Every day, it feels like there’s a new data privacy regulation update; six states in the US now have comprehensive privacy laws (and many more have bills in the works), adding to the already crowded global regulatory landscape. Because third-party cookies are also finally going away in 2024 (for now), organizations need to find a way to get relevant data about their customers without using third-party trackers.
This shift is going to bring about a new era of corporate responsibility, with organizations being more transparent than ever before about exactly how and why they’re processing data and demonstrating the value that collecting this data brings to their customers’ user experience.
In the recent Marketer’s Masterclass webinar series, OneTrust privacy experts covered many topics on consent and preferences, including first-party data, zero-party data, and how US state privacy laws define Sensitive Personal Information (SPI). Let’s take a look at some of the common questions about first-party data that were asked across the series.
When collecting first-party data or zero-party data, your marketing organization needs to be aware of the categories of data that it’s collecting. While obtaining data such as website activity and purchase data requires opt-out consent from the user, more sensitive categories of data require not only a separate consent form but also an additional notice that explains why these categories of data are required for your organization and how you plan on processing them. These categories of data are referred to as Sensitive Personal Information (SPI) and have slight differences across the US privacy landscape.
SPI can be considered first-party or zero-party data when it’s collected directly from the consumer and not via any third-party data trackers. In these cases, you still need to ensure that the appropriate consent mechanisms are in place when collecting this data.
You need to guarantee that your marketing teams are aware of the different consent requirements and mechanisms in place for the categories of data that they’re looking to obtain from users.
What are the differences regarding sensitive personal information (SPI) consent for different states?
Different laws in the US deal with SPI in different ways.
First off – what is it? Different states define SPI slightly differently; however, all states currently classify the following items as SPI:
Apart from these, there are certain categories of data that some states consider SPI and others don’t. For example, California considers union membership, government ID, financial information, and private communications to be SPI while no other state does. Certain states include other categories, such as biometric information, children’s data, and geolocation, in their SPI definition while others leave them out. Precise geolocation data is one category that is considered SPI by every state except for Colorado and is currently one of the main topics of discussion in privacy.
Refer to the table below for a full breakdown of SPI categories across US state privacy laws.