It’s not always obvious, but consumer data plays an essential role in your agency’s marketing strategies. Agencies need to be aware of the implications privacy laws can have on you and on your clients as you develop your next strategy recommendation or campaign idea.

In 2023, four new states adopted statutes protecting the use and collection of consumer data, and several more states are poised to do the same in coming years.

Additionally, the Association of National Advertisers (“ANA”) and the American Association of Advertising Agencies (“AAAA”), and several other advertising agencies joined a coalition supporting proposed federal legislation that would standardize privacy laws and regulations across the country.

Here are the major regulation updates with some recommendations about how you can improve your agency’s data privacy practices – and advise your clients on data privacy issues when they’re relevant to your work with them.

1. The Big Players (GDPR + CCPA)
   • In some previous summaries and content here, we’ve laid out that the GDPR and the CCPA are the “gold standard” of privacy regulations. These statutes, designed to protect the privacy of consumers, dictate the collection and processing of consumer data. Currently, these are the main regulatory schemes that dictate your data processing. And there’s a lot of confusion about what they mean for your work, and the agency’s responsibility for compliance.

2. When do data privacy rules apply to the agency or our work?
   • Many agency owners are unsure as to whether privacy laws apply to them, especially in situations where they are not European or Californian residents and their clients’ markets aren’t necessarily, either. However, the key factor in applying data privacy laws is that laws are triggered by the consumer’s residence, not the agency’s and not the client’s. This means that if you (or your client) are gathering data about individuals in California or Scotland, these laws apply to you.
   • Due to the expansiveness of the internet and the lack of complete control you have over data collection (especially when a client drops its email list or CRM into your lap), it is safest to assume that these laws always apply to you when you are handling data. It’s equally safe (and the best risk avoidance strategy for the agency) to assume that your client isn’t entirely sure of the sources of its data and whether all parties opted in properly to the client’s lists and databases.

3. Updates in data privacy law
   • This year, four U.S. states adopted new privacy-related laws that you should be aware of. You will notice a lot of overlap between these states, which is good news for any modifications you may need to make to your privacy practices.

• • • • For consumers in the state of Virginia, data processors and collectors must:
        • Allow consumers to opt out of data gathering, provide a privacy notice when data will be collected, have data processing agreements in place you’re your processors, and honor consumer requests for data deletions
      • For consumers in the state of California, data processors and collectors must:
        • Allow consumers to opt-out of data collection, honor requests for data deletions, establish a data retention period, and allow limitations in processing of data.
      • For consumers in the state of Colorado, data processors and collectors must:
        • Allow consumers to opt-out of data collection, provide privacy notices when data will be collected, conduct data protection impact assessments when there is a risk to consumers, and honor consumer requests for deletion.
      • For consumers in the state of Connecticut, data processors and collectors must:
        • Allow consumers to opt-out of data collection, collect the minimum amount of data needed for the purpose it is being collected, provide privacy notices when data will be collected, and conduct data protection assessments where processing may pose a risk to consumers.
      • For consumers in the state of Utah, data processors and collectors must:
        • Allow consumers to opt-out of data collection, have processing agreements in place, provide privacy notices when data will be collected, and honor consumer requests for deletion.

Montana, Iowa, Tennessee, Texas, will have new laws coming into effect in the next couple years, and other states have laws that are sitting in the pipeline.

4. Proposed Federal Legislation backed by the AAAA and ANA
   • One of the biggest challenges to complying with data privacy rules is that the U.S. is a complete state-by-state patchwork of laws at this moment – making it more confusing, more expensive, and time consuming to launch a compliant marketing campaign.
   • So much so that in a rare display of cooperation on policy, the AAAA (American Association of Advertising Agencies), ANA (Association of National Advertisers), IAB (Interactive Advertising Bureau), and NAI (Network Advertising Initiative), all have joined the “Privacy for America” coalition with the goal of developing comprehensive federal legislation regarding privacy laws.
   • The purpose of this legislation is primarily to protect the privacy of consumers while also providing clarity to agencies and brands alike so that the rules of processing and collection are clear and precise across the entire country.
   • Additionally, the coalition wants to prohibit certain data practices harmful to individuals, create a new FTC Data Protection Bureau, impose restrictions on data use for advertising, and require data protections to guard against data breaches.
   • Federal legislation could be beneficial in providing clarity, but it could also substantially impact the manner in which you collect, process, and use data as an agency. It will be essential for every agency owner to remain ahead of any important updates regarding these proposed federal privacy laws.

5. Artificial Intelligence
   • Due to the high levels of responsibility required of data processors and collectors, an additional complicator to data privacy compliance is the possibility of sharing data by feeding it into prompts to generative AI Platforms.
   • Given the lack of industry-wide privacy safeguards in most commonly used AI Platforms right now, the safest approach is avoidance of sharing any consumer information by feeding it into AI-generative technologies of any kind, even when consumer consent is provided. The frontier of Artificial Intelligence is too new to safely predict what the consequences may be for an agency’s use of consumer data in AI prompts. For the safety of your agency, your clients, and consumers at large, keep personal data out of AI-generative technologies for now.

6. What Do Agencies Do About All of This? Recommendations –
   • You may be asking yourself – as an agency owner, what can I be doing better to limit our liability with regards to the data our client provides or that we otherwise source?
   • Here are our top recommendations:
     • Stay informed. As laws continue to change and update, it is important that you know the nuances impacting you and your business.
     • Update your agreements. If you handle any amount of data, your Master Services Agreement, Independent Contractor Agreements, and Vendor Agreements should all have provisions determining the procedures and responsibilities of both parties for data use.
     • Use a data privacy addendum. If you regularly handle data or you have a particular engagement where you will be handling a large quantity of data, consider implementing a data privacy addendum that contains additional terms and protections for the agency regarding the delivery, storage, and use of the data.
     • Educate your staff. Data privacy is a complex topic, and it is important that your staff understands the seriousness of data usage. Provide them with regular educational resources and trainings as needed to ensure everyone is well-informed of their obligations.
     • Talk to your lawyer. As always, if you have questions or concerns, or if you have a specific situation, you need help with, talk to your lawyers! We are here to help you navigate the murky waters of data privacy.

Got questions about data privacy compliance for your agency’s next campaign? Contact us – we can help.