Data Protection Trends: What GDPR and other regulations mean for 2019 and beyond

As we journey through the opening months of 2019, the effects of 2018 on privacy continue to play a significant role. This is perhaps most apparent in the introduction of new laws and regulations to provide consumers with greater control over how their personal data is collected and used.

While the enforcement of the EU’s General Data Protection Regulation (GDPR) was in the spotlight throughout most of 2018, behind the scenes GDPR was also responsible for influencing a massive wave of privacy updates and regulations across the globe.

Working towards GDPR compliance has been a focus for many businesses and advertisers over the last year. But GDPR is far from the only data protection regulation that affects how the ad tech ecosystem operates.

Here’s a brief overview of some of the recent data protection and privacy regulations that have been introduced, and where they are similar and different from GDPR.

Privacy Is Spreading

ePrivacy Regulation (Europe)

Commonly confused with the ePrivacy Directive, the ePrivacy Regulation focuses on rules for advertisers accessing a user’s electronic device. Like it’s predecessor the ePrivacy Directive, which is sometimes referred to as the “cookie law,” the draft of the ePrivacy Regulation would require that users provide consent before a company can access their device, which includes the reading and writing of cookies. Over the last several years, internet users in Europe may have noticed the “cookie banners” that are featured when they visit websites. The ePrivacy Regulation would extend this requirement, and will likely align with some of the requirements in the GDPR. For example the GDPR’s requirement that consent be a freely given, specific, informed and unambiguous indication of the user’s wishes expressed via a clear affirmative action.

California Consumer Privacy Act

California has also been one of the few states to be on the forefront of privacy regulations and has introduced its own data protection law. Though not nearly as comprehensive as the GDPR to which it is sometimes compared, the law has some similarity to the European data protection law, holding businesses that operate in California accountable for how they collect, share and secure consumer personal information. The law empowers consumers, by giving them additional insight into what information is being collected and with which companies that data is “sold” to.

In its current form, the laws will apply to companies that collect personal information about California residents, regardless of where they are located. Businesses that operate in California will be held accountable for misuse of consumer data and can face significant fines or lawsuits for data breaches.

While the new privacy law won’t go into effect until 2020, California has made it clear they intend to further enhance consumer protections concerning how personal information is used and may introduce new laws as the consumer privacy landscape evolves.

Vermont Privacy Law

Following in California’s footsteps, the state of Vermont has also worked to introduce a pro-privacy law that covers  what companies can and cannot do with user data. Most notably, this new law aims to provide further transparency for consumers on what data is being collected and how it is used as well as the ability to opt out of certain data collection practices.

Under the proposed law, businesses must register with the state of Vermont and give consumers the option of opting out of data collection, and may be  held accountable for security breaches in which personal data is affected. Given the stakes of non-compliance, this new law should encourage businesses operating in Vermont to enhance their n  security practices and to protect personal data.

Canadian and Australian Privacy Laws

Other countries such as Canada and Australia have also followed suit in updating their consumer privacy laws in ways that are similar to the GDPR.

For example, Canada has worked to improve the Personal Information Protection and Electronic Documents Act (PIPEDA) by making user consent and transparency a top priority, „Organizations covered by (PIPEDA) must obtain an individual’s consent when they collect, use or disclose that individual’s personal information.

The Canadian law includes ten fair information principles that Canadian businesses must follow including accountability, consent, accuracy, safeguards, and more. Though it differs from the GDPR, Canadian privacy law does provide consumers with more control over how their information may be used and helps to establish Canada as a leader in consumer data regulation.

As is the case when processing the personal data of EU residents, companies that operate in Canada should also work to comply with Canadian privacy law.

The Australian Privacy Act (APA)

Introduced in 1988, the APA has also seen some newly proposed changes and additions to the law that has been protecting Australian consumers for over two decades.

The APA consists of thirteen key privacy principles that provide Australian consumers with specific rights, and includes additional transparency requirements that organizations in Australia must follow when they collect, store, and share data. Like other consumer privacy-related laws, the APA aims to enhance consumer trust with regard to the collection of information, and establishes rules for accountability.

The Australian Privacy Act applies ”to businesses that are incorporated in Australia. It also applies to companies outside Australia if they collect personal information from, or hold personal information in, Australia and carry on a business in Australia (s 5B of the Privacy Act.” The APA is similar to GDPR in that it also establishes requirements focused on accountability and privacy by default.

What the privacy wave means for U.S based businesses

With so many new consumer privacy laws and regulations being introduced, it can be a challenge to determine if your business is operating within the rules and regulations of applicable consumer privacy laws. However, as the privacy wave continues to spread and regulations are enforced more consistently, prioritizing compliance is a good way to to avoid penalties and fines.

While considering GDPR compliance requirements is a great start, there are many more consumer privacy laws and regulations that your organization should invest time in understanding in markets where it does business.

2018 was likely only a preview of what is to come concerning privacy laws and regulations, as the pendulum swings swiftly toward improved transparency and data protection. US based businesses and advertisers would be wise to double down on their investment to understanding these new regulations and being at the forefront of transparency and compliance.


To learn more about how Quantcast is supporting our customers and partners in adapting to the changing legislative landscape, check out more information on Quantcast Choice here.