A close up of classified papers
A close up of classified papers
Back to all insights
Trends + Insights

The year of privacy

Guest Writer
Mar, 2024
6 mins

What do California, Texas, Florida, Oregon and Montana have in common? They all have consumer privacy regulations going into effect this year. In fact, California’s CPRA regulations are enforceable immediately after a court of appeals recently reversed a decision that set a later effective date.

Consumer privacy regulations are nothing new. GDPR went into effect in May 2018 for the EU, EEA and UK. Brazil’s LGPD became enforceable in August 2021. What is new is the speed of consumer privacy regulations spreading across the United States, and businesses primarily catering to U.S. audiences taking notice. They are right to take notice. Fines associated with the consumer privacy regulations going into effect this year start at $7,500 per violation.

At the end of 2023, approximately 5.4% of the U.S. population fell under consumer privacy regulations requiring explicit consent in Virginia, Colorado and Connecticut. By the end of 2024, approximately 27% to 34% of the U.S. population will fall under the explicit opt-in requirements of consumer privacy regulations. There are more states on the way. Tennessee, Iowa and Delaware have consumer privacy regulations going into effect in 2025.

Implied Consent vs. Explicit Consent and Why They Matter for Advertisers

Implied consent means a website visitor consents to the use of cookies and tracking technology through the continued use of a website. Implied consent was the standard until GDPR and largely remains the standard in the United States at the time of writing.

Explicit consent, on the other hand, means users must provide a clear signal of agreement before cookies and tracking technology are used. Virginia’s VCDPA defines consent as a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”

The concept of “unambiguous agreement” is not unique to Virginia’s VCDPA, and you can trace it back to GDPR. This “unambiguous agreement” most often materializes in the form of a banner when you first visit a website prompting you to accept all cookies, reject all cookies or manage your preferences. This banner is served via a consent management platform (CMP) that captures records of consent from users and determines which cookies and tracking technology are enabled – if at all.

Strictly Necessary Cookies and Challenges to Measurement and Attribution

“Strictly Necessary Cookies” are based on the user experience and not business needs. A load balancer script ensuring website reliability is an example of a strictly necessary cookie. Any cookie associated with a user logging in and staying logged in is an example of a strictly necessary cookie. Google Analytics 4 (GA4), Google Ads conversions, Floodlight tags and the Meta Pixel are all examples of nonessential cookies advertisers use for measurement and attribution.

In practice, advertising platforms will continue to report clicks to your website in full, but without consent for analytics cookies you will not be able to use Google Analytics 4 to quantify the users coming to your website, their website behavior or their conversions. Consumer privacy regulations requiring explicit consent will decrease measurable performance and obscure the conversion path for users from affected regions.

6 Tips for Succeeding in a Consent-Based Future

Though there may be nonprofit exemptions in certain privacy regulations and revenue thresholds in others, it’s important to remember every business and organization will have to comply with privacy regulations in most regions. The following tips are for further exploration and not legal advice.

  1. Work with a partner to implement a consent management platform (CMP) and privacy framework
    The key benefit of using a consent management platform like OneTrust is being compliant in the regions where you need to be compliant while fully leveraging your capabilities in regions without privacy regulations. This is done through configurable geotargeting rules in the platform.
  2. Estimate the impacts of privacy compliance
    Determine which regions underlying your media plan have or are soon to have privacy regulations requiring explicit consent. Estimate impacts to website traffic and conversions using assumed opt-in rates of 20%, 30% and 40%. Work with your agency partners to adapt your measurement strategy and model performance.
  3. Unlock Google Analytics 4 (GA4) modeled data
    As Google’s VP and GM for Ads Buying, Analytics and Measurement said, “The future is consented. It’s modeled. It’s first-party.” To that end, Google has a privacy framework called Google Consent Mode that you can use to unlock GA4 modeled data and conversions to compensate for data loss due to privacy compliance. Google Consent Mode is not a CMP, but you can integrate the Google Consent Mode framework with your CMP.

    In one example, we had been operating under the explicit consent requirements of GDPR. Integrating with Google Consent Mode and unlocking GA4 modeled data increased sessions from Western Europe by 564%.

    Virginia’s VCDPA regulations and compliance substantially affected us in another example. Virginia organic search sessions were down 53% year over year without GA4 modeled data. Using GA4 modeled data, the decline in year-over-year organic search session volume was limited to 19.2%.

  4. Expand and optimize the collection of first-party data
    There is a growing imperative for advertisers to own their data due to increasing privacy regulations and the eventual deprecation of the third-party cookie later this year. It is critical to capture consent alongside this first-party data that most often takes the form of an email address but could be a mobile phone number for SMS/MMS marketing. Email addresses and mobile phone numbers can both be used for engagement, retargeting, lookalike audience building and audience modeling.

    Remember, compliance with privacy regulations will obscure the conversion path for many users from affected regions but you can still capture email sign-ups, visitor guide requests and bookings. Advertisers should create opportunities for conversion and the exchange of information with consent. Maybe there’s a monthly newsletter, but there isn’t a local newsletter or a weddings newsletter. Maybe we see a resurgence in printed visitor guides purely for their conversion value. Maybe more destinations work with partners to create free and paid passes requiring an email address for activation. Now is the right time to think through expanded opportunities for first-party data collection and optimize what you’re doing already.

  5. Audit cookie usage and privacy compliance annually
    Privacy compliance is not set and forget. You should show continuous good faith effort to comply with privacy regulations. You would be in the upper echelon of advertisers if you audited cookie usage and privacy compliance annually, and even more so if you were to update your privacy policy after each audit.
  6. Watch out for vendor changes
    As stated earlier, all businesses and organizations must comply with regulations in some capacity and that includes your media and technology vendors. These vendors may not be transparent and forthright about changes to their platforms. You should ask vendors about their compliance efforts for upcoming privacy regulations and plan to audit performance through the lens of privacy regulation impacts at a regional level.