In parallel, Directive 2002/58/EC, dubbed the “ePrivacy” Directive, as amended, lays down rules to guarantee protection of privacy in the electronic communications sector. This Directive, as well as its transposition into French law by Law no. 2004-575 For Confidence in the Digital Economy, imposes obligations with respect to marketing and introduces rules on how cookies are used. The ePrivacy Directive is still undergoing revision and is expected to be replaced by an ePrivacy regulation that will be directly applicable in the EU. The CNIL has made cookie compliance one of its main areas of focus and has sanctioned several companies for non-compliance.
Since the implementation of the GDPR, an increasing number of countries across the globe are adopting personal data protection regulations. In the United States, in the absence of federal regulations, California adopted the California Consumer Privacy Act (CCPA), which came into force in January 2020 and was supplemented in October 2020 by the California Privacy Rights Act (CPRA), which came into force in January 2023 and will be applied from July 1, 2023. The CCPA requires the implementation of opt-out mechanisms allowing users to refuse the use of their personal data, and the CPRA strengthens the requirements relating to the way in which companies are authorized to use the personal information of consumers in California. The states of Virginia, Colorado, Connecticut and Utah also adopted privacy laws in 2021/2022, all of which will come into force on different dates in 2023. These laws incorporate some of the concepts of the GDPR and the CCPA. A dozen other US states are in the process of proposing their own draft laws on personal data protection which, if adopted, will further complicate the situation by fragmenting the legislative landscape.
In 2021, Brazil and the People’s Republic of China adopted their personal data protection laws. In 2022, India, Australia and Saudi Arabia introduced more substantial personal data protection laws.
The European Union also introduced new regulations which affect the advertising and marketing industry, with the ambition of turning the European Union into a single digital market and “creating a safer digital environment which protects consumers’ fundamental rights and establishes fair competition conditions for companies”. These are centered around the Digital Markets Act (DMA), the Digital Services Act (DSA) and the Data Governance Act (DGA). The DMA aims to regulate the behavior of platforms that have a significant impact on the European market, particularly with regard to competition law. It also provides for obligations relating to the use of personal data for targeted advertising. The DSA aims to regulate the operation of platforms, regardless of their size, and in particular the content published on the Internet.
The DGA aims to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical barriers to data reuse. The DMA and DSA entered into force in November 2022 and the DGA entered into force in June 2022.
Artificial Intelligence (AI) has been developing rapidly in recent times and is commonly used by companies for advertising-related activities. It is receiving increased attention from regulators in both the European Union and the United Kingdom. In April 2021, the European Commission proposed an AI law and the United Kingdom’s data protection regulator, the ICO, published guidelines and made AI one of its three main strategic priorities.