W2O Privacy and Data Protection Brief: 07.17.19

Privacy and data protection regulations impact the work of every advertising, marketing and PR communications professional around the globe, and the focus on privacy by consumers and regulators continues to increase. W2O’s team is tracking the most important news and changes that directly influence our industry, including the latest on legislation, new privacy technology, enforcement actions, analysis and thought leadership in privacy and data protection.

Here’s the news we’re paying attention to right now.

1. GDPR Fines Rolling In

The UK’s data privacy authority, the Information Commissioner’s Office (ICO), has announced its intention to fine Marriott $123MM and British Airways $230MM – about 1.5% of their respective annual revenues, and the largest penalties yet under the General Data Protection Regulation (GDPR). Both fines relate to data breaches and poor data security. Some observers feel these fines may presage further punitive actions by regulators, particularly targeting Facebook and Google.

Main Takeaway – Brands and marketers that haven’t engaged a data privacy program along with IT security need to take action. GDPR in particular, and US regulation coming soon such as CCPA, impact both security and privacy. A transparent and robust data privacy and protection program not only reduces the impact of breaches (and the potential for fines), but also builds trust and engagement with audiences.

2. Some CCPA Amendments Passed, Some Defeated

Rushing against a mandatory deadline, California Senate committee members voted on several amendments to the California Consumer Privacy Act (CCPA), which comes into effect January 2020. One of the more contentious bills, 1416, which would have provided exceptions to allow businesses to sell personal data to third parties and allow data transfer to government entities, was withdrawn. Bill 25, which would have provided an exemption for employers related to job data, was amended to require employers to tell employees the types of information collected, and not the detailed data itself. Bill 873, which the tech industry supported and which would have changed the definitions of personal information, essentially exempting IP address and browser fingerprinting, failed to pass.

Main Takeaway – All US businesses should be paying close attention to CCPA developments, especially marketing and communications teams, and ad technology vendors. While the guidance from the attorney general isn’t expected until at least September, brands should be taking action now to prepare.

3. ICO Guidance on Cookies Released

For websites that target EU-based persons, the UK’s data protection authority, the ICO, has released detailed guidance on the use of cookies and similar web tracking technologies (including device fingerprinting) as they relate to GDPR. Some of the highlights include that tracking cannot occur until opt-in consent is given, analytics cookies such as Google Analytics and Adobe Analytics are not considered strictly necessary and must be opt-in, and that emphasizing an “agree” or “allow all” mechanism over a reject or block message – often called nudging – is considered non-compliant.

Main Takeaway – The guidance provided by the ICO is highly detailed, and any operator of a website aimed at EU-located persons, or any company tracking and collecting digital data on them, should review it in its entirety. There is direct guidance on providing users with clear and comprehensive choices, how to set cookie expiries, and responsibilities for cookies set by third parties on a website, such as Facebook.

* The opinions expressed in this post do not constitute or represent legal advice. No liability is accepted by the authors or W2O Group for any action taken or not taken based on the information or any associated communications.

If you’re interested in learning about W2O, check out our About and Analytics pages.

Want to chat? Drop us a line.

Dan Linton