In the late 1990s, the recognition of the internet’s commercial potential marked a significant shift into the era of digital analytics. This transition not only reshaped approaches to data but also underscored the importance of privacy as a crucial element of modern analytics.
Brian Clifton, a renowned digital analytics and privacy expert, takes a trip down memory lane to present the history of digital analytics. Our video series comprehensively explores the history, technologies, and mindsets surrounding the analytics industry. The first part was dedicated to the origins of web analytics tools.
In the second part, Brian focuses on the growing significance of privacy in data collection and analysis. He also sheds light on the introduction of GDPR and its pivotal role in increasing privacy compliance. You can watch the four episodes of our series in the corresponding sections of this article.
The early days of data-driven analytics
The expansion of digital marketing in the late 1990s led to the rapid development of analytics, which enabled marketers to measure campaign effectiveness. Initially, analytics focused on basic metrics, such as page views and session durations, but with the advancement of tracking technologies, organizations recognized the value of data in shaping business strategies and driving growth. However, despite this evolution, few paid any attention to data privacy and its ethical implications.
“I was at university in the 1990s, when the web was just coming of age. At that time, it was still very much an academic and noncommercial place. However, I was blown away by its commercial potential.”
Brian Clifton, Digital analytics and privacy expert
The rising importance of privacy and ethics in the analytics industry
The growing significance of privacy was initially met with skepticism by the analytics industry. However, it gained increasing attention from the general public after, among other events, Edward Snowden’s revelations on government mass surveillance, the Cambridge Analytica/Facebook commercial scandal, and the enactment of GDPR.
GDPR – the first big change
The General Data Protection Regulation (GDPR), prepared by the European Commission, entered into force on May 25, 2018. The regulation marked a significant advancement in data privacy, establishing a new gold standard for data protection laws. One of its many provisions states that companies must have a legal basis to store and process users’ personal data.
In Europe, privacy has been treated as a fundamental right since the 1950s with the adoption of the European Convention on Human Rights. The idea behind GDPR was to update these protections for the digital age, giving individuals full control over their data. It also strengthened and unified the data collection processes within the European Union.
GDPR also introduced several key principles:
- Data protection authorities (DPAs) make binding decisions and issue administrative sanctions, including fines.
- Users can object to data processing that is based on the controller’s interests or the public interest.
- DPAs and data subjects need to be notified about data breaches.
After GDPR went into effect, reactions varied widely across industries. Many organizations faced significant challenges adapting to the strict requirements imposed by the regulation. Some companies started to rebuild their data management practices to ensure compliance, while others faced hefty fines for not following the new rules.
Read our latest study, conducted six years after the introduction of GDPR, to learn how EU companies are leveraging privacy laws – Harmonizing marketing and privacy: How EU organizations are developing their compliant digital marketing strategies.
We ran a survey among 1,800 CEOs and marketing executives from 27 European countries, with the majority of respondents coming from Germany, France, Denmark, the Netherlands, and Sweden, to find out how they were balancing GDPR compliance and effective marketing.
Differences between approaches to privacy compliance in Europe and the US
The implementation of GDPR triggered a “domino effect,” with other countries/regions adopting similar privacy frameworks. These new data privacy laws significantly impact businesses locally and globally, necessitating that companies adapt to varying regulatory requirements. It also underscored fundamental discrepancies between privacy compliance in Europe and the US.
“Europe went through two World Wars and was the epicenter of the Cold War. That legacy means Europeans today have quite a different perspective on our personal privacy than perhaps other parts of the world. For Europeans, the right of privacy has become a fundamental human right.”
Brian Clifton, Digital analytics and privacy expert
The primary difference lies in the comprehensiveness and universality of the two approaches. GDPR sets a uniform standard for data privacy across all member countries, treating data protection as a fundamental right. This holistic approach contrasts with the US’s fragmented system, where data privacy is governed by state-level legislation and sector-specific regulations like HIPAA for healthcare, GLBA for financial institutions, and FISMA for federal agencies.
The EU’s philosophy is also deeply rooted in historical contexts that emphasize protecting personal information against misuse, reflecting a cultural commitment to individual privacy. The US has traditionally prioritized the commercial use of data, trying to incorporate a business perspective within its regulatory frameworks. The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), were the first steps towards stronger data protection in the US and came into effect on January 1, 2020.
Another significant milestone in executing privacy compliance in the US happened on July 10, 2023, when the European Commission adopted the Data Privacy Framework. This framework introduces stricter limitations on data collection by US businesses, a development that has far-reaching implications for international data transfers. It also allows these businesses to commit to privacy responsibilities, including deleting unneeded personal data, safeguarding data shared with third parties, and adhering to data minimization principles, purpose limitation, and proportionality.
However, the Data Privacy Framework has come in for its share of criticism. It is thought to inadequately protect non-US residents, as it falls short of European privacy standards due to unchanged US surveillance laws like FISA 702 and EO 12.333. This critique raises concerns about the framework’s ability to ensure equivalent protection for personal data in the US, as questioned by the European Data Protection Board (EDPB) and the European Parliament.
Read more about the EU-US data transfers in our article: Everything you need to know about the Data Privacy Framework (Privacy Shield 2.0)
As debates over EU-US data transfers continue, companies are taking a proactive approach and considering alternative data handling strategies, such as data anonymization or EU-based solutions, reassuring customers about their capacity to adapt to the evolving privacy regulations.
Privacy becomes a cornerstone of digital trust
The evolution of privacy awareness, from consumer ignorance to caution, was accelerated by various data scandals and leaks that exposed the risks. Customers are more wary because they have started to understand the consequences of improper data collection and exploitation. This has also led to greater scrutiny of how companies handle personal data.
92.1% of respondents from our study believe that companies must respect individuals’ online privacy. In 2023, it was 90%, and in 2022, only 71.2%. Only 2.4% of this year’s survey participants take the opposite view.
For most organizations, privacy compliance is a box-ticking exercise. Only a few are progressive enough to see that privacy is integral to brand integrity and consumer trust. Responsible data usage is essential in retaining consumer trust, as mishandling data can negatively impact brand reputation.
However, a balance must be struck between safeguarding consumer data rights and enabling data-driven decision-making processes, which are crucial for an organization to survive.
The primary factor driving companies’ compliance is building trust with consumers (69.5%), which has increased by almost 4% compared to the previous survey. Other motivators for all countries include company values (52.0%) and legal obligations (39.7%). Only 15.6% of respondents mentioned the risk of fines – an almost 3% increase from 2023.
“In the 21st century, consumer trust has taken on a new digital form. Customers now want to have confidence that data is being harvested responsibly and that they have a level of control over its collection. Data protection and privacy is the new frontier for brands.”
Brian Clifton, Digital analytics and privacy expert
Best practices for privacy compliance
Despite GDPR and the Data Privacy Framework, there is still confusion regarding best practices for achieving compliance, with many organizations struggling to obtain explicit user consent and ensure transparent data collection practices. This discrepancy is primarily evident to data auditors navigating the complex data privacy landscape. Often, data tracking persists even in the face of user rejection, underscoring the need for enhanced transparency and accountability in data collection.
Here are some of the best practices for organizations that can help increase their compliance.
Knowledge of legal frameworks
Developing a deeper understanding of legal frameworks includes investing in education and training programs, engaging closely with legal counsel specialized in relevant laws, and staying updated on regulatory changes. This is the job of a Data Protection Officer (DPO). By prioritizing these steps, organizations can navigate the complexities of legal requirements effectively, ensuring compliance and safeguarding data protection and privacy in their operations.
Understanding data collection
Data teams need to understand the intricacies of data collection methods, destinations, and implications. This involves scrutinizing data flows across multiple platforms and assessing the necessity of each tool employed.
Cross-team cooperation
Analytics teams should collaborate closely with legal and compliance teams to ensure a cohesive approach to data governance. Such partnerships should prioritize transparency and risk mitigation.
Safe data storage and transfer
Companies that understand the geographical considerations of data storage and jurisdictional implications, particularly relevant in the context of European data protection laws, are gaining a competitive advantage. That’s why they should opt for European-based data hosting solutions to ensure compliance and mitigate risks associated with foreign jurisdictional control. The same goes for data transfers, especially between the EU and the US.
Implementation of privacy-compliant tools
Data teams should emphasize the importance of data minimization and consolidation, as less data equals reduced risk. By advocating for a strategic approach to tool selection and data collection, companies can avoid excessive data accumulation without a clear purpose or utility.
“From a privacy point of view, if you have sensitive data, or want to insulate your customers from becoming a product of ad tech vendors, consider working with an analytics platform that comes under EU data protection jurisdiction.”
Brian Clifton, Digital analytics and privacy expert
Supporting privacy consciousness in data analytics
Collaboration between legal, IT, and analytics teams is essential for navigating the complexities of data management and ultimately safeguarding individuals’ rights and privacy in an increasingly data-driven world. Piwik PRO is one of the privacy-conscious analytics vendors that strictly adhere to data protection regulations such as GDPR, the Data Privacy Framework, or CCPA while collecting valuable insights into user behavior.
Learn more about privacy laws and regulations:
- 17 new privacy laws around the world and how they’ll affect your analytics
- HIPAA, marketing and advertising: How to run compliant campaigns in healthcare
- What is the new UK Data Protection and Digital Information Bill and how it will impact your marketing and analytics
- TTDSG – how to make sure your analytics complies with the German law
- DMA and DSA – how these new laws influence online business
This is the second article based on the video series with Brian Clifton.
In the third, we’ll discuss how to overcome the everyday challenges of working with data.