# Privacy Rules (The Laws With Teeth)

## The Big One: GDPR

Data handling across the European Union changed significantly when the **General Data Protection Regulation (GDPR)** went into force on May 25, 2018.

Any business that processes the data of EU citizens is subject to GDPR, regardless of where that business is located. It covers:
- All personal information, including name, email, IP address, cookie IDs, device IDs, and pretty much everything else
- Data held both digitally and offline

### Important Guidelines

**1. Valid Reason for Processing**

Processing personal data requires a valid legal justification (a "lawful basis"). The main options are:
- **Consent** (expressly agreed to by the user)
- **Contract** (necessary to provide a service the user asked for)
- **Legal obligation** (as mandated by law)
- **Legitimate business interest** (weighed against user rights)

Consent is typically the only legitimate basis for advertising. No user information should be used without express consent.

Consent must be freely given; the user cannot be coerced into it.

Cookie banners that say "By using this site you agree to cookies" are not a GDPR-compliant form of consent.

**2. The Right of Access**

Users can ask to see all of the personal information you hold about them. You have thirty days to supply it.

**3. The Right to Be Forgotten**

Users may request that you delete their data. Unless you have a valid reason to keep it, you have to comply.

**4. Data Portability**

Customers can request their data in a machine-readable format and take it to a competitor.

**5. Privacy by Design**

Systems must be designed with privacy in mind from the start, not have it bolted on after the fact.

 **6. Notification of Data Breach**

 If there is a breach, you have to alert the authorities and the impacted users within 72 hours.

### **AdTech Impact**

Several common practices were crippled by GDPR:
- Cookie walls (requiring users to accept cookies in order to view content) - declared unlawful
- Pre-checked consent boxes - not legitimate consent
- Bundled consent (accept everything or nothing) - no longer allowed; consent must be granular
- Vague privacy policies - must now be precise and unambiguous

## California's Version of the GDPR

On January 1, 2020, the **California Consumer Privacy Act (CCPA)** took effect. In 2023, the **California Privacy Rights Act (CPRA)** amended and strengthened it.

### **What It Covers**

Applies to for-profit businesses that process the data of California residents and that:
- Have annual gross revenue > $25 million, OR
- Buy/sell personal info of 100,000+ California consumers, OR
- Derive 50%+ of revenue from selling personal data

 ### **Key Rights**

 **1. Right to Know**

 What personal information is collected, used, shared, or sold.

 **2. Right to Delete**

 Request deletion of personal information (with some exceptions).

 **3. Right to Opt-Out**

 Opt out of the "sale" or "sharing" of personal information.

 CCPA defines "sale" broadly—even giving data to third parties for targeted ads counts as a "sale."

 **4. Right to Non-Discrimination**

 Companies can't penalize you for exercising privacy rights (can't charge more, deny service, etc.).

 **5. Right to Limit Use of Sensitive Data (CPRA)**

 Sensitive personal information includes race, health data, biometrics, sexual orientation, precise location.  Users can limit how it's used.

 ### **The "Do Not Sell My Personal Information" Link**

CCPA requires a visible link on websites: "Do Not Sell or Share My Personal Information".

Clicking it should stop the sale/sharing of your data. Many companies implemented this as "turn off all cookies", which breaks the site. Not the spirit of the law, but technically compliant.

 ### **Impact on AdTech**

 CCPA forced companies to:
- Implement opt-out mechanisms
- Track what data is sold/shared
- Honor deletion requests
- Maintain records of data processing

 Many companies just applied CCPA protections to all US users (not just California) because it's easier than geo-targeting by state.

 ## Other US State Privacy Laws

 After California, the floodgates opened.  As of 2025, states with comprehensive privacy laws include:

- **Virginia (VCDPA)** - Effective 2023
- **Colorado (CPA)** - Effective 2023
- **Connecticut (CTDPA)** - Effective 2023
- **Utah (UCPA)** - Effective 2023
- **Iowa, Montana, Oregon, Tennessee, Texas** - Effective 2024-2025

Each has slight differences, but they're converging on similar requirements:
- Right to access, delete, correct
- Opt-out of targeted advertising
- Data protection assessments
- Sensitive data restrictions

 The patchwork of state laws is a compliance nightmare.  Many companies are lobbying for federal legislation to preempt state laws, but Congress hasn't acted yet.

 ## COPPA (Protecting Kids)

 **Children's Online Privacy Protection Act (COPPA)** has been around since 1998, but enforcement ramped up in the 2010s.

 ### **What It Covers**

 Websites and apps directed at children under 13, or that knowingly collect data from kids under 13.

 ### **Requirements**

 - **Verifiable parental consent** before collecting data from kids
- Clear privacy policies
- No conditioning participation on providing more data than necessary
- Reasonable security measures

 ### **The Problem**

 Many apps/sites just say "you must be 13+ to use this" and call it a day.  Kids lie about their age.  Problem solved?  Nope.

 ### **Impact on AdTech**

Any platform with kids needs:
- Age verification mechanisms
- No behavioral advertising to kids
- Limited data collection
- Parental consent flows

Google and YouTube now apply COPPA rules to all content marked "made for kids", which means:
- No personalized ads
- No cookies
- Limited data collection
- Lower ad revenue

 ## PECR (Europe's Cookie Law)

 **Privacy and Electronic Communications Regulations (PECR)** is a UK/EU law that specifically addresses cookies and tracking.

 ### **Key Rule**

 Before setting non-essential cookies, you must:
1. Tell users what cookies you're setting
2. Explain what they do
3. Get consent

 **Essential cookies** (session management, security) don't need consent.

**Analytics, advertising, tracking cookies** absolutely do.
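The PECR opt-in rule above and the CCPA "Do Not Sell or Share" link from the California section are two different gates on the same cookie catalogue, and the difference is easy to get wrong (as the "turn off all cookies" implementations show). The following is an added example written for this page, not code from any real consent-management product: an in-memory consent gate where essential cookies never need consent, non-essential cookies are blocked until an explicit click opts in (implied consent such as "continued browsing" is refused), and the CCPA opt-out stops only the cookies flagged as sale/sharing while leaving the site's session and analytics cookies alone. The cookie names, categories and the `sale` flag are constructed for the example.

```javascript
// Added example: a minimal consent gate modelling the PECR/GDPR opt-in rule for
// non-essential cookies and the CCPA "Do Not Sell or Share" opt-out. Illustrative
// code written for this page; the catalogue below is constructed, not a real site's.

const CATEGORY = Object.freeze({
  ESSENTIAL: 'essential',     // session, security, CSRF: no consent needed (PECR)
  ANALYTICS: 'analytics',     // non-essential: needs affirmative opt-in
  ADVERTISING: 'advertising', // non-essential AND counts as "sale/sharing" under CCPA
});

// Constructed catalogue of cookies a site might set (names are hypothetical).
const COOKIE_CATALOGUE = {
  sessionid: { category: CATEGORY.ESSENTIAL, sale: false },
  csrftoken: { category: CATEGORY.ESSENTIAL, sale: false },
  _site_analytics: { category: CATEGORY.ANALYTICS, sale: false },
  _ad_pixel: { category: CATEGORY.ADVERTISING, sale: true },
};

class ConsentState {
  constructor() {
    // GDPR/PECR: nothing non-essential is allowed until the user opts in.
    // A pre-checked box or "by using this site you agree" banner must never flip these.
    this.optIn = { [CATEGORY.ANALYTICS]: false, [CATEGORY.ADVERTISING]: false };
    // CCPA: "Do Not Sell or Share" is an opt-out, so sale is permitted until the user clicks.
    this.doNotSell = false;
  }

  // Record a granular user choice. `source` documents how consent was gathered;
  // anything other than an explicit click (scrolling, continued use) is rejected.
  grant(category, source) {
    if (!(category in this.optIn)) throw new Error(`cannot grant consent for ${category}`);
    if (source !== 'explicit-click') {
      throw new Error(`consent via "${source}" is not affirmative consent; ignored`);
    }
    this.optIn[category] = true;
  }

  withdraw(category) {
    if (category in this.optIn) this.optIn[category] = false;
  }

  // Handler for the "Do Not Sell or Share My Personal Information" link.
  optOutOfSale() { this.doNotSell = true; }
}

// Decide whether a single cookie may be set under the current consent state.
function isCookieAllowed(name, consent) {
  const entry = COOKIE_CATALOGUE[name];
  if (!entry) return false;                               // unknown cookies: deny by default
  if (entry.category === CATEGORY.ESSENTIAL) return true; // PECR: essential needs no consent
  if (entry.sale && consent.doNotSell) return false;      // CCPA opt-out blocks sale/sharing only
  return consent.optIn[entry.category] === true;          // PECR/GDPR opt-in for the rest
}

// Simulated cookie jar standing in for document.cookie; returns the names actually set.
function setCookies(names, consent) {
  const jar = new Map();
  for (const name of names) {
    if (isCookieAllowed(name, consent)) jar.set(name, 'value');
  }
  return [...jar.keys()];
}

// Walk one user through the states a site sees and report what got set at each step.
function demo() {
  const names = Object.keys(COOKIE_CATALOGUE);
  const consent = new ConsentState();
  const beforeConsent = setCookies(names, consent);   // only the essentials

  consent.grant(CATEGORY.ANALYTICS, 'explicit-click');
  consent.grant(CATEGORY.ADVERTISING, 'explicit-click');
  const afterOptIn = setCookies(names, consent);      // everything

  consent.optOutOfSale();                              // CCPA link clicked
  const afterDoNotSell = setCookies(names, consent);  // everything except the sale cookie

  // Implied consent must be refused rather than silently recorded.
  let impliedRejected = false;
  try { new ConsentState().grant(CATEGORY.ANALYTICS, 'continued-browsing'); }
  catch (e) { impliedRejected = true; }

  return { beforeConsent, afterOptIn, afterDoNotSell, impliedRejected };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of splitting `category` from the `sale` flag is that the two laws gate different things: PECR/GDPR asks "is this cookie essential, and if not, did the user opt in?", while CCPA asks "does setting this cookie amount to selling or sharing data?". Keeping both decisions in `isCookieAllowed` means the "Do Not Sell" click disables the advertising pixel without touching the session cookie that keeps the site working.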

 ### **Why This Matters**

 This is why every European website has a cookie banner.  PECR + GDPR combo means you need affirmative consent before dropping tracking pixels.

 ### **Enforcement**

 Fines are smaller than GDPR, but PECR violations can escalate to GDPR violations if you're processing personal data without a lawful basis.

 ## Other Global Regulations (Brief Overview)

 **Brazil - LGPD (Lei Geral de Proteção de Dados)**
- Similar to GDPR
- Effective 2020
- Fines up to 2% of revenue (max R$50 million)

 **China - PIPL (Personal Information Protection Law)**
- Effective 2021
- Strict rules on cross-border data transfers
- Requires explicit consent for sensitive data

**Canada - PIPEDA (Personal Information Protection and Electronic Documents Act)**
- Federal law; some provinces have their own
- Right to access and correct data
- Consent required for collection/use

 **Japan - APPI (Act on the Protection of Personal Information)**
- Revised 2020
- Consent for third-party transfers
- Cross-border transfer restrictions

**India - Draft Digital Personal Data Protection Bill**
- Still being finalized as of 2025
- Expected to be GDPR-like

The global trend is toward more privacy regulation, not less: consent requirements, data minimization, user rights.

 ## The Future: More Regulation, Not Less

Expect:
- Federal US privacy law (eventually)
- More states passing their own laws (in the meantime)
- Stricter enforcement globally
- New categories of protected data (biometrics, AI training data)
- Restrictions on AI/algorithmic decision-making

 The days of "collect everything, figure out what to do with it later" are over.

 Privacy is the new normal. Adapt or get fined into oblivion.

