Well-Considered Data Strategies Will Win In An Era Of Enhanced Privacy Experiences

The technology industry is getting overwhelmed with a litany of new privacy regulations and proposals. Companies need to make every effort to help consumers understand the value of their data.

Jodi Masters-Gonzales


Ashton Krebs


Over the last six months, advertising executives and C-suite leaders have had to weather a litany of new privacy regulations and proposals by government officials as well as myriad privacy-protecting enhancements by Big Tech platforms themselves. In some cases, these proposals are upending entire industries — especially marketing and advertising. As we move forward, companies have a choice to make: exist on the edge of compliance, holding on to a dying industry for as long as they can get away with it, or reexamine their data practices and properly address the sweeping differences that are sure to come in the future.

One of the most notable laws in the last six months is the California Privacy Rights Act (CPRA), which activated in January of this year. If you haven’t already taken a pass at the CPRA, you should know that the biggest updates are that consumer rights have been expanded, a larger number of businesses will be affected, and “sensitive information” has been redefined to be more specific and protected. In short:

  • Consumers now have the right to limit “sensitive information” used by businesses to deliver goods and services, and businesses must give those consumers a clear, transparent way to opt-out or share limited information.
  • Consumers also have the right to correct information businesses have about them, and businesses must make reasonable efforts to update records with accurate information.
  • The law contains updated information about consumers’ rights to opt out of, delete and get access to the information any business has stored about them currently or in the past, and gives them expanded rights to data sold downstream.

The good news for businesses is that the CPRA won’t go into effect until January 2023. However, it could take businesses the entirety of the next two years to prepare — planning a strategy to become compliant, building a team to produce the work, and reconfiguring budgets to ensure smooth operations is a massive undertaking in and of itself. So, while two years sounds like a lot of time, the reality is that the clock has already started ticking and we all know what happened with the runway Europe gave companies with the GDPR.

A Minimum Viable Compliance Strategy Will Fail

Those that aim to simply meet the new CPRA’s minimum requirements are missing the mark. States from Nevada to Massachusetts to Maine have adopted new, fractionally different data privacy and security laws in the last two years. Dozens more have made proposals, many of which are under consideration at the moment. There’s no doubt all of this will roll up into a federal policy.

In California, many who did the least to comply with CCPA are now finding themselves unprepared for CPRA — and it’s a trend Charles Farina, Head of Innovation at Adswerve (a digital marketing analytics and cloud consulting firm specialized in Google solutions), says doesn’t have to be repeated. Farina predicts a push for national privacy legislation to occur sometime within the Biden presidency, and as such, preparation must begin now. He said he sees a tipping point occurring as other states, including New York and Washington, consider their own legislation. Businesses will then be left with a problem to solve: build fractionally different experiences for each nation-state jurisdiction or build a system to the highest standards to ensure compliance regardless of jurisdiction.

Many privacy advocates believe businesses should pursue the latter. However, the reality we’ve seen so far is that businesses pursue the former with hopes that they can continue providing minimum viable compliance until they’re forced into Federal requirements. While this strategy has worked so far, while privacy law was still in its nascent stages, the strategy is destined to fail if businesses keep it up. I recently caught up with Farina to talk about how leaders can look beyond the scope of CPRA and change some fundamental practices so they aren’t caught off guard again.

Comprehensive Data Strategies Will Win

CPRA certainly expands on the regulations set forth by CCPA, but it’s not like the changes were unforeseeable. Even a cursory glance at Europe’s GDPR rollout showed stronger privacy regulations, and Farina says smart companies need to model their effort against those regulations to succeed. With GDPR principles being added into the CPRA, it is likely that our federal policy will mirror what’s happening in Europe — all the more reason, Farina says, to get an early start.

Here are the most important things Farina sees in the impending changes of CPRA as the January 1, 2023 deadline approaches:

  • Fines pale in comparison to GDPR: The CPRA’s monetary penalties for non-compliance do not have the teeth of GDPR. When the stakes are low, the temptation to simply pay a fine instead of following the most restrictive principles is too high. It’s almost a given that when privacy regulations are adopted at a federal level, fines and consequences will be more severe, so simply being prepared for CPRA violations is not enough.
  • Control of downstream data: The CPRA expands “right-to-know” and deletion provisions for consumer data. No longer does deleting data you’ve collected at the customer’s request equal compliance — leaders are now responsible for everything sold or “shared” downstream as well. Compliance efforts over the next two years must include better data governance.
  • Sharing data is no longer an exception: Companies like Amazon, Facebook and Google were able to get exempted from some of CCPA’s stricter provisions by stating they were simply sharing data and not selling it. That ends with CPRA. Relying on loopholes and technicalities to exempt you from future regulation is no longer a sound strategy going forward.

The massive change to privacy regulations in such a short period should be a lesson to businesses that prioritizing data privacy is not a fad, it’s a demand. Companies that end up leading the way will start by getting a firm understanding of the law and will focus on enhanced data governance to get ahead of government regulation. Doing that, Farina told me, will require more thinking about the value exchange of consumer data.

Consumers Need To See Value

Surviving these sweeping changes will require transparency and creativity. It will also require finding ways to prove to consumers that their data is not only safe but also providing value and purpose. This sounds potentially damaging to businesses but has proven to work extremely well when done correctly. Metromile, for example, is a car insurance company that offers pay-per-mile rates for drivers. While this involves collecting a lot of traditionally private data — location, distances traveled, etc. — the clear value to the consumer is found in significantly lower prices. The value exchange becomes immediately obvious.

Others have been more creative with their efforts, but at the expense of transparency. Domino’s launched a campaign giving out free pizza in exchange for a picture of literally any pizza, sent to the company via text. Of course, the campaign was a clever way to get consumers to opt-in with their information — a campaign that could have been more forthcoming in its intentions. However, we’re bound to see more quirky strategies like this emerge as companies try to add ROI to the exchange. Some great examples occurred during the most recent Super Bowl, where companies like Capital One used surveys and other tactics to get opt-ins.

Creative ideas that get consumers to proactively share their data don’t happen in a vacuum. As Farina notes, they almost exclusively happen in teams that have built a privacy-first culture — a strategy he and members of Adswerve frequently blog about and discuss with clients and partners. Doing this requires breaking down internal silos. Marketing and analytics teams, for example, can’t operate separately and expect to maintain a holistic approach to privacy — not to mention guarantee compliance with regulations. As Farina’s colleague Scott Sullivan (Adswerve’s CRO) puts it, there needs to be an “authentic commitment to privacy that is woven throughout the entire organization.”

As we speed through Q2 of 2021 and into Q3, planning to simply meet the basic requirements of the CPRA and other new laws will prove to be a mistake tech professionals can’t afford to make. Instead, they should look to mirror the most comprehensive elements of privacy across jurisdictions that are likely to form our future federal privacy regulation. More importantly, companies need to make every effort to help consumers understand the value of their data. Companies that do not will leave the door wide open for competitors to circumnavigate them by simply providing better customer service — enhanced data protection — which consumers will notice, over time.

