“Adjusting to the new regulatory landscape is the biggest issue facing the industry right now,” is what I told the AdMonsters community two years ago.
Guess what? Preparing for privacy regulations, along with the death of the third-party cookie (and other identifiers used to target individuals and measure advertising) is still a colossal challenge.
So, what’s coming to the data and privacy landscape in 2022? Expect more state-led privacy legislation coming to the table, GDPR to kick it up a notch while privacy spans global, privacy ad tech to get a lot of shine, cookieless solutions to face the music, and global privacy controls to gain traction. Real-time bidding they’re coming for you.
5 Data Privacy Trends for 2022
The State Privacy Party Will Continue
There will be no federal privacy law this year. Instead, the “patchwork” of state privacy laws will continue. In addition to Colorado, Virginia, and California, I expect two-three more states to pass privacy laws this session. It’s not clear which states will go, but there will be more states to contend with by the end of 2022.
This is going to require companies to create (if they haven’t already) comprehensive privacy programs that allow them to understand what data they collect, where it sits, how they use it, who they share it with, and the value of that data. This is not a one-time exercise, it will require ongoing maintenance.
This is the foundation that will help companies layer on additional privacy requirements as they come in, instead of scrambling and starting from old information each time there is a new law/obligation. This exercise impacts legal, IT, procurement/sourcing, and the sales and marketing teams. The days when privacy was a problem for legal or compliance to deal with are over.
Privacy Goes Global
There is a lot of conversation about state privacy laws and the lack of federal privacy legislation, but outside of the U.S., we are seeing privacy go global. In the EU, I expect to see the enforcement of the GDPR and e-Privacy continue to escalate. After a few “quiet” years with a small number of fines, the cases filed with the various data protection authorities have worked their way through the system and the increase in fines reported in 2021 will likely continue. I expect there to be a focus on the use of cookies and the practice of programmatic advertising and real-time bidding.
Both the ICO in the UK and CNIL in France investigated this practice in 2019 and 2022 may be the year that they start to enforce the warnings previously given. Outside of the EU, Canada and Australia are updating their privacy laws, India is considering a new privacy law, China will be enforcing the law it passed last year, and Saudi Arabia (among other countries) passed a privacy law last year.
I expect to see the trend of increased privacy regulation and enforcement around the globe continue. Companies will need to navigate much more than the U.S. privacy landscape if they really want to work on a global scale (see prediction #1 about the need for a privacy program).
Privacy Tech Will Take Center Stage
As regulators, consumers, and the big platforms continue to put pressure on business models that rely on the sharing of personal information, companies will turn to technology to help them achieve their business goals. In 2021 we saw the rise of privacy-enhancing technologies – in 2022 they will take center stage.
Techniques like differential privacy and homomorphic encryption, along with solutions that involve synthetic data, will gain in popularity as sharing personal information continues to be stymied by privacy-related restrictions. Clean rooms will stay in the mix as a privacy-forward solution. Companies should expect to see more of these solutions being marketed in their inboxes and will need to understand the technology and its implications as they decide which to add to their tech stack.
Post-cookie Solutions Will Be Put to the Test
At the top of 2022, we are still anxiously awaiting news on the proposed regulations under the CPRA. The head of the CPPA, the agency writing those rules, has signaled some skepticism about e-mail based identifiers. That doesn’t mean they won’t survive, but they may be subject to the same restrictions currently placed on cookie IDs and similar identifiers.
Global Privacy Controls Will Gain Traction
I am using the lowercase here because I don’t know if uppercase GPC is the final word on what a global control looks like and I think there are still too many open questions about its implementation. That said, I think there is a real concern with how consumer choice is provided – regulators don’t like the idea that consumers have to navigate the privacy practices of each website they visit in order to exercise those choices (and neither do consumers).
My hope is that we have more dialogue on how a “gpc” should function and some standard setting for the signals sent. First, we need to understand what exactly are consumers opting out of?
Each state has a different definition and slightly different approaches to what activities a consumer should be able to opt-out of – how can there be a “global” tool when there aren’t global definitions?
Second, there hasn’t been enough alignment on the logistics — how will platforms receive the opt-out signal, what is the impact on offline activities, how should browsers communicate the potential limitations, and how can we allow consumers to make individual choices for companies they have a relationship with. I hope to see some of these questions answered before we see significant enforcement of unclear expectations.