Privacy Regulations Reshape How Companies Handle Personal Data

The commercial use of personal data has served as a gold mine for businesses, turning personal data into customer insights, market predictions and personalised services. The landscape is quickly changing though, making the unfettered use of personal data increasingly risky.

Growing consumer mistrust and regulatory action are fueling these shifts. Consumers are opting out of third-party tracking, enabled by browser restrictions on cookies and mobile operating systems changes that provide choice on limiting app tracking. In parallel, a mix of new privacy regulations, enforcement actions and new government-led digital infrastructure plays are reshaping the backend infrastructure of personal data sharing.

New standards and technologies that enable data empowerment and consent-based collection and use of data are emerging, ones that respect privacy, engender trust and can unlock new types of data — if implemented effectively.

This article examines how regulatory changes are limiting the use of personal data, the challenges in getting consent right and how new consent-based data collection and sharing solutions are reshaping the market infrastructure for personal data.

Operationalising Data Collection and Consent

For businesses, operationalising consent for the collection, use and disclosure of personal data is admittedly tricky. Obtaining informed consent with sufficient transparency and control can help build trust among consumers, but at the risk of having an overly cumbersome experience. Conversely, not providing sufficient information and control can result in potential regulatory fines and reputational risks.

Getting the right balance of consent and control is becoming increasingly important. IDC predicts that by 2025, half of customers will screen out companies based on privacy policy transparency and quality.

In the wrong hands, sharing your location data can hurt consumers. Data can be used to infer LGBTQ+ identification, whether a person visited an abortion clinic or frequently visits medical facilities. This data can be sold to a third party who may expose an individual to potential discrimination, physical violence, or emotional distress.

Regulatory Fines and Enforcement Actions

In the US, regulatory enforcement actions have been focused on curtailing the backend infrastructure of sharing personal data between companies, which traditionally relied on an opaque network of data brokers.

Several significant enforcement actions were taken:

• January 9, 2024: The second largest US location data broker was prohibited by the FTC from selling and sharing location data — the first-ever ban on the use and sale of sensitive location data in the US.
• January 18, 2024: Another data aggregator was prohibited from selling precise location data to settle FTC charges.
• February 22, 2024: A popular antivirus firm was banned from selling browsing data by the FTC, after it sold re-identifiable browsing data to advertising firms despite claiming its product would block online tracking.
• February 28, 2024: U.S. President Biden announced plans for an executive order barring data brokers from selling U.S. citizens’ sensitive personal data to entities in adversarial countries.

These actions highlight three strategic shifts: unfettered access to personal data is going away; contractual clauses alone are not sufficient; and the backend infrastructure used in advertising is being forced to change.

New Data Privacy Regulation is Accelerating

By end 2024, Gartner predicts 75% of the world’s population will have its personal data under modern privacy regulation, up from 25% in 2021. Companies’ privacy spending have more than doubled over the past five years.

In Asia, new personal data protection laws have been implemented in India, Indonesia, Vietnam, Thailand and Sri Lanka — a 25% increase in data privacy laws in the region.

In the US, the American Privacy Rights Act (APRA) aims to provide Americans enforceable data privacy rights through a single national framework.

Regulators Are Funding and Co-creating New Digital Infrastructure

Within the EU, regulators are advocating, funding and piloting new digital infrastructure which relies on decentralised technologies. The European Blockchain Services Infrastructure (EBSI) leverages new decentralised identity technologies which enable greater trust, privacy and user control.

Additionally, common European data spaces are emerging across industries: health, agriculture, media, mobility, energy, and public administration.

Looking Forward

The adtech industry is seeing major shifts. The use of third-party data is slowly being phased out. Government funding and co-creation of new digital infrastructure is being created, encouraging data empowerment and trust.

Three Key Takeaways

• Keep less data. Regulations pushing for data minimisation make this more of a reality. Where personal data is needed, consider alternative identity solutions which enable customers to have greater control.
• Give meaningful choice about privacy. Replace the “I agree” button with real choices. Be more transparent about data collection practices and enable individuals to have a say in what data is collected.
• Experiment with new technologies that engender trust, respect privacy and empower individuals to own their data. Invest in capabilities that enable individuals to discover, collect, store, share and unlock value from their data.