CCPA/CPRA Data Mapping: The Why, What, and How
How often does the word “right” show up in the text of the CCPA/CPRA?Read Now
July 19, 2022
For marketers, the rise of data privacy regulations like the GDPR and CCPA/CPRA can feel like the end of an era. Marketers once had access to rich, individual-level data they could use to target and measure every dollar of spend across digital channels. But suddenly, collecting that data puts businesses out of compliance and threatens consumers’ trust in the brand.
Nobody, however, thinks data-driven marketing should or will go away. Marketers just need to find an approach to collecting and working with data that respects consumers’ right to privacy.
In short, marketers need to become proficient in privacy-first marketing.
A privacy-first approach allows marketers to access the data they need to make insightful decisions but bakes in data privacy principles throughout the marketing process. It respects consumers’ personal rights, complies with major data privacy regulations, and safeguards consumer data from mismanagement or security breaches.
Let’s dive into privacy-first marketing, explore its key features, and identify the benefits it can have for a modern marketer.
While it was by no means the first data privacy regulation, the GDPR was the first comprehensive, modern data privacy law. Enacted in 2016, the law was a response to a slew of data breaches and the unethical use of consumers’ personal data and was followed swiftly by other data privacy regulations like California’s CCPA/CPRA, Brazil’s LGPD, and more.
Crucially, you may be subject to these laws even if your business isn’t based out of the associated jurisdiction. If you provide products or services to enough residents of a covered jurisdiction, then you need to comply with the associated law. As an example, you might be a Texas-based business that sells a digital product all across the US. If you process the personal data of at least 100,000 California consumers, then you’re still subject to the CCPA/CPRA even though you’re headquartered in Texas.
Complying with these laws means fundamentally recognizing consumer data as the property of that consumer — if your business wants to use it, then you have to ask for it first. The result is greater trust and reduced legal risk. The question on marketers’ minds, however, is whether that trust and reduced risk come at the expense of marketing insights.
When practiced rigorously, privacy-first marketing strikes a balance between compliance and actionable data. Marketers that understand how data privacy works maximize their ability to collect data in an ethical way and minimize their risk of damaging their companies’ reputations, upsetting their consumers, and running afoul of the law.
If there is any one technology that marketers need to understand before taking a privacy-first approach to marketing, it’s cookies.
Cookies are small text files placed in a visitor’s browser by the website they’ve chosen to visit or by a third-party partnering with that site (though the latter may be going away — more on that later). If a website owner wants to analyze their visitors’ behavior, they can do so by seeing what cookies have been stored in their visitors’ browser.
For marketers, cookies mean they can retarget consumers who previously visited their website, can measure the effectiveness of new campaigns, see how changes to their website impact user behavior, and more. In essence, cookies provide the data that digital marketers need to do their job.
Under cookie laws like GDPR and CCPA/CPRA, placing cookies on consumers’ browsers and tracking that data indiscriminately isn’t in compliance. Companies can and do receive fines for improperly collecting consumers' data through cookies. Under the GDPR, for instance, companies have been fined anywhere between €28 and €748,000,000.
Fortunately, you can compliantly drop and track cookies on consumers’ browsers: you just have to ask for consent in the right way.
Every data privacy law requires you to ask for consent, but you might sell to customers in a jurisdiction that doesn’t have a data privacy law. If so, you don’t have to ask for consent before dropping cookies on a consumer’s browser.
However, this practice can’t really be called “privacy-first marketing,” since issuing cookies without consent doesn't really respect the consumers’ privacy even when it’s legal. Privacy regulations are becoming more common, and respecting consumer privacy is just the right thing to do anyhow, so we recommend asking for cookie consent regardless of whether you’re legally required to do so.
Under regulations like the GDPR, businesses need to ask consumers to explicitly opt in to cookies. This can be done by, for example, clicking a button, ticking a box, or otherwise proactively demonstrating that they’re comfortable with being tracked by cookies.
Under most US data privacy laws, such as the CCPA/CPRA, businesses only have to offer opt-out consent. So long as the consumer is informed in a conspicuous way (such as by a pop-up banner) and given the option to opt out of cookies, businesses can assume that consumers consent to cookies if they continue to use their site.
Data privacy laws are changing all the time, however, and if a business wants to err on the side of caution, it’s best to default to offering opt-in cookie consent as it’s considered to be the practice that’s more in line with consumer rights.
Whether you offer opt-in or opt-out consent for cookies, user consent management is essential. Marketers and website owners can’t merely show a cookie banner with “Accept” and “Reject” buttons that do nothing. Whether consumers consent to cookies and what sorts of cookies they consent to needs to be recorded and acted upon, which will require either in-house development work or a third-party solution.
It can be frustrating to have to fiddle with the backend of your website to ensure that the only cookies that fire are the ones your website visitors have consented to. Furthermore, you need to keep a long-term record of consent in case you get audited by a data protection authority. While it’s possible to do this work in-house, most marketers purchase a consent management platform (CMP) to simplify the technical aspects of cookie consent. That way, you’re one step closer to the actionable, compliant data you need to do your job better.
Naturally, if you’re asking for consumers’ consent before collecting data from them, the total data available to you will drop. As a result, marketers might think that their task is to maximize the number of website visitors who give consent. This practice is known as consent rate optimization.
While using clear language and design in your cookie banner is a good practice that may increase your consent rates, it’s essential that you don’t try to “game” your cookie banner. Some organizations require additional clicks for users to opt out of cookies, or make the “Reject” button less noticeable than the “Accept” button — these are examples of dark patterns (i.e., manipulative design practices). Some data privacy regulations explicitly prohibit the use of dark patterns, but this manipulative practice goes against the spirit of all data privacy laws, whether it's explicitly mentioned or not.
Cookies come in different flavors, each of which has different implications for marketing and for consumer privacy. We’ll explain the differences between third- and first-party cookies, as well as how zero-party data can supplement them.
This can feel pretty creepy for the consumer. What if they don’t want their search and browsing history to follow them around on the internet? Moreover, advertising networks can gradually build up a scarily in-depth profile of a given user. This is both a security risk and a major invasion of privacy.
Data privacy regulations say that it’s fine to use third-party cookies so long as the consumer consents to them. Even still, consumers may not realize that these cookies follow them around as they navigate to different sites, and while the privacy issue of third-party cookies is solved by consent, the security issue remains. That’s part of the reason why third-party cookies are going away.
Google Chrome announced that it will stop supporting third-party cookies in mid-2024, joining other browsers like Safari and Firefox.
What does this mean for marketers? Essentially, it means that ad retargeting will become a lot less effective. Without third-party cookies, tracking users that had previously visited and interacted with your site and then serving up your ad to that user will be a challenge. However, marketers can adapt by leaning on other data collection methods — like using first-party cookies and zero-party data.
When it comes to privacy, there’s a world of difference between first-party cookies and third-party cookies. Rather than track consumer behavior across websites, first-party cookies track behavior solely on one domain. Marketers can gather information about their visitors based on how they interact with their website, but they won’t be able to identify where visitors were before they visited their site or where they go afterward.
With this information, marketers can still craft a targeted marketing strategy — they just won’t be able to have that strategy follow consumers around.
While not technically cookies, zero-party data is an essential part of a privacy-first marketing strategy. Rather than use tracking technology to gather data about consumer behavior and preferences, marketers can do the easy thing and just ask.
Zero-party data is information that the consumer explicitly shares. To a certain extent, marketers are already collecting zero-party data — whenever a consumer shares their email address on a form or fills out a contact card, for instance, they’re providing zero-party data.
But zero-party data can encompass more than just an email address. You can gather data on communication preferences, purchase intentions, areas of interest, and any other information that will provide the consumer with a better experience.
When done well, zero-party data collection gives something back to the consumer. It might be access to a valuable resource like an ebook, tailored product recommendations, or more relevant communications.
With third-party cookies being phased out, privacy-minded marketers will want to launch personalization strategies that rely on both first-party cookies and zero-party data.
So, how can marketers actually put all this information into practice? When implementing a privacy-first marketing strategy, there are three basic steps you should follow.
At times, emphasizing data privacy in marketing can feel at odds with consumer and market demands. Consider the fact that:
Don’t these statistics seem contradictory with the demand for privacy? How can marketers gather the data that personalization and targeted advertising requires while still respecting consumers’ right to privacy?
Unfortunately for marketers, consumers want to have their cake and eat it too; as marketers, it’s our job to make that possible. Success in the modern business world and in privacy-first marketing means that marketers need to source the requisite data for personalization, targeting, and attribution while protecting user privacy at the same time.
For one, make sure you’re maximizing your ability to collect zero-party data. As an example, industries with complex customer lifecycles can exchange educational content for customer data, which can then be used in your marketing and sales efforts.
Or, if your product or service has a lot of variations, you might develop a digital questionnaire to help prospective customers self-select the product or service that fits their needs and that asks for consent to collect that data. You can and should get creative here, so long as you stay in compliance.
Make sure you’re maximizing the collection of first-party cookie data as well. If users spend a lot of time interacting with your website and app, then asking for consent to collect their usage data through a cookie banner can yield a lot of actionable information.
You can also benefit from the first-party data that other organizations are collecting, too. Large publishers and platforms like Google, Facebook, and others have the benefit of massive user bases with high engagement — that means they have tons of user data. Under the “walled garden” approach, you can provide them with ads for your brand and basic information about your company. Using internal ad platforms, walled gardens target your ads for you. At the cost of some control and insights, you’ll still get to target and personalize advertisements to the most relevant audiences on those third-party platforms — all in a compliant way.
With an understanding of both your compliance requirements and your data strategy, now you just need the tools to help you carry it out. Here’s what you need to keep in mind when evaluating these tools.
Data privacy and martech aren’t always guaranteed to go together, so it’s important to evaluate how third-party martech vendors are treating the data you collect. After all, if your vendors are mishandling your customers’ data, then it won’t matter whether you’re compliant on your end; data privacy regulations still hold you liable.
If you work with a privacy professional, then evaluating vendors for their data privacy compliance will be a big part of their role. If not, then you’ll want to identify a vendor monitoring solution to ensure you can quickly get a sense of your martech solutions’ compliance track record.
Data privacy tools for marketers need to do more than enable compliance — they also need to have a minimal impact on your role.
Marketers are often put in charge of the company website, which means that many data privacy concerns fall in their lap too, whether it’s related to marketing or not. Thus, it’s important for marketers to get involved in the vendor evaluation process, since there’s a good chance they’ll be interacting with whatever data privacy software the organization settles on.
When evaluating data privacy software, you’ll want to ask questions like:
There are a number of privacy or privacy-adjacent software solutions out there, like tools to support DSARs, records of processing activity (RoPAs), data processing agreements (DPAs), and any number of compliance minutiae.
Arguably, however, the most important solution for a marketer is a cookie consent tool. This will enable you to secure consent to data collection, which in turn means you can assess consumer behavior on your website, track which content resources consumers are converting on, identify preferences and tailor content to those preferences, and more. Moreover, you’ll be able to offer consumers the right to opt into or out of data collection for all cookies or just marketing, personalization, and/or analytics cookies, ensuring consumers have granular control over what data they permit you to track.
A privacy-first approach to marketing may be a dramatic shift from the indiscriminate, bulk data collection of the 2000s and 2010s, but it’s one that ultimately enables a safer, more respectful internet for your customers. Marketers that learn how to support that experience and perform their jobs without violating their customers’ privacy rights will benefit.
But enabling that experience requires data privacy solutions designed with marketers in mind. When vendor selection is left up to the development and legal teams, marketing can get stuck with a solution that makes their job more difficult.
That’s exactly what happened to Mailgun. Mailgun’s marketing department was saddled with a solution that was overly strict and blocked basic metrics like anonymous page views for over half of their web traffic. Frustrated, the team turned to Osano.
The Osano CMP:
Privacy-first marketing requires a strong foundation. Let Osano be that foundation for your organization. Schedule a demo today.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.