Consumer Data Privacy: The Wave About to Hit Retail

The consumer data privacy topic may feel like a slow rolling, deep water wave, far offshore without imminent threat, but in reality, there are many waves rapidly gaining in size and speed, and they’re hitting all at once. The first ripples started several years ago in the European Union with an abstract-sounding acronym “GDPR” and have steadily grown here in the U.S. with a word-salad of terminology: “CCPA,” “CPRA,” “ITP” and now “IDFA.” Confused? That’s understandable. However, ignoring them will have severely negative consequences, so let’s break them down one by one.

It’s important to know that much of the momentum around data privacy started in Europe a few years ago, with the first significant consumer data privacy regulation enacted to create guidelines for the collection and use of personal information. In this case, for citizens residing in the EU. The regulation, named General Data Protection Regulation (GDPR), gave new rights to individuals to keep their data private. Going live in May 2018, GDPR quickly caught large players such as Oracle and others in its crosshairs and rapidly forced businesses to alter their own consumer data practices.

Why is GDPR important in the U.S.? The GDPR was used as the framework for the first significant consumer data privacy regulation in the U.S., created by the state of California. California’s Consumer Privacy Act (CCPA), established for the first time rights of consumers to request that they not be tracked, the right to be “forgotten,” and new regulations on the sale of consumer data. CCPA was approved in 2018 and went live on Jan. 1, 2020. If your business runs a digital property, has at least $25 million in revenue in California, or gathers data on more than 50,000 users in California, you're probably aware that you're subject to CCPA regulations, and you probably made changes to your public-facing digital properties to include a “Do Not Sell My Personal Information” opt-out. But there hasn’t been as much news on the CCPA enforcement front, and this shouldn’t be interpreted as a regulation brands can safely ignore. Because the state of California didn't include funding for enforcement, CCPA actions have been slow. This funding shortfall has now been addressed in the new version of CCPA, the California Privacy Rights Act (CPRA) or Proposition 24.

CPRA was approved by voters in November 2020, and significantly expands the definition of CCPA, closes key loopholes and, importantly for brands, dramatically increased funding for enforcement. Among many new provisions, the CPRA gives consumers the right to demand their data be corrected if it's inaccurate, as well as more privacy rights covering sensitive religious, race, sexual orientation and geolocation data. The CPRA also takes aim at the “do not sell” loophole in CCPA, where many companies that trade data without a direct financial transaction have skirted the law.

Why should you and your brand care about these regulations? For starters, most brands collect, share and transmit consumer identity data for a wide variety of purposes, such as marketing measurement, personalization, targeting, profiling and other analytic pursuits. These same brands now have new, direct regulatory and financial risks as a result of the CCPA and CPRA. Think about these chilling considerations:

• Most retail brands use dozens (or even hundreds) of vendors and service providers, all of whom have a slice or aspect of the retailer’s consumer profiles. What happens when a consumer “opts out”?
• Retailers also frequently share their customer databases with third parties to enhance the data profiles of each consumer record. What happens to the breadth of this data over time as regulations expand?
• Retail marketers use personally identifiable information (PII) to track consumers across devices, conduct ad retargeting, and personalize digital experiences. This profiling and targeting degrades over time with more data gaps. What happens if a brand mistakenly profiles consumers who have opted out?
• Most retail marketers use the same PII to measure the effectiveness of their advertising. The one aspect of this that most brands aren’t thinking about: their marketing measurement is becoming less accurate with each consumer opt-out, putting new holes, gaps and disconnects in the retailer’s measures. And it's going to get worse over time as other states in the U.S. adopt their own versions of CCPA and CPRA.

Complicating matters even more, the technology market is getting serious about consumer data privacy as well. Apple singlehandedly is disrupting the market with a spate of privacy restrictions. Apple started this process a few years ago with the rollout of Intelligent Tracking Prevention (ITP). ITP first killed third-party cookies, expanded to first-party cookies, and even grew in sophistication over time as marketing technology vendors created work-arounds to circumvent ITP.  Apple has released several versions of ITP and has shown it is deadly serious about stopping tracking on its devices. And now Apple is taking that level of seriousness to new heights by changing an arcane part of the Apple operating system: the IDFA.

IDFA, or “Identifier for Advertisers,” is a mechanism to uniquely identify an Apple device and allow advertisers and publishers to use the ID for tracking and measurement purposes. A publisher can serve an ad to a consumer on their iPhone, and when that consumer buys something, installs an app from the app store or other activity, the advertiser can connect the purchase outcome to the original advertisement using the IDFA.

While Apple isn’t killing the IDFA, it has announced that it will require that its users expressly opt into tracking using IDFA for any app that uses it for tracking. If market research is even close to being correct, the vast majority of consumers will NOT opt in to such tracking. This is why Facebook has picked a major fight with Apple. Facebook stands to lose billions in ad revenues as a result of Apple’s planned IDFA change. Brands also need to take notice: mobile advertising targeting and measurement will become much more difficult and far less accurate as a result — especially if the brand is using tracking mechanisms for performance measurement. With Apple maintaining a large share of the mobile market in the U.S., the changes in IDFA will create a massive hole in the advertising ecosystem.

So what does all of this say about our future as retail marketers? It's clear that the consumer data privacy wave is getting larger, not smaller. Risks for brands are increasing as these forces gain ground in state legislative pipelines. And tracking-based measurement approaches used by marketers will falter as a result of gaps created. Brands need to be proactive right now to prepare for a future of data privacy and all of its implications, impacts and consequences. Waiting is not a strategy for success — the wave is already hitting shore.

Matt Voda is the CEO of Optimine Software, an industry leader in cloud-based cross-channel marketing analytics and optimization.