Privacy Laws for Marketers: A Quick Guide on How to Make It Work
As a marketer, data is your goldmine. It helps you understand customer behavior, track performance, and optimize campaigns. However, the changing landscape of privacy laws such as GDPR in Europe, CCPA in California, CPPA in Canada and Australia's Privacy Act means you need to ensure your data collection practices are also compliant.
With that in mind, let's go through the various laws and talk practically about how to make them work when doing digital marketing with pixels and similar tracking tools.
The Privacy Laws
GDPR (General Data Protection Regulation) – Europe
GDPR is one of the strictest privacy regulations globally, applying to any company that processes the personal data of EU residents, regardless of where the company is based. The requirements are:
- Consent: Under GDPR, you must obtain explicit opt-in consent before collecting any personal data through cookies or tracking tools. The consent also has to be granular, with separate Necessary, Marketing, Analytics and Functional cookie/tracking categories.
- Applies to: Facebook Pixel, Google Analytics, and any other tools that collect or process personal data (IP addresses, device IDs, etc.).
- Rights: Users have the right to access, correct, delete, and restrict the use of their data. You must give users the ability to withdraw their consent at any time.
CCPA (California Consumer Privacy Act) – California, USA
CCPA is California’s version of the GDPR. It applies to anyone collecting data from consumers in the state, but only if they meet at least one of the following thresholds:
- Collect data on more than 50,000 California residents
- Get 50% of their revenue from selling data
- Have $25m or more in revenue
As for the tracking itself:
- Opt-Out Requirement: Unlike GDPR, CCPA doesn’t require explicit opt-in consent. However, you must allow users to opt out of the sale of their personal data.
- Applies to: Sending data to Facebook Ads? That counts as a “sale”, for some reason. The same goes for GA4 and similar tools, so the CCPA applies.
- "Do Not Sell My Personal Information": This feature lets people opt out of data “sales” to third parties. For tracking purposes, it lets people stop you from tracking them, since the tracking counts as a “sale”.
CPPA (Consumer Privacy Protection Act) – Canada
The CPPA, part of Canada's Digital Charter Implementation Act, requires the following:
- Consent Requirement: Similar to GDPR, CPPA requires explicit opt-in consent for the collection of personal data, albeit not necessarily in a granular manner, unlike GDPR.
- Applies to: Facebook Ads and tracking tools like Google Analytics that process personal data of Canadian users.
- Transparency: You must clearly disclose how and why you’re collecting personal data and ensure you have consent.
Australia's Privacy Act
The Privacy Act governs how businesses collect and handle the personal data of Australians, including marketers using online tracking.
- Consent for Sensitive Data: For general data collection, implied consent may be enough, but explicit consent is required for sensitive data (e.g., financial information). So there is no need for a cookie banner for pixels and similar tracking.
- Cross-Border Data: If you're sending personal data outside Australia, ensure the recipient follows similar privacy protection standards.
How to Implement Privacy Compliance: A GTM & Facebook Ads example
So let's take an example. Let's assume you’re running Facebook Ads and using GTM. With that in mind:
Step 1: Implement Cookie Consent Banners
The easiest way to ensure compliance is a cookie consent banner. There are plenty of tools for that; Google even keeps its own list. After choosing a tool, it's just a matter of making sure each law is handled properly:
- GDPR (Europe): You need a granular opt-in consent banner. Users should be able to selectively enable or disable categories of cookies (e.g., necessary, analytics, marketing) before you start tracking them:
  - Necessary: Always enabled; essential for website functionality. User consent isn't needed.
  - Analytics: Allows tracking of user behavior, such as page views. Think Google Analytics.
  - Marketing: For retargeting or personalized ads, such as the Facebook Pixel.
  - Functional: A catch-all category for anything that doesn't fit the other three.
- CCPA (California): A simpler consent banner is good enough, offering users the ability to opt out of tracking or data sharing. Include a “Do Not Sell My Personal Information” link to allow California residents to stop data sharing with third parties (e.g., Facebook) and you're good to go.
- Canada (CPPA): Similar to CCPA, you’ll need a consent banner, but it doesn’t really have to be granular like in Europe. It also doesn’t need the extra “Do Not Sell My Personal Information” link.
- Australia (Privacy Act): In most cases, implied consent can be obtained with a banner informing users about data collection, and that's it.
Step 2: Integrate Consent into Google Tag Manager (GTM)
In GTM proper, to ensure compliance:
- Configure consent triggers in GTM
- Use Google’s Consent Mode so your tags respect the user's consent choices for analytics and marketing
- Make the Facebook Pixel and GA4 tags fire only after consent is obtained
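Here is what the banner categories from Step 1 and the GTM wiring from Step 2 look like as Google Consent Mode commands. This is an added example, not code from the original post: the gtag() shim is Google's standard one, while the region lists, the category-to-signal mapping, the tag requirements and the simplified resolver are assumptions made for illustration.

```javascript
// Added example, not code from the post: Step 1's banner categories and Step 2's
// GTM Consent Mode wiring, plus a small resolver showing which tags may fire.
// gtag() is Google's standard shim; region lists, mapping and resolver are assumed.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); } // arguments objects are iterable
const DENIED = { ad_storage: 'denied', ad_user_data: 'denied',
                 ad_personalization: 'denied', analytics_storage: 'denied' };
const GRANTED = Object.fromEntries(Object.keys(DENIED).map(k => [k, 'granted']));
// Opt-in jurisdictions (GDPR in the EU/EEA, CPPA in Canada), ISO 3166-2 codes.
const OPT_IN = ['AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE','IT',
                'LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE','IS','LI','NO','CA'];

// Must run before the GTM container snippet loads, otherwise tags can fire
// before the visitor has made a choice.
function setConsentDefaults() {
  gtag('consent', 'default', { ...DENIED, region: OPT_IN, wait_for_update: 500 });
  gtag('consent', 'default', GRANTED); // opt-out jurisdictions (CCPA) and Australia
}

// Map the banner categories onto Consent Mode signals. "Necessary" has no
// toggle, so security_storage is always granted.
function consentFromBanner(choices) {
  const sig = v => (v ? 'granted' : 'denied');
  return {
    analytics_storage: sig(choices.analytics),
    ad_storage: sig(choices.marketing), ad_user_data: sig(choices.marketing),
    ad_personalization: sig(choices.marketing),
    functionality_storage: sig(choices.functional), security_storage: 'granted',
  };
}
function updateConsent(choices) { gtag('consent', 'update', consentFromBanner(choices)); }

// Simplified model of Consent Mode resolution for a visitor's region:
// region-specific defaults beat the global default, updates beat both.
function effectiveConsent(region) {
  const base = {}, regional = {}, update = {};
  for (const [cmd, action, params] of dataLayer) {
    if (cmd !== 'consent') continue;
    const { region: regions, wait_for_update, ...signals } = params;
    if (action === 'update') Object.assign(update, signals);
    else if (!regions) Object.assign(base, signals);
    else if (regions.includes(region)) Object.assign(regional, signals);
  }
  return { ...base, ...regional, ...update };
}

// GTM's built-in consent checks apply the same rule declaratively per tag.
const TAG_NEEDS = { facebook_pixel: 'ad_storage', ga4: 'analytics_storage' };
function canFire(tag, region) { return effectiveConsent(region)[TAG_NEEDS[tag]] === 'granted'; }
```

The two default commands belong on the page above the GTM container snippet; the banner's save handler calls updateConsent() with the categories the visitor picked.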
Step 3: Update Your Privacy Policy
Under all of the laws, your privacy policy needs to explain how you collect, use, and share personal data. It has to specifically include:
- Explain cookies: Detail what cookies you use (analytics, marketing), what data they collect, and how the user can control or withdraw consent.
- Third-party data sharing: Clearly state which third parties (e.g., Facebook, Google) you share data with and why (e.g., for retargeting ads).
- User rights: Inform users how they can access, correct, or delete their personal data, and how they can withdraw consent for tracking.
Step 4: Provide Data Deletion, Opt-Out and Request Mechanisms
Under most of these laws, it must be possible for a user to request to opt out of the tracking, or to have any data deleted or provided to them directly.
Opting out is rather simple: a toggle on the website that stops collection can be enough. Requests for deletion or provision of data are more complicated. Having a system in place (emails, forms) to receive any request is a starting point. After that, handling your own side of the request and contacting the right service providers does the job. For example, if someone requests that you delete their data, and it sits in your Shopify store and on Facebook Ads, you could delete it in Shopify and send a request to Facebook to do the same (Link Here).
It should be noted that such requests will be fairly rare, but handling them is still necessary to be compliant with these laws, so it's best to make sure the mechanism is there.
Conclusion
And that's it! Laws are fairly tedious, but quite manageable with some work. Speaking frankly, the GDPR is clearly the hardest of the bunch, making digital marketing in Europe kind of… crappy. CCPA isn’t a slouch either, but it's somewhat more limited to larger companies. It also doesn’t have the harsh opt-in requirements that Europe has.
All in all, it's best to follow the law of course, but ideally some improvements will be made to the laws in the future to make digital marketing somewhat better. And then, hopefully, this will be easier than it is now.