privacy addresses three main data security concerns.

  1. How companies collect and store data.
  2. Whether or not consumer data is shared with third parties.
  3. Regulatory privacy laws such as GDPR, CCPA, and others.

Data privacy and data security are inextricably linked, but they aren’t the same things. While data security protects data from being compromised, data privacy is focused on the collection of data and how it’s governed, shared, and used. 

This should matter to marketers not only because mishandling consumer data is increasingly illegal, but because betraying consumer privacy is bad for business. Collecting more data than needed also has a “creepiness” factor that can harm a brand’s reputation.

This is a fact that Sleep Number beds learned the hard way when consumers noticed a passage in their privacy policy saying their smart bed might record customers while sleeping.

This was, apparently, for the purpose of detecting snoring and other sleep conditions. The issue of beds collecting data while people slept was so creepy that it made national headlines, including a feature in Time Magazine about the data collected (and potentially shared) by smart beds, mattress pads, and sleep apps.


Data privacy focuses on obtaining proper consent, but also on clearly communicating what data will be collected and how that data is used.

Ensuring that the right procedures and processes are in place to collect, share, and use sensitive data is part of this process (and is mostly what data privacy regulation is all about.)

Before we get into some of the specific data privacy regulations, we want to acknowledge the importance of data in today’s modern marketing ecosystem.

Why data matters to marketers

Data improves, optimises, and informs every part of the marketing ecosystem. Data-driven marketing is a necessary consequence of an increasingly fragmented consumer journey that incorporates between 20 and 500 touchpoints.

In Invoca’s 2020 State of Data-Driven Marketing Report, 64% of marketing executives surveyed strongly agreed that data-driven marketing is crucial in the current marketing landscape. Key reasons that data matters to marketers are:

  1. Data improves customer experience: A data-driven approach to marketing enables companies to unify their messaging, content, and overall marketing approach across the many touch points, channels, and devices consumers use to research products and interact with brands. New tools, platforms, and technologies exist to streamline and personalise customer journeys—all of it powered by data.

  2. Data enables companies to advertise more effectively: Advertising is more effective when it’s personalised and targeted. The best way to ensure that your ads are targeting the right people (at the right time and in the right place) is by capturing customer data across all touch points and unifying it in a central location. Tools like CRMs, CDPs, and CXPs (customer experience platforms), exist for this purpose.

  3. Data is needed for measurement and optimisation: Different types of data are needed to optimise different customer touch points and interactions. CRM data collects customer interactions in one central location, while web analytics platforms collect and analyse website visitor behaviour, demographics, and other visitor attributes.

    Transactional data from customer purchases helps retailers understand past customer purchasing behaviour which can be used to make product recommendations and create content that better resonates with shoppers. All of this data is used collectively to optimise, improve, and streamline websites, customer journeys, and improve customer service approaches.

  4. AI, machine learning, and automation require data: AI and machine learning drive automation and—you guessed it—data is needed for these technologies to work. Many marketing automation tools and platforms rely on AI and machine learning to automate various aspects of the marketing ecosystem—from building audiences to personalising content to communicating with prospects and customers. Scaling personalisation requires automation and automation requires AI and machine learning. 

When companies don’t embrace a data-driven marketing strategy, the risks are high. A 2019 report by Havas Group predicted that 81% of European companies risk going out of business if they don’t create relevant content and offer personalised discounts. 

Obviously, there are less dire consequences of not using data. For example, you risk annoying your customers and falling behind your more data-savvy competitors.

Combining marketing with data is a given. That’s why staying on top of data privacy regulations and requirements is just as important as (if not more important than) leveraging customer data in the first place.

Data regulations

Data regulations vary depending on country and region, but there are some data privacy provisions that are stricter—and more ubiquitous—than others.

While it’s everyone’s job to stay apprised of data privacy requirements, your marketing approach is directly impacted by many of the newest laws. Here are three data laws with details on regulations marketers should consider.

GDPR: The EU’s passage of the General Data Protection Regulation (GDPR) in 2018 was a game changer. GDPR had far reaching implications for anyone in Europe and those doing business in Europe. If you want to read the full GDPR regulations, here they are, but keep in mind they’re exhaustive. You may want to hydrate and pack a lunch. 

Here’s a summary of some of the things that the GDPR addresses. Keep in mind there are many more provisions – this is just a taste of what marketers must consider when ensuring privacy compliance. 

  • The GDPR applies to anyone who has data on EU citizens, even if you're outside of the EU.
  • The GDPR applies to any file or database with personally identifiable information across all departments (marketing, research, customer service, etc.)
  • Personal data must be kept current, accurate, and secure. 
  • Companies must be transparent about how personal data is used.
  • Personal data collection should be kept to a minimum (e.g., only collect what’s needed to get the job done).
  • Companies must get consent before collecting personal data.
  • Companies must not do anything with the data they collect other than what they tell people they plan to do with it.
  • You must have a way to prove that consent for data collection was.
  • Anyone under 16 years old cannot legally give consent. In this case, consent is needed from a parent or guardian.
  • Companies cannot collect sensitive data (e.g., race, political party, religion, union status, health information, criminal offenses/convictions, etc.)


CCPA: The California Privacy Rights Act (CCPA) was passed in 2018. Like GDPR, the CCPA was created to give consumers (in this case, Californians) more control of their personal information.

The law applies to any for-profit business that operates or does business in California with some additional stipulations (e.g., business size, data collection practices, etc.) Privacy rights included in the law include:

  • The right for consumers to know what information a business collects about them and also how this information is used.
  • The right to delete personal information that’s already been collected.
  • The right for consumers to opt out of the sale of their personal information.
  • The right to non-discrimination for exercising CCPA rights.

Under the CCPA, businesses must clearly explain their privacy practices to California residents and honour opt-out requests from consumers who don’t want their personal information sold. Businesses must also notify consumers that they’re collecting information at or before the time of collection.

COPPA: Another US law, the Children’s Online Privacy Protection Act (COPPA) was passed way back in the dinosaur days of 2000.

The law regulates the collection of personal information from minors. It was updated a few years ago to broaden the type of personal information protected to include things like screen names, email addresses, and video chat names. It also extends privacy restrictions to photos, audio files, and street-level geo coordinates. 

From the US Federal Trade Commission’s website:

“COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.”

There are other privacy laws in the US, though they tend to be less centralised than Europe’s overarching GDPR. Some of them include regulations for specific verticals like the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA) which protects financial non personal information.

While all of these privacy laws differ by region, they share some commonalities that can help marketers address data privacy in a comprehensive, proactive way.

For example, both GDPR and CCPA give consumers the right to access, delete, and opt-out of providing their data. The following table compares some of the differences between the two laws.


The balance between privacy and experience

Now that you’re thoroughly freaked out about the many laws that exist, take a deep breath. Users want privacy, but they also want personalised, relevant experiences. They’re willing to give up their data if it’s used to improve their experience. 

A survey by PwC found that consumers were willing to pay up to a 16% price premium on products or services when they’ve had a good experience with a brand.

They’re also more loyal to that brand. Good experience means different things to different people, but generally includes convenience, consistency, speed, and friendliness. 

Delivering good experiences requires collecting and leveraging customer data (and, increasingly, first-party data). Which brings us to a future without cookies.

The demise of the third-party cookie

We’d be remiss if we didn’t address the impending death of the third-party cookie. Third-party cookies are small pieces of data that contain information about a website visitor.

Cookies are placed on the user’s computer when they visit a website and recalled by ad serving (and other) software to deliver targeted advertising to visitors after they leave the website where the cookie was generated.

They’re called “third-party” cookies because they’re created by a domain different from the one the user is on. Once placed on a user’s computer, the third-party cookie lives in the user’s browser and is accessible by any website loading the third-party server’s code. 
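The distinction described above can be checked mechanically when auditing a site. The following is an added example, not part of the original article: it classifies observed `Set-Cookie` headers as first- or third-party relative to the page being visited. The hosts, cookie values and function names are constructed for illustration, and `siteOf` approximates the site as the last two host labels (a real audit should use the Public Suffix List).

```javascript
// Constructed sample: Set-Cookie headers seen while loading one page (not real traffic).
const observed = [
  { pageHost: "www.shop.example", requestHost: "www.shop.example",
    setCookie: "session=abc; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { pageHost: "www.shop.example", requestHost: "cdn.shop.example",
    setCookie: "prefs=dark; Domain=shop.example; Path=/" },
  { pageHost: "www.shop.example", requestHost: "ads.tracker.example",
    setCookie: "uid=42; Domain=tracker.example; Path=/; Secure; SameSite=None; Max-Age=31536000" },
];

// Assumption: the "site" is the last two host labels. Use the Public Suffix List in real audits.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into a cookie name and a map of attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Label each cookie by who set it and whether it is marked for cross-site use.
function auditCookies(observations) {
  return observations.map(({ pageHost, requestHost, setCookie }) => {
    const { name, attrs } = parseSetCookie(setCookie);
    const sameSite = String(attrs.samesite || "").toLowerCase();
    const maxAge = Number(attrs["max-age"]);
    return {
      name,
      setBy: siteOf(requestHost),
      // Third-party: set by a different site from the page the user is on.
      party: siteOf(requestHost) === siteOf(pageHost) ? "first" : "third",
      // SameSite=None with Secure marks a cookie as intended for cross-site requests.
      crossSiteCapable: sameSite === "none" && attrs.secure === true,
      // 0 means a session cookie (no Max-Age attribute present).
      lifetimeDays: Number.isFinite(maxAge) ? Math.round(maxAge / 86400) : 0,
    };
  });
}

const report = auditCookies(observed);
console.log(report.filter((c) => c.party === "third"));
```

Cookies reported as third-party, cross-site capable and long-lived are the ones to review against the consent and disclosure obligations discussed earlier.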

Third-party cookies are used extensively by digital ad platforms to target ads and track consumers as they navigate the web. The problem with third-party cookies is that they make it difficult for users to control their personally identifiable information, which means companies can’t reliably remain in compliance with privacy laws.

The inherent conflict third-party cookies have with privacy laws like GDPR and CCPA essentially spells their doom. Apple Safari and Mozilla Firefox browsers already block third-party cookies by default. Google was supposed to follow suit this year (they announced plans to block the use of third-party cookies in March 2021). Alas, the cookie isn’t dead (yet).

On June 25, 2021, Google announced they were delaying their plans to block the use of third-party cookies to late 2023. Money is a big motivator.

Almost 90% of Google’s revenue is earned from advertising, much of it targeted via the use of third-party cookies.

The demise of third-party cookies is particularly relevant for marketers who have relied on this method of tracking to create targeted ad campaigns for nearly two decades. Without third-party cookies, marketers can’t create audience targeting or frequency capping.

This will undoubtedly reduce campaign efficiency and effectiveness. But never fear! First-party data promises to replace the reliance on third-party cookies and allow advertisers to customise and target their ads.

Using first-party data for marketing

First-party (1P) data is any data about a company’s customers that’s collected and controlled by the company. This might include purchase history, past interactions, loyalty program information, user preferences and profiles, and behavioural data. 

Marketers can begin to build robust customer profiles by encouraging users to register on their website, then implementing progressive profiling (collecting more information about a user over time).

Companies can further build customer profiles by using event-based tracking, such as tracking user calls and connecting call data to an existing user profile.

How tech can help marketers manage data privacy

The process of building customer profiles and making them available for marketing initiatives is a complex one. Luckily, there are many new tech tools on the market that can help you leverage 1P data for use in the digital ecosystem. Here are a few examples.

  • Customer data platforms help companies create a persistent, unified customer database by pulling data from various sources then cleaning it and combining it into one single “source of truth.” The profiles created can then be used by other systems (e.g., for the segmentation and targeting of ad campaigns).

  • Customer experience platforms track every interaction a customer has with your business so that you can design and implement better customer interaction goals. The magic of a CXP is that it connects actual customer interactions with automated rules to deliver relevant, personalised experiences across all touch points.

  • First-party identity graph software connects customer identities across all touch points, devices, and channels. It also maintains and updates customers’ identities over time.

  • Second-party data enrichment with private data exchanges and data provider marketplaces enables companies to enrich first-party customer data and create more targeted campaigns without relying on third-party data. Second-party data marketplaces are made up of companies who want to monetise their proprietary datasets and generally contain high-quality data.

Data privacy and marketing are connected

There’s no getting around it. Data privacy now falls well within the purview of the marketing department. Marketers need data to create personalised, targeted campaigns and orchestrate seamless omnichannel experiences for their customers. 

But consumers are pushing for more transparency with how companies use their data and governments are implementing new laws and regulations around data collection, usage, and sharing.

Complying with laws and maintaining consumer trust falls squarely at the feet of companies who now, more than ever before, are collecting data via a dizzying array of touch points, devices, interactions, and channels.

Companies who prioritise data policies that emphasise transparency, good communication, and governance will be poised to address key developments that impact data privacy, such as the phasing out of third-party cookies.

The future of marketing will inevitably include data. This means that marketers must balance data privacy with the need to deliver exceptional customer experience. The first step to achieving this balance is to create consumer-first data privacy policies and approaches that comply with privacy laws and put consumers at ease about the safety of their data and how it’s being used. 
