These slides were presented at the SEMrush webinar "GDPR, CCPA, ePrivacy: Which Data Laws Are Next and How the New Privacy Landscape Will Affect Marketers". Video replay and transcript are available at https://www.semrush.com/webinars/gdpr-ccpa-eprivacy-which-data-laws-are-next-and-how-the-new-privacy-landscape-will-affect-marketers/
Abbie Clement — GDPR, CCPA, ePrivacy: Which Data Laws Are Next and How the New Privacy Landscape Will Affect Marketers
This webinar may contain simplifications and therefore is not intended as legal advice, and does not establish any type of lawyer-client relationship.
2. www.iubenda.com – info@iubenda.com
Abbie Clement
HEAD OF CONTENT
iubenda.com
Marketing and the new privacy landscape -
GDPR, ePrivacy, CCPA and more
Andrea Giannangelo
HEAD OF PRODUCT & CEO
iubenda.com
Jason Hennessey
CEO
Hennessey Digital
At its most basic, the General Data Protection Regulation specifies
how and when personal data should be lawfully processed.
● Personal data under the GDPR refers to any data that relates to an
identified or identifiable person. This includes pieces of information that,
when collected together, can lead to the identification of a person.
● Under the GDPR personal data can only be processed if there’s at least one
legal basis for doing so.
The Legal Bases of Processing Data
● Consent. The user has given consent for one or more specific
purposes.
● Contractual requirements. The processing is necessary for the
performance of a contract in which the user is a participant.
● Legal obligation. The processing is necessary for fulfilling a legal
obligation.
● Vital interests. The processing is necessary for protecting the vital
interests of the user or of another person.
The Legal Bases of Processing Data
● Public interest. The processing is necessary for performing a task
carried out in the interest of the public or under the official authority
given to you.
● Legitimate interest. The processing is necessary for the legitimate
interests of the data controller or third party, except where overridden
by the interests, rights and freedoms of the user, especially if the user
is a child.
The Legal Bases of Processing Data
*Note: Legal bases shouldn't be “picked” at random, as they must legitimately
apply to your situation.
There will always be data processing activities where consent is the
safest, best or only option.
● Consent Pros & Cons
In effect since 2002, the ePrivacy Directive (Cookie Law) was created
to put guidelines in place for electronic privacy, including email
marketing and cookie usage.
● It complements the GDPR, and it still applies today.
● Unlike the GDPR, it is a Directive. Directives set certain agreed-upon goals and
guidelines in place with member states being free to decide how to make these
directives into national legislation.
● Both the ePrivacy and the GDPR apply to the protection of personal data of
individuals within the EU: if you do business in the EU (regardless of whether or
not you are based in the EU), then these laws affect you.
Cookie Law: Legal Requirements
A cookie is a small piece of data that is sent from a website or app and
often stored on a user’s computer via their web browser. The ePrivacy
Directive/Cookie Law requires users’ informed consent before storing
cookies on a user’s device and/or tracking them.
This usually involves informing the user via a cookie notice, blocking
scripts from running before consent is collected and linking to a
comprehensive cookie policy.
Cookie Law: Industry Requirements
● The IAB Transparency and Consent Framework
● Publishers further stand to benefit, as it makes it easier to be more
transparent and allows you, as the data controller, to have more control
over how your users’ data is processed and why.
*If you run ads on your website it’s highly recommended that you enable this
feature: some advertising networks may limit access to their network if it is not
implemented, which could, in turn, potentially decrease your ad revenue (e.g. the
recent case of Snopes).
The Federal CAN-SPAM Act
Set as a US standard for the regulation of spam email, Controlling the Assault of
Non-Solicited Pornography and Marketing (CAN-SPAM) is an Act that sets the rules
for commercial email and commercial messages.
● All US businesses that send commercial emails (or employ third-party services
to send emails on their behalf) are required to comply.
● You do not need consent prior to adding users located in the US to your mailing
list or sending them commercial messages. However, it is mandatory that you
provide users with a clear means of opting out of further contact.
CCPA & CalOPPA
California’s best-known privacy laws are among the most robust
in the United States. Both are relevant to you if you are likely to have
users based in the state of California.
California Online Privacy Protection Act (CalOPPA) - since 2002
The law requires commercial websites and services to have a privacy policy.
The document:
● Must clearly state what info is collected and who it's shared with.
● Must disclose how a business’s website or online service responds to Do Not
Track signals from Web browsers.
● Must include the effective date of the Privacy Policy and more.
CCPA & CalOPPA
California Consumer Protection Act (CCPA)
● Grants users additional rights such as the right to be informed and the right to
access information you’ve collected about them; but perhaps most relevant to
marketing is the right to opt out.
● Under the CCPA, users have the right to opt out of any processing that can be
considered a sale of their data. Sale, in this context, is quite broad and simply
means sharing for any profit, monetary or otherwise.
Note that in the case of minors, they are granted the right to opt in.
Consequences of Non-Compliance
GDPR:
● fines up to EUR 20 million (€20m) or 4% of the annual worldwide
turnover;
● sanctions such as official reprimands and periodic data protection audits; and
● liability damages.
Consequences of Non-Compliance
CCPA:
● Consumers have the right to sue businesses that violate the law. The associated
fines will be between $100 and $750, or any higher amount related to actual
damages.
● The state can bring charges of up to $2,500 per violation for businesses that
unintentionally violate the CCPA, and fines of up to $7,500 per violation, for
businesses that commit intentional violations.
While these fines might not seem particularly large in comparison to the GDPR, consider
that these fines apply per individual violation and per consumer. For a business with
even just a few customers, these fines can add up to a hefty sum.
Consequences of Non-Compliance
CalOPPA:
● Actions by the Federal Trade Commission, which may bring enforcement action
against businesses whose posted privacy policy is deceptive – that is, where a
business fails to comply with its posted privacy policy.
● The government can bring suit, as a violation of CalOPPA can be considered a
violation of California’s Unfair Competition Law (UCL).
Have a clear and easy email opt-out for both US and
EU-based users
Include a clear, visible and easy option to opt-out of further
communications in your marketing emails.
E.g. “You are receiving this business communication from [Business Name] as
you have expressed your interest in our products and services. If you no longer
wish to receive these communications, you can unsubscribe by clicking here”.
Be sure to set up your email management system in such a
way that the user can opt-out without needing to log in.
Get opt-in consent for EU-based users
Make sure that your opt-in mechanism informs the user clearly
and correctly of your intentions. Do not use pre-ticked
checkboxes or combine purposes, and make it clear to the
user that consenting to your newsletter is completely optional.
Here’s a visual example of how you can do this correctly →
Transparency: Make relevant disclosures & Clearly
identify yourself
● Have a valid privacy policy in place which contains all relevant
disclosures related to how and why you process user data.
● Endorsements must be non-misleading and fully disclosed. You
must inform users when given an incentive (financial or
otherwise) to promote a product.
● Clearly identify yourself/your business with accurate and up-to-date
contact information in both your email communications and any
user-facing privacy documents on your site.
Have a consent management platform in place on your
website
● If you have EU-based users, under GDPR and ePrivacy
regulations, you must block cookie scripts from running until
you’ve collected informed, freely given consent from your users.
● Also, under California’s CCPA, you must inform California-based
users of any selling of their personal data and give them the
option to directly opt-out.
If you have cookies in use on your website (and you most likely do),
not having a cookie consent management solution in use on your
website could mean that you’re violating user rights.
Have a consent management platform in place on your
website
● Be sure to have a cookie solution in place that allows you to
inform users, block cookies prior to consent, manage consent to
cookies and pass TCF consent preferences along to the advertising
network where applicable.
● If you have California-based users, choose a CMP that also
supports IAB’s US Privacy Framework. The ideal scenario, of
course, is to find a CMP that supports both cases.
Here’s a visual example of what a CMP can look like in action →
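The "block scripts before consent" requirement from the Cookie Law slide and the CMP checklist above come down to one mechanism: tracking scripts are shipped inert and only made executable for the categories the user accepted, with a CCPA opt-out able to veto the marketing category. The following is an added illustration, not iubenda's or any CMP vendor's code; it assumes the page marks scripts as `<script type="text/plain" data-category="...">` (a type the browser never executes) and that the California signal arrives as an IAB US Privacy string such as "1YNN".

```javascript
'use strict';

// Categories a CMP typically exposes; strictly necessary scripts need no consent.
const ALWAYS_ON = new Set(['necessary']);

// Parse an IAB US Privacy string such as "1YNN": version, explicit notice,
// opt-out of sale, LSPA covered transaction. True when the user opted out of sale.
function usPrivacyOptedOut(uspString) {
  if (typeof uspString !== 'string' || uspString.length !== 4 || uspString[0] !== '1') {
    return false; // absent or malformed signal: no opt-out recorded
  }
  return uspString[2] === 'Y';
}

// Combine explicit EU-style opt-in choices with a CCPA opt-out signal.
// `choices` looks like {analytics: true, marketing: false}; a missing key is no consent,
// so nothing is enabled by default (the no-pre-ticked-boxes rule from the slides).
function allowedCategories(choices, uspString) {
  const allowed = new Set(ALWAYS_ON);
  for (const [category, granted] of Object.entries(choices || {})) {
    if (granted === true) allowed.add(category);
  }
  // A "Do Not Sell" opt-out must stop sharing with ad networks regardless of earlier choices.
  if (usPrivacyOptedOut(uspString)) allowed.delete('marketing');
  return allowed;
}

// Pure decision step: which inert scripts may now run. Each descriptor is
// {src, category, type}; only type "text/plain" entries (never executed) qualify.
function scriptsToActivate(scripts, choices, uspString) {
  const allowed = allowedCategories(choices, uspString);
  return scripts
    .filter((s) => s.type === 'text/plain' && allowed.has(s.category))
    .map((s) => s.src);
}

// Browser step: swap each eligible inert tag for a real script element. This is the
// first moment the browser fetches and runs it, and so the first moment it can set cookies.
function activateInDom(doc, choices, uspString) {
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const descriptors = nodes.map((n) => ({ src: n.src, category: n.dataset.category, type: n.type }));
  const go = new Set(scriptsToActivate(descriptors, choices, uspString));
  for (const n of nodes) {
    if (!go.has(n.src)) continue;
    const live = doc.createElement('script');
    live.src = n.src;
    n.replaceWith(live);
  }
}
```

Call `activateInDom(document, choices, uspString)` from the CMP's consent callback and again on each page load from the stored choices; anything not re-activated stays inert, which is what "blocking prior to consent" means in practice.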