Meta began the year with another fine from European Union privacy regulators. They ruled that “contractual necessity” was not enough to justify collecting users’ data to deliver personalized ads under the terms of GDPR. To be compliant, the company would have to ask users to specifically opt in to behavioural ads. Meta plans to appeal the ruling.
But the latest ruling highlighting the importance of privacy protection also presents a real conundrum for brands. Even if they are compliant with privacy regulations through their own gathering of customer data, in order to reach a target audience, they might have to do so with platforms that aren’t being as mindful.
“If the brand is keeping their personally identifiable and sensitive data secure, has done their due diligence in vendor review, then the biggest impact would be reputational,” Robin LeGassicke, managing director of digital at Cairns Oneil, says of working with a non-compliant platform. “If there is a breach or if they are found to not be in compliance with regulatory requirements, brands that are associated with these platforms can feel the ripple effect of the negative reputational impact.”
LeGassicke says that, first and foremost, brands need to make sure their own house is in order. They should take steps to protect their customers’ personally identifiable information, be transparent about their data practices and ensure that they have obtained proper consent from individuals before they collect and use personal data.
To protect themselves and their clients, she says it is important for businesses to also regularly review and update their privacy policies and consent management processes to ensure compliance with the latest laws, regulations and rulings that clarify what is and is not compliant. LeGassicke also cautions that a brand’s privacy policies and data policies should be reviewed by a lawyer or privacy officer, but so should those from platforms, vendors and publishers that they work with.
When it comes to how compliant companies are being, LeGassicke says a risk assessment should be done when thinking of using a new platform. There are ways to marry data points that are secure, compliant and carry less risk. Clean rooms would be a good example of how brands and publishers can bring data together to leverage for marketing purposes with very little risk of breaching privacy regulations through the sharing of information.
Meta is not the only large digital media company to come under scrutiny, as Google, Amazon and TikTok are among those that have caught the attention of regulators in different jurisdictions for failing to adequately protect user data and obtain proper consent in the last three years. But brands are also being scrutinized on their data practices: in September, Sephora was the first brand to be fined under the California Consumer Privacy Act.
LeGassicke says the industry has a collective responsibility to educate consumers about how data is shared and used.
“We are making progress here. More and more brands and publishers are using plain language, providing opt ins and opt out beyond what’s legally required, and only keep data on hand that is needed to provide a better overall customer experience.”