Ravi Ganesh
Dec 17, 2020

Advertising practices that fall under privacy laws: A guide for APAC marketers

GDPR and other privacy laws should not be relegated to compliance departments—data collection practices that powers advertising on the internet sits at the heart of these regulations and requires the attention of marketers.

Advertising practices that fall under privacy laws: A guide for APAC marketers

Constantly evolving data regulations, compounded with privacy pushes from the world's biggest tech companies, warrants immediate action from marketers when it comes to cookies and ad targeting.

The issue of privacy and data protection is not something new. Data protection guidelines have been in force in various countries across the globe for many years, either in the form of a generic law or specific to a business sector such as healthcare or financial services. But many of these laws were not crafted for the information age—until the enactment of GDPR in 2018, which has brought about a change in the regulatory environment across the globe.

Most organisations consider GDPR and privacy laws as a subject matter of compliance, but it is important to understand that marketing and cookies are the focal point of data privacy. As a consequence, marketers need to be ready to comply with the most stringent of regulations as far as the use of cookies is concerned. Quick fixes including deceptive banners are temporary and met with subsequent regulatory responses. The focus on first party data and on contextual advertising is imminent.

What has changed with GDPR (and is changing everyday)?

Specific laws for data protection in the internet era (early 2000s) were crafted in the EU, Japan and India and were focused on cybercrime such as hacking, spam, offensive personal messaging and extensive behavioural advertising in the broad domains of electronic communications and e-commmerce. Consent was required for collecting or processing sensitive personal data. In Europe, the ePrivacy regulations were drafted in the early 2000s and required affirmative consent for collecting any data. Subsequent laws and most prominently the GDPR has changed three things:

  1. The definition of what constitutes personal data has widened. It now includes information that is tied to a device such as a device ID or Cookie ID or your web browsing history. This is a recognition of the fact that devices are an intrinsic part of any person’s identity. It is important to note that the nature of personal data is constantly evolving to include biometrics, voice and image /videos that are used invoice and facial recognition technologies. Cookies are very much a personal data and must necessarily contain name, purpose, name of party responsible, duration of validity, names of recipients or categories of recipients of any information collected by the cookie.
     
  2. GDPR has a more detailed articulation of what constitutes consent. In the absence of a proper definition, consent was implied with just one banner that would read “This site uses cookies”. Even where users needed to accept, the banners were designed so that users would not pay attention to them. A recent ruling by a German court in Planet49 case focuses on what cookie consent banners should look like: they should clearly state the purpose of processing, should be explicit, be auditable and revocable by consumers.
     
  3. There is a risk of non-compliance, not just when things go wrong. In the laws thus far, there was a risk of a fine or a penalty only when someone claimed a loss, whereas with the new privacy laws, non-compliance itself leads to fines and penalties. Although it is an issue of compliance, this needs the attention of the marketers as it directly impacts their day-to-day work significantly. Any inadvertent data breach results in loss of reputation and the possibility of class action suits. We have already seen many instances of such suits being filed against reputed brands.

But there is no harmonisation in regulations 

Even as this article is being written, data privacy regulations are being drafted and coming into effect in various countries. There is no harmonisation of regulations and there are cultural differences. India and China have taken a cybersecurity-led approach to their privacy laws and have mandated data nationalisation and localisation. ASEAN has a privacy framework, but only four countries—Philippines, Singapore, Taiwan, and Malaysia have passed specific privacy laws. In the EU, GDPR applies across all member states, but ePrivacy regulations—which governs the use of cookies—is not yet standardised and has different interpretations across the member countries. In the US, California has taken the lead and passed the CCPA and subsequently the CPRA.

In the policy debate, cookies come under the debate of consent versus legitimate interest. Recently, Singapore has updated its data protection law to exclude user consent for ‘legitimate’ business purposes. Some countries like Japan have a consent framework that is different for global and local services.

Essentially, this means that the definitions and interpretations of personal data and what constitutes consent vary by country and region. This makes managing consent extremely difficult for global marketers.

But regulations simply cannot keep pace with technology. The onus is on marketers to put ethics at the core and be a few steps ahead of regulations.

The impact on stakeholders

For consumers, while a strong consent regime empowers users, it is detrimental to the overall customer experience on the internet as customers must click on these consent banners on every website they visit. Also, consumer research has shown that they do not necessarily understand what consent is and what happens once they click ‘Accept’ on a banner.

For publishers, consent frameworks directly impact revenue as the number of third-party cookies associated with their URL substantially drops with user consent. Browsers have already phased out third party cookies or have set timelines for phasing it. One of the tactics used by publishers as a means of survival was the erection of 'cookie walls' to force consumers to accept cookies. This was subsequently found to breach GDPR.

For ad tech players, the focus is on minimising the impact on their revenues. They do not have direct relationships with the end consumer. They are now dependent on brands and publishers who operate websites to get consent on their behalf. However, publishers may not have enough incentive to get these permissions. This uncertainty means that innovation in the ad tech industry gets stifled as no one wants to invest in technology that may be deemed illegal or be subject to extensive regulatory processes. They might need to think of potential alternatives to cookies, which includes third party data trusts or legalised means of collecting consumer preferences.

Brands and advertisers are most concerned about how privacy changes will impact their customer relationships. This provides brands an opportunity to educate end-customers and strengthen their relationship with customers by building a first party data strategy. Consent management platforms (CMP) have emerged to help marketers with these daunting tasks.


Ravi Ganesh is a marketing advisor to startups. He formely worked with Havas Group India as head of data and analytics.

Source:
Campaign Asia

Related Articles

Just Published

16 hours ago

What makes holiday ads truly effective in APAC?

Amid holiday ad fatigue, Campaign delves into how brands can craft tailored campaigns to resonate with diverse APAC audiences and seize opportunities in this year’s evolving shopping landscape.

17 hours ago

What's shaping digital OOH in 2025? Key trends revealed

From fragmented markets to consolidated buying platforms, from brand awareness to performance metrics, 2025 will mark the year DOOH cements its position on advertising's main stage.