
2024 Comes in Like a Lion

Mere hours ago, as we were bidding farewell to the year 2023, Utah’s data privacy law became enforceable. This is a single item in a chain of events that will force companies to adapt to the new world as we move into Q1 2024. Certainly this new year will force a re-evaluation of various key activities that take place in the online MarTech ecosystem. In this blog post, I highlight some of the key changes taking effect in the first quarter.

The 3rd Party Cookie Phase Out Begins

Next up will be Google’s phase-out of 3rd party cookies, beginning with 1% of Chrome users (roughly 30 million users) on January 4th. Google is encouraging organizations to adopt its Privacy Sandbox initiatives. The impact from this change will show in analytics and performance monitoring and may lead to some uncomfortable conversations with leadership when graphs and charts appear to be going in the wrong direction. Education activities for stakeholders are strongly advised to avoid very uncomfortable questions at reporting time.

It should be noted that while the phase out starts at 1%, it will rapidly increase and is expected to complete sometime in the 3rd quarter. Organizations which have failed to account for this shift in technology may find some website features and key marketing activities such as remarketing stop working. This effectively means if you were relying on such technology you must come up with a replacement process. If remarketing accounted for most of your marketing budget, a re-evaluation may be in order.

Apple Will Begin to Enforce Privacy Manifests

For those who have mobile applications on Apple’s App Store, it should be noted that Apple will begin automatic enforcement of privacy manifest files. They have also released a list of third party SDK requirements. Apps which use these SDKs have additional actions to take in app development as well as when submitting the app via App Store Connect.

Once automated enforcement begins, apps that are missing the required disclosures / manifest files will be blocked at submission. Organizations operating on the App Store are running low on time to ensure their software is compatible with the new requirements ahead of the Spring 2024 enforcement.

Google Gets Serious on Consent Mode

Organizations operating in the European Economic Area (EEA) should be aware of the Digital Markets Act. As part of this act, various ad publishers will impose new requirements to ensure they are compliant with the law. The Consent Mode changes are how Google is addressing compliance, and if you want to handle measurement and advertising in the EEA, Google will require the Consent Mode signal to be in place prior to March 2024.

Google is very clear that in order to continue benefiting from measurement, ad personalization and remarketing features, consent must be obtained (as is required by the ePrivacy Directive and GDPR). This includes data sent to services from Google Analytics and even extends to offline data such as offline conversion reports.

If you use MarTech services in the EU – you must complete the requirements prior to March, or you will begin to suffer data loss. This should not be a major lift for organizations already compliant with the ePrivacy Directive and GDPR, but it still requires explicit action on the part of the organization. This work may need to go through change management in some organizations so should be penciled in for work at the earliest opportunity to avoid disruption to operational efforts.

New Health Data Laws

The following is not legal advice and you should consult with counsel if you believe it may impact you.

Beginning on March 31st, 2024, the States of Nevada and Washington will begin enforcing their respective health privacy laws. These laws extend in scope beyond what is covered in HIPAA (Health Insurance Portability and Accountability Act) and may impact businesses not traditionally considered healthcare. Here’s an example of the data covered under Washington’s My Health My Data Act:

“Consumer health data” means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.

For the purposes of this definition, physical or mental health status includes, but is not limited to:

(i) Individual health conditions, treatment, diseases, or diagnosis;
(ii) Social, psychological, behavioral, and medical interventions;
(iii) Health-related surgeries or procedures;
(iv) Use or purchase of prescribed medication;
(v) Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection (8)(b);
(vi) Diagnoses or diagnostic testing, treatment, or medication;
(vii) Gender-affirming care information;
(viii) Reproductive or sexual health information;
(ix) Biometric data;
(x) Genetic data;
(xi) Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies;
(xii) Data that identifies a consumer seeking health care services; or
(xiii) Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described in (b)(i) through (xii) of this subsection that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).

Nevada’s law is very similar to that of Washington, but with a key difference. Nevada’s law does not allow for private action, where Washington’s does. This dramatically increases the risk: organizations which are believed to be in violation of Washington’s law may be subject to lawsuits from the general public in addition to the Attorney General for Washington.

The Washington Attorney General has released a F.A.Q. around the law that may be worth a review.

It is strongly recommended that organizations discuss these laws with their legal counsel and take any required corrective action before enforcement begins at the end of March.
