Language: EN | ES

CMOs are on their toes and not conducting ‘business as usual’ as data privacy regulators get more assertive

This article is also available in Spanish. Please use the toggle above the headline to switch languages. Visit to read more content in Spanish.

CMOs are a bundle of nerves these days. Blame data privacy regulators for some of it. Sure, the threat of a global recession keeps marketers awake at night, but being named and shamed in headlines of The New York Times for data privacy breaches is the stuff of nightmares.

But until recently, those nightmares never materialized. After all, it was the platforms and ad tech vendors that were in headlines for data snafus, not advertisers.

Time, as ever, makes fools of everyone. In this instance, gradually then suddenly.

Before September, avoiding data privacy breaches was just another priority among others on a long list for marketers. Now, it’s a matter of urgency. In September alone, prominent advertisers Zillow, Expedia, and Lowe’s were hit with lawsuits for allegedly breaching privacy violations in the U.S.

If there was ever any doubt that lawsuits would come for advertisers that played fast and loose with people’s data, it’s fading quickly. Take Sephora, which agreed to pay $1.2 million in fines for selling customers’ data without their knowledge.

That fine, in particular, seemed to prompt internal legal counsels to probe senior marketers on whether their use of data exposed them to something similar, as reported by the Wall Street Journal. The subsequent burst of activity, from data privacy policy updates to renewed data ethic frameworks, is hardly surprising. It’s more like a rising tide. Sources told Digiday that marketers see these latest revisions to data privacy plans as less a matter of completing compliance check boxes, more one of fiduciary responsibility. They really don’t want to be in the headlines.

“Over the two months or so we’ve seen a lot more inbound interest from enterprise organizations looking to update their technology stacks in advance of the changes to data privacy laws in the U.S.,”  said Brian Kane, chief operating officer at consent management platform Sourcepoint. 

Companies like Sourcepoint were always going to see a swell in demand with or without the Sephora fine. They have vital interpretations and perspectives of big, imminent changes to data privacy regulation. Indeed, its going to look different at the turn of the year. This is when the California Privacy Rights Act — a beefed up version of the California Consumer Privacy Act — takes effect. And when this happens so too will the abolishment of the 30-day cure period given to businesses accused of violating the law. No cure period means the California Attorney General’s office can go straight to enforcement action. The Sephora fine was a reminder to marketers of what that means.

“The reality of a CEO calling you about a call they just received from a regulator is now very real for marketers,” said Ian Cohen, CEO of data privacy tech company LOKKER. “The idea that just because you can collect a bunch of data doesn’t mean you should is rigning true with a lot more marketers now. It’s not business as usual for a lot of marketers now.”

To be fair, marketers have always taken privacy seriously. In hindsight, maybe not as seriously as they could have. The reams of audits, policy shifts and data partnerships done over the last several years say as much. Even so, there’s more effort to do what is ethically right, not just legally possible — especially when enforcement actions from regulators come with public campaigns that position them as a champion of the consumer. It packs an extra punch. 

“Some marketers are looking at the data they use to ensure it has been responsibly gathered, with adequate transparency and control for consumers,” said Tom Chavez, CEO of data control business Ketch. “They’re updating contracts with vendors, but more importantly, are using systems and infrastructure that protect privacy and enforce the permissions people place on their individual data.”

What once yielded a monetized asset for advertisers has now turned into a privacy liability. In this way, data privacy is like ESG in so far as advertisers must report not just their own policies, but the policies of their vendors. No mean feat for the marketers who still focus their dollars and operational decisions on a channel or platform as the common denominator for their decisioning, not on individuals or audiences. 

Yes, they’ve got better at locking up personal data but many marketers continue with practices that are potentially no longer compliant. They largely have neither the knowledge nor understanding of how a patchwork of state and regional data privacy laws translates to practices on collecting digital identifiers on their owned and operated digital properties. As Dan Larden, head of U.K. at digital media consultancy Digital, explained: “We’ve seen a lot of non-compliant practices on large brand websites, where data collection is happening without the consent of the user for example.”

But the audit trail for marketers doesn’t stop there (remember, this is advertising). The third-party services marketers plug directly into their own sites, also use third parties, and these become fourth parties to a company. These fourth parties use other software, and these become fifth parties to a company, and so on. It’s a chain that can go over 20 layers deep, so the oversharing grows exponentially.

“Marketers aren’t just thinking about auditing the tags and third-parties on their own sites, they’re also starting to audit how other companies are collecting and using that data,” said Gabrielle Robitaille, senior digital policy manager at the World Federation of Advertisers. “They’re auditing third-parties. But in fairness it’s something that’s slowly gaining traction.”

It’s safe to say, though, that these sorts of audits will pick up. Turns out that getting a better view on the provenance of data is just the start of a much longer process. it’s just as important to know whether to hold on to that data too.

“If you’re drinking from your own data lake, you want to know that it’s safe to drink. The problem is that in digital advertisingg, tthat data comes from a thousand sources, and flows through many others before it gets to you. Its provenance quickly gets lost,” said Jamie Barnard, CEO of privacy compliance platform Compliant. “While the consent management platform is a vital tool, it is not the silver bullet — consent does not equal compliance.”

There aren’t many silver linings to be found. Marketers are going to make tough decisions, often that contradict their own long-held views of how personalized advertising works. All while hitting quarterly numbers in a downturn. But one welcome casualty should be a closer gap between data privacy plans that straddle the line between best practice and legal requirement better. What comes next should be a healthier focus on consumer protection in an age of online media.

More in Marketing

The era of the in-depth brand and gaming creator partnership has arrived

To reach gamers outside of video games, brands have moved beyond one-off activations based on specific intellectual properties toward more fully integrated programs that span across all aspects of a creator’s community and fandom.

Companies seem determined to make everything a retail media network. How did we get here?

Brands are leveraging retail media to push the boundaries of where and how we can shop. How did we get here?

Sifting through ‘the noise’: AI tools for HR are evolving fast – here’s how to catch up

Like with all emerging tech, sorting the useful from the useless, is critical and time-consuming.