Revisiting Data Privacy and Compliance

2020 Looking Forward - online trends for the coming year

January, that time of the year when we take a look at the past twelve months and the months ahead to spot trends that might define our times. In the world of website management, online privacy laws and compliance with those laws has emerged as the most significant trend of 2019 and 2020.

The EU’s General Data Protection Regulation (“GDPR”) and California’s Consumer Privacy Act (“CCPA”) are the main drivers of this trend but there are also other national statutes, such as the ADA / WCAG and Brazil’s upcoming LGPD regulations, as well as various state and local laws like Nevada’s SB 220.

This trend toward privacy regulation marks a significant shift in the internet landscape as we are beginning to move away from the data free-for-all that defined the digital marketing industry during the past decade and move toward a more balanced personal-data-sharing equation, where individuals have more control over how their Personally Identifiable Information (PII) is collected and used.

Whether or not we reach that balanced relationship remains to be seen (for more on this, read the bonus section below). But we know for certain that these new regulations have altered the current landscape, at least in the short term. Our prediction is that this increased focus on privacy regulations and compliance will result in new paradigms for online marketing and online services. Here are a handful of the ways we see this playing out:

1. The Online Marketing Apple Cart is Flipped Over

Tracking and targeting website visitors is the linchpin of the online marketing space. If marketers and advertisers lose a significant portion of their ability to identify consumers based on their personally identifiable information (PII), they lose a key ingredient to their secret sauce.

This probably wouldn’t have happened, even with the GDPR and CCPA coming into effect, if digital marketers could continue to assume the consent of their website visitors and application users. In other words, if websites could continue to use the ubiquitous “By using this website you accept all our cookies” consent model, not much would change. Users rarely take the extra steps needed to opt out of cookies in this model. But this model is changing.

The EU’s justice system (the CJEU) ruled this past September that visitors must provide “affirmative consent” before cookies can be stored on a user’s device. This means that  a GDPR-compliant website can only drop cookies on a user’s device when that user has accepted those non-essential* cookies. And the form allowing them to accept or not accept these cookies must default to ‘not accept,’ meaning if the user does nothing, they are opting out of non-essential cookies.

(*’Essential cookies are those that are required for a website or app to function, like a cookie that identifies which server a user is connecting to. Non-essential cookies cover everything else, like traffic measuring  tools, social media hooks, advertising trackers, etc.)

Naturally, making users the ‘gatekeeper’ that decides whether or not non-essential cookies are set on their devices will result in a segment of users opting out, i.e. refusing those cookies (on GDPR-compliant websites). It’s too early to tell how large that segment of users that will be but our very logic-oriented gut tells us that it will be close to half of all users. Our thinking here is that, if all things remain equal and there’s no incentive to either opt-in or opt-out, and the default state of the form is set to opt-out, that at least 50% of all users will essentially do nothing and thereby opt-out. If that’s true, then the systems and processes that rely on tracking user behavior are going to be losing 50% or more of the data they rely on. Ergo apple cart upended.

2. A New Phase for Traffic Analytics

Currently, measuring the effectiveness of a website relies on traffic analytics tools that identify new or returning visitors and their behavior across your website. Naturally, those systems rely on cookies to measure traffic and, where those tools are monitoring a GDPR-compliant website in 2020, the cookies will only be ‘dropped’ onto the devices of actively consenting users. As we outlined above, we feel that 50% of visitors to a site will opt out of those tracking cookies. And a 50% reduction in measurable traffic is tantamount to the floor dropping out from under the website analytics industry.

However, because measuring traffic to a website is so ingrained in website management and marketing, we predict that this technology will change in one of three ways.

Option 1. The technology will adapt to provide equally accurate and comprehensive measuring capabilities without requiring the sharing of cookies and personal data. This could happen if analytics software services removed or effectively anonymized the PII that is recorded by the software. Perhaps through some kind of encrypted, anonymized identification of a user’s device fingerprint. If this can’t be accomplished, then analytics platforms may create some sort of algorithmic or statistical formula to compensate for the lost users In other words extrapolating the true size of a website’s audience from the data that is gathered.

Option 2. The practice of measuring traffic and the success of a website will evolve to be less focused on measuring each individual user’s engagement and will become more focused on collective user actions such as click-throughs, downloads or other responses. Tracking these conversion events or key performance indicators (KPIs) can be done without the use of cookies.

Option 3. The more cynical (and therefore most likely) option is that website traffic measuring providers will successfully lobby to redefine their tools to be essential, thereby making them exempt from the privacy regulations.

3. The Ever Increasing Imperative of Quality Content

Content is still king. It was never otherwise. Just take a look at the first graph on this 2019 content marketing survey by Green Target. Useful, meaningful and current content is what most digital consumers want and therefore what drives the success of online marketing programs.

As privacy laws ratchet up and as it becomes harder to track and target your audience members and potential customers, the value of strong, shareable content will only grow. Content publishing, already a key component of any digital marketing program, will become the mainstay, overshadowing email marketing, advertising/remarketing, SEO, PPC and other opportunities.

4. The End of Free Web Services?

As we (the public) start to opt out of being tracked, analyzed and targeted, the internet behemoths that built their dynasties off of free data will need to adapt their business models. Expect that Google, Facebook, Microsoft and others will start to charge a nominal fee for services that are “free”* today.  (*Of course these services aren’t free, as we pay for them with our personal data.) This could take on a number of forms but we think the most common approach will be more annual fees similar to what Amazon charges its Prime members or Microsoft its Office 365 users.

Regardless of how these fees take shape, the next year or two will mark the end of the ‘freemium’ model that we’ve been riding the past 15-20 years. If a startup is restricted from harvesting the data of a large number of its users, their business will have to rely on actually selling something other than user data. Of course, if data privacy laws start to trend in the other direction, toward weaker restrictions, the freemium model will persist.

5. Compliance as a performance measurement

Website performance has expanded in recent years to include mobile operability and security (SSL). This has resulted in search engines, most notably Google, giving higher rankings in search results to websites that are mobile-friendly and secure.

It seems logical then that compliance with data privacy and accessibility standards will begin to be weighted in a similar way. If having a responsive design and an HTTPS website are best practices that lead to better ranking in the search engines today, it’s reasonable to expect that complying with privacy laws and accessibility guidelines will lead to better rankings in the future.

Look for Google and Bing to announce changes to their indexing algorithms that favor sites that comply with GDPR and CCPA and that are demonstrably accessible to impaired users.

In Conclusion: Data Privacy and Personal Privacy Matter

Data privacy laws and compliance with those regulations are the next big thing on the internet. And these changes extend far beyond the “Accept Cookies” alerts that we see popping up on the bottom of every website nowadays. Protecting user data and requiring user consent before tracking activity will have far-reaching and long-lasting effects on how business on the internet is conducted. Make it your goal to update your website, cookie behavior and privacy policy to be in sync with the regulations applicable to where you conduct business.

If you have any questions about your company’s privacy policy or whether your website is compliant with regulations in your area, please email us at We’d be happy to help.

Thank you for reading and Happy 2020!


… Bonus Section …

Who Does Data Empower?

Over the years, the internet has enticed and quashed dreams of a utopian society. 20 years ago the internet pundits loved the idea that the free flow of information would empower the masses and democratize everything from the media to financial markets. More recently, thought leaders espoused the internet as a great equalizer, shifting the balance of power from the corporate sales and marketing department to the consumer, as the information at our fingertips made us more critical customers.

But the real story, it turned out, was not consumer empowerment but rather the nefarious world of big data. While we were happily using our phones in the aisles of big box stores to compare Amazon’s prices with those on the shelves, vast amounts of data were being collected on every one of us from every corner of our digital lives.

With all this information, corporations and their data scientists acquired unprecedented power and insight. Subsequently, the practice of ‘predictive analytics’ was applied to our online shopping behavior, allowing those companies with data and resources to reliably map out shopping behavior and buying decisions. Video game makers used ‘game data mining’ to gather and test, in real time, how small changes to their games might affect (increase or decrease) player engagement across thousands or millions or users. And political campaigns began using ‘psychometrics’ to predict our personal and political preferences based on our social media posts and likes and to weaponize those data to influence our votes. In other words, the balance of power is far from equal.

Meanwhile, throughout it all, we witnessed dozens of incidents where our personal data—credit card numbers, passwords, social security numbers, credit rating scores—have been accessed by hackers, spy agencies or rogue states and we have virtually no option or course of action other than to shrug our shoulders and hope that our insignificance among the masses somehow protects us.

The bottom line is that the status quo, in terms of privacy and personal data, favors corporations and governments. We accept this because we want the convenience and lower cost that we’re now accustomed to. In essence, we trade our personal data for these benefits. But the struggle is ongoing. The GDPR and CCPA, as well as other regulations on the horizon, begin to put a check on the power of big data. That check returns to the public some of its lost privacy rights. But these laws will also restrict the flow of information, meaning less convenience and higher prices in our future. Time will tell whether or not we determine that our privacy is worth the cost. Certainly the large data-centric companies we patronize will try to convince us otherwise.

We’ll close with this paragraph from a report that Amnesty International published in November 2019:

Ultimately, it is now evident that the era of self-regulation in the tech sector is coming to an end further: state-based regulation will be necessary, but it is vital that whatever form future regulation of the technology sector takes, governments follow a human rights-based approach. In the short-term, there is an immediate need for stronger enforcement of existing regulation. Governments must take positive steps to reduce the harms of the surveillance-based business model—to adopt digital public policies that have the objective of universal access and enjoyment of human rights at their core, to reduce or eliminate pervasive private surveillance, and to enact reforms, including structural ones, sufficient to restore confidence and trust in the internet.

0 comments on Revisiting Data Privacy and Compliance