January 2020 marked the rollout of the California Consumer Privacy Act (CCPA), representing a first-of-its-kind U.S. data privacy regulation in terms of its firmness and financial risk for businesses. This milestone, along with that of surpassing a year and a half since the debut of the General Data Protection Regulation (GDPR), continues to point to a laudable increase in awareness around data privacy and related business practices. The norm has shifted away from companies burdening the individual rights of a user and toward greater transparency with how they collect and use consumer data. While GDPR has seen only a few violations make the news, we may see more and stricter enforcement of data privacy infringements in the U.S. with CCPA at the table.

With all the potential for penalties, a question lingers: How much do the latest data privacy regulations limit customer journey data that powers personalized online experiences? Brands and technology companies that engage in personalization, which is at the sharp end of data processing, have to be much more aware of what data is being collected and used, and where the uncrossable "creep line" is. Is it possible the demands of the latest data privacy regulations equate to an existential crisis for the personalization market?

What data privacy legislation means for brands that use personalization

How brands personalize customer experiences all begins with how and what data is collected. Companies collect data about their customers in three ways: asking them directly, tracking them indirectly and acquiring it from other companies. The last way is often referred to as third-party data. Some smaller companies have already been slapped with GDPR violations for collecting and disseminating third-party data, but fines have been light and sparse so far. With CCPA legislation now in place, enforcement may become more prevalent, forcing U.S. businesses to start relying more on first-party data, or information customers volunteer. Providers and platforms that play in the middle will have to be more transparent. In the short term, this can mean a loss of insight into customer behavior from third-party cookies and tracking, but in the long term, companies will strengthen their internal data and set themselves up for success by self-governing.

There are some big companies eager to be known for privacy and customer trust, and some have gone beyond complying with government legislation by introducing policies to show that their customers have more control over their personal information. Apple and Google are leaning into the privacy restrictions by dismantling completely or limiting the ability to use third-party tracking cookies in their browsers. This is another challenge for personalizing experiences online, as tools like cookies help companies optimize their marketing spend and deliver customers more relevant marketing messages. By eliminating third-party cookies altogether, we risk a lot of wasted time on the brand side and consumer side in having to potentially reestablish context with the brand each time they visit. That said, customers should also be able to navigate online privately if they wish to, which makes for quite a conundrum.

Consumers expect personalized experiences online

End users expect both privacy and personalized experiences. They want to be offered deals and products that someone with their profile would be interested in. A site you've visited before should know you are a returning customer and offer the latest relevant information based on your profile. This becomes tricky when navigating between privacy regulations and the familiarity that consumers have grown accustomed to from stores and sites they frequent online. Often, businesses don't clearly communicate with customers about not only what data is collected, but also what it will be used for. If the customer does not understand the process and purpose, this can further hamper the company's ability to comply with applicable laws. Furthermore, many brands are challenged with a lack of definition around the data points they collect and why. This means they are also challenged with an inability to scrap the data they don’t need, which would give greater visibility and create less exposure.

So, can personalization and data privacy coexist? To answer this question, we need to figure out whether it’s possible to achieve business goals without burdening the rights of a user while being fair and transparent. In order to process data, you need a lawful basis — consent and legitimate interest, as long as it doesn't burden the rights of a user and is transparent. When a consumer is browsing a site, there's not much time or desire to consent but companies still have a legitimate interest processing data for these purposes. Most companies now explicitly call "legitimate interest" out as the basis on which they process website behavioral data.

For businesses that rely on personalization, a lot of questions remain, but will data privacy mean an end to the entire personalization market? Likely not, as long as businesses that practice personalization evaluate key considerations: Is the concept of transparency being adhered to? What is the likelihood of data subjects complaining about how their data is used? How do we determine whether consent is informed? Have we confirmed where our data is coming from? Can we glean insights from a smaller amount of data?

With CCPA legislation here, the philosophical debate will continue. Any business with California customers (or the potential to have any such customers) has to be able to defend their compliance and balance the legal requirements with meeting consumer expectations for a modern online experience. GDPR paved the way with very strict data handling requirements. This just might mean running a very tight ship with data practices and tools that adhere to legislation and respect consumer’s data privacy and looking inward to inform business decisions.