Let me try to sum up what happened with Cambridge Analytica as we now can better understand it in hindsight. In March of 2018, news broke that the personal data of 87 million Facebook users was exposed to a political consulting firm based out of London known as Cambridge Analytica. This personal data was mined with a quiz app that used a loophole in the Facebook API to collect information from its 270,000 app downloaders along with all of those users’ friends.
As outlined by the New York Times team, Facebook “routinely allows researchers to have access to user data for academic purposes — and users consent to this access when they create a Facebook account,” as described in the Facebook Service Agreement (that most people don’t read but agree to without knowing what’s in it). So the first part, the ‘data mining’ was technically legal but the selling and transferring that data to advertisers (or a monetization-related service) was not.
Doesn’t all of that feel like it happened 100 years ago? Guess what? It hasn’t even been one!
Two critical things happened after that: regular (non-tech and non-advertising industry) people realized that Terms of Service Agreements are way too complicated as companies began to understand just how legally and reputationally liable they are when the personal data of users isn’t properly handled. For the rest of the year, companies and their digital agencies tried to untangle laws, internal privacy policies and processes relating to first-party data. Oh, but the year had barely begun — and there was much much more to follow.
April 2018: Congressional Hearings
Because of Facebook’s role in these events, CEO Mark Zuckerberg had to explain his company’s privacy policies, data handling procedures, and business practices to Congress. As a former Facebook employee told the New York Times, “The people whose job is to protect the user are always fighting an uphill battle against the people whose job it is to make money for the company.”
Imagine trying to explain TikTok to your grandparents and you’re close to envisioning how the hearings went down. The members of Congress asked questions like “How does Facebook make money?” and “Is Twitter the same as what you do?”
As marketers, we immediately recognized that our government understood data privacy far less than they should and that collectively, we should be investing in more technology to regulate ourselves and protect our clients. Facebook also required us to take action on behalf of clients by tightening up the way first-party data was used on its platform in the weeks following Facebook’s Congressional hearings.
At this point, the year wasn’t even halfway over and the US government had already exposed shortcomings in its data privacy laws, not to mention lawmakers’ general lack of understanding around the digital economy and how it operates. Following the endless national news cycle about the Congressional hearings and Facebook’s procedure changes, deciphering our clients’ privacy policies led to some very late nights. Interestingly enough, an EU law all about protecting people’s online privacy was due for implementation and was already being hailed as the new industry standard for such legislation.
May 2018: General Data Protection Regulation
GDPR, a law aimed to give individuals more control over their data and how its used by digital companies, was signed into law in April of 2016 but wouldn’t be implemented until May 2018. This gap of time was then used by companies located in the European Union to update their websites and data handling practices in order to comply with the GDPR’s strict requirements by its implementation in May 2018.
With the Cambridge Analytica scandal fresh in mind, and even though the regulation was only legally valid in the EU, every company that had any global online presence readied itself to comply with the GDPR. The implementation of regulatory standards was so widespread in the global marketplace that the actual phenomenon is now known as The Brussels Effect.
In fact, the US will spend $42 billion to comply with GDPR even though they technically don’t need to do since it’s not a US law. But that number seems paltry compared to the 200 billion pounds that EU companies will be spending.
Those companies were right to invest and comply with the new data regulations since the GDPR allows lawmakers to penalize companies up to 4% of the company’s global revenue for any violations to GDPR. Since agencies support global companies, our very own tech and legal teams had to work late nights navigating how they would implement the tech solutions that GDPR required and how the language of each contract would have to be updated to comply.
September 2018: ITP2.0
In September of 2018, Apple released an update to Intelligent Tracking Prevention (ITP) across the Safari browser. Apple is well-known for its strict regulations about data privacy, so the change certainly made sense given the global news cycle’s hyperfocus on data privacy practices. ITP allowed Apple phones and computers to further block tracking cookies to better protect users’ privacy which, of course, directly affected companies like Google and Facebook whose advertisers rely on third-party tracking. Note that we can still track that traffic, though less reliably, using UTM parameters.
To find out more, read our more in-depth ITP POV here.
Nevertheless, this was a massive adjustment for the main players in the advertising ecosystem, and we had to be ready and quickly find a turnkey solution for our clients.
While last year was a complete tornado from start to finish, hopefully, this year will be less stressful now that we know the direction our industry is heading as it relates to user privacy and data security practices.
We anticipate that this hyper-focus on data privacy and larger consumer behavior trends will evolve in 2019 as companies become financially liable for any lack of data security with the threat of facing a swift public backlash caused by any missteps. Along this same line of thought, we anticipate 2019 to be the year where potential governmental oversight begins to enter the digital economy.
As advertisers, we’ll continue to do our jobs in finding efficiencies and serving valuable and helpful content to the right audiences while also heavily investing in more technology and resources that keep user privacy top of mind.