Maciej Zawadziński: The topic of online privacy is broadly discussed on both sides of the Atlantic. But do the US and the EU understand this notion in the same way?
Cory Underwood, Platform Engineer at Search Discovery:From a legal standpoint, they don’t. The definitions of personal data differ not only between the US and the EU, but also between states. The American legal structure centers around “notice and consent”, and privacy isn’t a core right granted to us by our Constitution in the same style as in the EU. We have the right to avoid illegal searches by the government, but if we’re giving data to a company, that exchange often doesn’t enjoy the same legal protections, except where elsewhere defined in law.
America is also divided in what to do about that, as we lack a federal privacy law. Some states such as California have passed very progressive privacy laws, while others, like Utah, have adopted laws that are very weak. It’s not clear to me which level of standard may ultimately become the baseline for a federal effort.
I think there’s a concern around advertising and data collection in Europe for international brands. It feels like many of the recent decisions involving GDPR leave no chance for brands to comply, as the issue is between the US and EU governments and not between a specific brand and the EU.
Cory Underwood
Maciej Zawadziński: A lot has happened in the fields of privacy and MarTech in the EU since summer 2021: the invalidation of Privacy Shield , noyb’s complaints, rulings by DPAs against Google Analytics, record GDPR fines, and more. All this was quite the talk in the EU – how is this news being received by the marketing community in the US?
Cory Underwood:It makes a lot of headlines for the media in the States as well. As for how much this drives compliance, that varies between companies. In the US, businesses are more interested in how the changes in privacy laws in Europe and elsewhere affect the larger ecosystem for data collection. Especially how they lead to things like app tracking transparency, mail tracking protection, and the new Google Play store policies around advertising.
I think there’s a concern around advertising and data collection in Europe for international brands. It feels like many of the recent decisions involving GDPR leave no chance for brands to comply, as the issue is between the US and EU governments and not between a specific brand and the EU.
You might also like:
Is Google Analytics GDPR-compliant? [UPDATE]
Maciej Zawadziński: Big Tech companies such as Google or Meta are under constant legal and media fire in the EU for their monopolistic tendencies and compliance issues. How does the situation look in the US?
Cory Underwood:Google, Meta and others are currently facing antitrust investigations by multiple states. The discussions here are more around monopolistic issues rather than compliance. The USA doesn’t have federal privacy standards. Unless it’s a special category of data, such as children’s data or health, or specific kinds of data defined at a state level, theBig Tech companies can avoid a lot of the compliance issues domestically.
Maciej Zawadziński: Some Big Tech companies try to evade fines by implementing new technical features in their products. Recently Google added a reject all button to consent forms on YouTube. What other technical changes can we expect in their products that aim to address compliance issues?
Cory Underwood:I think we’ll start seeing more operating system changes, as we’ve seen in iOS and Android. I also suspect the Internet of Things, such as smart speakers, will likely face a lockdown in the next few years. This technology is one of the remaining forms that haven’t been evaluated in terms of privacy to date. We’re already starting to see that with the movement of processing the speech to on-device.
We’re also not done yet on the browser front. The Internet Engineering Task Force has advised thatcookie handling will likely get worse before it gets better, and have modified recommendations regarding cookie lifetime to be capped at a recommended 400 days. This means there will be no more tracking users for years just because you happened to place a cookie on their browser at some point in the past decade.
I’m very skeptical about a federal data protection law this year, and depending on how the midterm elections go in the States, we may not get one in the next two years. There’s a very real possibility that the US winds up in a “patchwork” law scenario, where most of the states have different privacy laws in place.
Cory Underwood
Maciej Zawadziński: Is there any chance that the US will introduce a federal data protection law in the near future? If so, what would such a law look like? Would it resemble the GDPR in any way?
Cory Underwood:I’m very skeptical about a federal data protection law this year, and depending on how the midterm elections go in the States, we may not get one in the next two years. There’s a very real possibility that the US winds up in a “patchwork” law scenario, where most of the states have different privacy laws in place, in the same way the US insurance industry developed. It’s a direction I’d very much like to avoid. However, I just can’t see Congress concentrating on this until next year at the earliest. Even if they were to prioritize it, I’m skeptical we’d get agreement on something as strict as the California law.
Cory Underwood, Platform Engineer at Search Discovery
With over 15 years of experience in optimization, analytics and web development, Cory works with clients to help them understand the impact of privacy regulations and technical changes to their marketing tech stacks. He also advises them as to potential changes that need to be made.
Cory’s blog focuses on A/B testing, personalization, privacy, and analytics. His mission is to keep the larger analytics community informed of technical changes imposed by outside forces that could impact their implementations and reporting. You can regularly find him engaging with the community on these topics in the Measure.chat.
