The New Privacy Landscape

September 2023 Update

Alison Goldberg AUTHOR: Alison Goldberg
Sep 21, 2023
6 Min Read

“Privacy is a substantial digital priority.” My colleague Ally Duffey Cubilette wrote these powerful words in February 2023, and since she put digital pen to paper, the privacy landscape has evolved at lightning speed.

Every single privacy change will impact arts marketers’ work. Hard stop. The old ways of collecting and using data are fading, and new processes will emerge. If you want your marketing strategies to be effective and legally compliant, you’ll need to update your data practices and remain flexible as things continue to change.

Why am I so interested in privacy? Well, it’s imperative in our digital landscape. I also lead CI’s Privacy Committee to stay at the forefront of these discussions. The committee monitors the latest news about data privacy, investigates new tools that might help our clients, and brainstorms content that will help shepherd arts organizations through this work—just like the blog post you are reading now.

This update is time-stamped in September 2023. We’ll be releasing regular updates to keep you ahead of the curve.

So, let’s dive into the wonderful world of privacy updates.

Another  Apple iOS Update

Previous Apple iOS releases have impacted arts marketers mainly by limiting our tracking and measurement abilities. Well, Apple may be at it again. With the iOS17 update this fall, Apple is introducing Link Tracking Protection, which would remove user-identifiable tracking parameters from links when clicked.

  • What does this mean for you?
  • Don’t panic just yet! This explicitly targets tracking parameters that ad platforms append to URLs to identify specific users. This feature is available for those using Private Browsing Mode within Safari; currently, a relatively small portion of the market share and links are clicked within the Mail and Messages apps.
  • Our current understanding is that UTM parameters will remain intact, so we do not expect to see an impact on our ability to track website traffic.

Privacy Laws and Lawsuits Across the U.S.

We started 2023 with privacy laws going into effect for Virginia and Utah, joining California. Colorado’s privacy law went into effect this summer, while other states—Connecticut, Delaware, Montana, Oregon, and Texas—passed privacy laws starting in the next couple of years. This trend will continue state-by-state for a while before a unified federal privacy law is eventually passed.

What does this mean for you?
  • Disclaimer here before we dive in: we are not lawyers and are not giving legal advice. We encourage you to speak to your legal counsel about which piece(s) of legislation might apply to your organization.
  • Different states will have different requirements, limitations, and exemptions. These laws can help guide what should be included in your privacy policy and how you ought to handle your users’ data. Most, but not all, of this legislation derives its jurisdiction from where the user is rather than the organization. So, if you have users in a particular state, you could be subject to these rules even if you are based elsewhere. Some states offer exemptions for non-profits, some do not.

On the national front, recent lawsuits brought by the Federal Trade Commission (FTC) against digital healthcare companies Betterhelp and GoodRX resulted in millions of dollars in fines. These companies shared personal health information with Meta, Google, and other third parties. As arts organizations, we are not collecting this type of sensitive personal data from audiences. However, it is still a good idea to review what pieces of data you collect on your website and whether you are using all the data you collect, like birthdays. This is also where privacy policies come into play – make sure yours is up to date with the data you collect and how it may be used.

Google and Meta Updates

Apple’s changes over the past few years have impacted Meta and Google’s abilities to track and report results as they had before. Combined with increased privacy regulations, these digital advertising behemoths have been forcibly encouraged to move away from how they have been collecting data and find new ways to report results for advertisers.

Update #1: Hashed Data

There is pressure from governments and consumers to improve the security of the personal data being passed from websites back to advertising platforms. The new method – hashed data – moves away from third-party pixels and cookies, and Meta and Google say it is more privacy-secure.

  • Step 1: A user (likely having consented to your privacy policy by using your website, as is still common practice in the U.S.) provides some personally identifiable information, like an email address, while purchasing on your site.
  • Step 2: This data is run through an algorithm that hashes it into a string of numbers and letters with no discernable pattern. This string is sent to Meta/Google, and they use their algorithm to see if there is a match in their system so they can then attribute a conversion back to an ad.
  • Important Note: With this method, you choose what personally identifiable data is sent to these platforms, and it is typically only an encrypted email address.

Update #2: Modeled Conversions

Using this same hashed data mentioned above, the platforms’ modeled conversion algorithms can provide an educated estimate of other conversions attributed to ads on their platforms even when specific data is not sent or not matched.

Both Google and Meta require you to agree to additional data processing terms – another important reason to look at your privacy policy and ensure it accurately represents how you collect and handle users’ data.

  • Enhanced Conversions: This is Google’s version of a hash-data-informed modeled conversions algorithm. We’ve been running tests on Enhanced Conversions with clients. The setup is possible via Google Tag Manager and some setting changes in Google Ads.
  • Advanced Matching: This is Meta’s version of a hash-data-informed conversions algorithm. The more robust option, Meta’s Conversions API (CAPI), requires a more technical setup. Partner integrations are available for certain eCommerce vendors to make this setup easier or can be configured manually via Google Cloud or Amazon Web Services.

As these methods have been introduced, Capacity Interactive has been actively setting up and testing these enhancements to conversion tracking for exploratory clients.

What’s Next on the Privacy Horizon?

As I mentioned before, these changes will impact your daily work. It’s essential to prepare for current and upcoming changes—here’s how you can do it:

  1. Create an internal committee. Just like we’ve done at CI, create an internal working group across departments that interact with digital data to ensure you are all on the same page regarding your approach to managing users’ personal data and what the impact of those decisions might be.
  2. Consult legal counsel. This will help you better understand which regulations you may be subject to.
    Review your privacy policy. Ensuring the policy accurately reflects how you handle users’ data is crucial.
  3. Review your privacy policy. Ensuring the policy accurately reflects how you handle users’ data is crucial.
  4. Incorporate enhanced conversions. Interested? Reach out to us (or your CI consulting team) to help determine if you are eligible. We will release more information about implementing CAPI in the coming months.