Privacy Laws for Marketing Agencies
How to handle the new Privacy Laws Worldwide
In marketing, data is the lifeblood that makes things work. However, the changing landscape of privacy laws such as GDPR in Europe and CCPA in California means you can’t just collect data willy-nilly; you have to do so in a way that is also compliant.
With that in mind, let's touch on how to practically make them work when doing digital marketing with pixels and similar tracking tools. We’ll take the two most significant laws as an example of how these laws are being applied in 2024.
The Privacy Laws
1. GDPR (General Data Protection Regulation) – Europe
GDPR is one of the strictest privacy regulations globally, applying to any company that processes the personal data of EU residents, regardless of where the company is based. Its requirements are:
- Consent: Under GDPR, you must obtain explicit opt-in consent before collecting any personal data through cookies or tracking tools. The consent also has to be granular, split into Necessary, Marketing, Analytics and Functional cookies/tracking.
- Applies to: Facebook Pixel, Google Analytics, and any other tools that collect or process personal data (IP addresses, device IDs, etc.).
- Rights: Users have the right to access, correct, delete, and restrict the use of their data. You must give users the ability to withdraw their consent at any time.
2. CCPA (California Consumer Privacy Act) – California, USA
CCPA is California’s version of the GDPR, applying to anyone collecting data from consumers in the state, though only if they meet any of the following thresholds:
- Collect data for more than 50,000 California Residents
- Get 50% of revenue from selling data
- Have $25m or more in revenue
As for the tracking itself:
- Opt-Out Requirement: Unlike GDPR, CCPA doesn’t require explicit opt-in consent. However, you must allow users to opt out of the sale of their personal data.
- Applies to: Sending data to Facebook Ads? That counts as a “sale”, for some reason. Same with GA4 and similar tools. Therefore, CCPA applies.
- "Do Not Sell My Personal Information": This feature allows people to opt out of data “sales” to third parties. For tracking purposes, this lets people stop you from tracking them, since the tracking itself counts as a “sale”.
How to Implement Privacy Compliance: A GTM & Facebook Ads example
So let's take an example. Let's assume you’re running some Facebook Ads and using Google Tag Manager (GTM). Let's go step by step through setting up compliance in that scenario.
Step 1: Implement Cookie Consent Banners
The easiest way to ensure compliance is by using a cookie consent banner. There are a lot of tools for that; Google even keeps its own list. After choosing the tool, it's just a matter of making sure each law is implemented properly:
- GDPR (Europe): You need a granular opt-in consent banner. Users should be able to selectively enable or disable categories of cookies (e.g., necessary, analytics, marketing) before you start tracking them.
- Necessary: Always enabled; essential for website functionality. User consent isn't needed.
- Analytics: Allows tracking of user behavior, such as page views. Think Google Analytics.
- Marketing: For retargeting or personalized ads, such as Facebook Pixel.
- Functional: A catch-all for anything else that doesn't fit the categories above.
- CCPA (California): A simpler consent banner is good enough, offering users the ability to opt out of tracking or data sharing.
Step 2: Integrate Consent into Google Tag Manager (GTM)
In GTM proper, to ensure compliance:
- Configure consent triggers in GTM
- Use Google’s Consent Mode to respect user consent choices for analytics and marketing
- Make the tags for Facebook Pixel and such fire only after consent is obtained
Step 3: Update Your Privacy Policy
Under all of the laws, your privacy policy needs to explain how you collect, use, and share personal data. It has to specifically include:
- Explain cookies: Detail what cookies you use (analytics, marketing), what data they collect, and how the user can control or withdraw consent.
- Third-party data sharing: Clearly state which third parties (e.g., Facebook, Google) you share data with and why (e.g., for retargeting ads).
- User rights: Inform users how they can access, correct, or delete their personal data, and how they can withdraw consent for tracking.
There are plenty of options for producing something like this, such as Rocket Lawyer and Termly, so build it out there and put it on your site.
Step 4: Provide Data Deletion, Opt-Out and Request Mechanisms
Under most of these laws, a user must be able to opt out of the tracking, or to request that any data be deleted or provided to them directly.
Opting out is rather simple, as a toggle on the website to stop collecting can be enough. But requests for deletion or provision of data are more complicated. Having a system in place (emails, forms) to receive any request is a starting point. After that, preparing your own side of the request and contacting the right service providers would do the job. For example, if someone requests that you delete their data, which is in your Shopify store and on Facebook Ads, you could delete their data in the Shopify store and send a request to Facebook that they do the same (Link Here).
It should be noted that this will be fairly rare, but still necessary to be compliant with the established laws. So best to make sure that it's there.
How this applies to Marketing Agencies
Now with the hows out of the way, does this apply in any way to marketing agencies? The simple answer is Yes, kind of.
For GDPR, the agency is a “Data Processor”, which more or less means that the data is handled for a client and doesn’t belong to the agency. With that in mind, the agency’s responsibilities are to ensure that they:
- Collect data only on the basis of clear written instructions from the clients
- Help the client fulfil any data request (deletion, provision, etc.)
For CCPA, things are similar. A marketing agency under CCPA is a “service provider”, which similarly means that you can only use the data in accordance with what the client ordered. Likewise, the agency must abide by any client requests. Thankfully, the CCPA thresholds ($25m revenue, 50,000 California customers, 50% of revenue from selling data) apply to the client, not the agency. So on that point, the agency is good to go!
Conclusion
And that's it! Laws are fairly tedious, but quite manageable with some work. Speaking frankly, the GDPR is clearly the hardest of the bunch, making digital marketing in Europe kind of… crappy. CCPA isn’t a slouch either, but it's somewhat more limited to larger companies. It also doesn’t have the harsh opt-in requirements that Europe has.
Agencies, when it comes to these laws, are generally responsible strictly for the things that are in the data processing contracts with the clients. So all in all, they’re pretty safe for most concerns.