
How Companies Can Leverage Potential Data Privacy Regulations

Brand3 Team  •  February 7, 2023

Meta, the parent company of Facebook and Instagram, is facing scrutiny in Europe over its data use practices. Although the US currently has no singular federal law that encompasses data privacy, the EU ruling has American companies wondering if similar laws will become commonplace in the US.

By examining current state laws, we can determine what eventual federal laws may look like. While it’s likely that the country will see more comprehensive data privacy laws, businesses can choose to leverage that possibility to their advantage by proactively offering consumer data protection, thus upholding their corporate social responsibilities while establishing their brands as trustworthy.

Table of Contents

1. Meta and the EU

2. State Privacy Laws: Inferring Possible Data Privacy Laws at the Federal Level

3. Data Mining: Ethical Dilemmas and Corporate Social Responsibility

4. Conclusion

Meta and the EU 

In April 2019, a Facebook leak exposed 533 million users' personal information: their phone numbers, locations, and birthdates. The Irish Data Protection Commission (DPC) fined Meta 276m dollars for the data breach in November 2022.

Because Facebook and Instagram have their European headquarters in Ireland, the DPC takes the lead on making sure they comply with EU law, and in January 2023, the DPC fined Meta again. This time, the fine reached 390m euros – over 430m dollars.

The DPC's reasoning for fining Meta in January stems from the EU's General Data Protection Regulation (GDPR) – a data privacy law that went into effect in May 2018. The DPC claims Meta's method of asking users' permission for data use for targeted advertisements on Facebook and Instagram was unlawful under the GDPR. 

If users declined to accept the updated terms of service, they could no longer use Facebook or Instagram. According to the DPC, this illustrates that Meta forced users to consent to their data being used for targeted ads. In response, Meta claims their platforms could not work without using data for personalized advertising, and therefore, they weren’t forcing an ultimatum on users. 

The DPC ruled that Meta has three months to change how they obtain and use data for targeted ads; however, Meta intends to appeal the decision. Additionally, according to the Irish Times, Meta set aside 2bn euros or 2.176bn dollars to cover EU fines. The appeal, coupled with allocated money specifically for data privacy fines, suggests Meta doesn’t intend to change their practices any time soon. 

This decision has American companies wondering about the future of data privacy laws and how potential regulations will impact their business models. 

State Privacy Laws: Inferring Possible Data Privacy Laws at the Federal Level

Currently, in the US, there is no all-encompassing federal law such as the EU’s GDPR. Instead, there’s a mix of federal regulations and state privacy laws that impact the collection and use of consumer data. Looking at the three states with comprehensive privacy laws, we can infer how eventual privacy laws may impact businesses nationwide. 

1. California

The California Consumer Privacy Act of 2018 (CCPA)

Gives consumers the rights to:

  • Know what personal information businesses collect, along with how their data is used and shared
  • Delete the personal information that companies collect (with some exceptions)
  • Opt out of the sale or sharing of their data
  • Not face retribution for exercising their CCPA rights 

California Privacy Rights Act (CPRA)

An amendment to the CCPA adds the rights for consumers to:

  • Correct inaccurate personal information that a company has about them
  • Limit the use and disclosure of their sensitive information 

In California, businesses subject to the CCPA and CPRA must respond to consumer requests to exercise these rights within 15 business days and give consumers notices that explain their privacy practices.

2. Virginia

Virginia Consumer Data Protection Act (VCDPA)

Gives consumers the rights to:

  • Access their data
  • Request businesses delete their personal information

The VCDPA only affects businesses that 

  • Control or process the personal information of at least 100,000 consumers in a calendar year, or 
  • Receive 50% of their gross revenue from selling the personal data of at least 25,000 consumers

The VCDPA also requires companies to conduct data protection assessments of personal data used for targeted advertising or sales, and businesses have 45 days to respond to consumer requests.

3. Colorado

Colorado Privacy Act (CPA)

Gives consumers the rights to:

  • Opt out of targeted advertising, the sale of their data, and certain types of profiling
  • Access, correct, and delete their personal information

The CPA only affects businesses that

  • Control or process the personal information of at least 100,000 consumers in a calendar year, or
  • Receive revenue or discounts by selling the personal data of at least 25,000 consumers

The CPA will go into effect on July 1, 2023, and businesses will have 45 days to respond to consumer requests. 

At a federal level, similar laws would give consumers more control over how their data is collected and used. Businesses would be required to allow their customers to have information on the personal data collected and opt out of sales or data sharing. 

However, these state laws suggest that similar federal regulations would require consumers to request these rights rather than implicitly have them. Then, businesses would have a specific time frame to respond to these customer requests. 

Data Mining: Ethical Dilemmas and Corporate Social Responsibility

In 2017, ProPublica found that Facebook advertisers could exclude users from advertisements based on race. They were able to buy rental housing ads on the platform and request the advertisements “not be shown to certain categories of users, such as African Americans, mothers of high school kids, people interested in wheelchair ramps, Jews, expats from Argentina, and Spanish speakers” – groups protected under the federal Fair Housing Act. 

This example illustrates discriminatory practices resulting from data mining and targeted advertisements. Although there is no all-encompassing federal mandate for data privacy, organizations should consider their corporate social responsibility (a form of self-regulation that aims to support ethically oriented practices) to maintain ethical practices when capitalizing on users’ data.

Thorin Klosowski, the editor of privacy and security topics at Wirecutter, outlines four basic protections data privacy laws should encompass: data collection and sharing rights, opt-in consent, data minimization, and nondiscrimination and no data-use discrimination. While data privacy laws may inspire fear in companies reliant on collecting personal information, organizations can leverage these areas as a framework to operate more ethically, thus establishing themselves as a trustworthy brand.

1. Data Collection and Sharing Rights

Organizations can foster greater transparency and trust that they’re appropriately handling sensitive information by allowing consumers to request to see their collected personal data and ask that it not be sold to third parties. 

2. Opt-in Consent

In 2021, Apple received positive press for requiring developers to request opt-in consent before tracking users with Apple’s ID for Advertisers (IDFA). Explicitly giving users a choice to consent to data tracking can establish confidence that an organization has its users’ interests in mind. 

3. Data Minimization 

Data minimization allows companies to collect information necessary to provide their services while not exceeding the bounds of user trust by collecting excess data. Companies using data minimization can position themselves as dependable and honest.

4. Nondiscrimination and No Data-Use Discrimination

Companies clearly stating they won’t discriminate against individuals exercising their privacy rights can establish their brand as principled and ethical. Additionally, they can prevent advertisers from discriminating based on specific characteristics.

Rather than fear future laws, organizations can leverage the likelihood of more state and federal data privacy protections to position their brands as ethical, satisfying their corporate social responsibility and appealing to consumers concerned about the use of their personal information.


Conclusion

Data privacy rights are becoming an increasingly crucial issue for businesses and consumers, and the DPC's ruling against Meta highlights this problem. While organizations may fear how their business models will change with more comprehensive laws, they can leverage data privacy to their advantage by maintaining ethical practices when capitalizing on users' data.

Consumers are more likely to trust a business that shows transparency in collecting and using personal information. Companies that learn from these principles of data collection rights, opt-in consent, data minimization, nondiscrimination, and no data-use discrimination can establish themselves as trustworthy brands while giving customers greater control over their private information. By adopting some of these guidelines, companies can capitalize on users' data without compromising consumer trust.

Contact Us

1200 Agora Drive
Suite C #307
Bel Air, MD 21014
Copyright © 2023 Brand3, Inc. All Rights Reserved.
