Neil Sweeney, Founder/CEO of Reklaim, discusses how evolving privacy laws are transforming ethnicity into Sensitive Personal Information (SPI), urging marketers to pivot from traditional approaches and secure explicit consent — or risk alienating multicultural audiences and facing legal repercussions.
Media outlets today focus on multiculturalism and DE&I (Diversity, Equity, and Inclusion), but an overlooked issue is how marketing strategies must adapt to new regulations to engage these multicultural groups effectively — and legally.
In the past, ethnicity was simply another audience segment you could pull off the shelf, ready for your campaign. If you wanted to target African Americans, Hispanics, or any other ethnic group, the data was there, and available to use. Fast forward to today, and the landscape has changed dramatically. Ethnicity, alongside many other categories, has been reclassified as Sensitive Personal Information (SPI). What does this mean for marketers? A lot. And if you’re not paying attention, it could be catastrophic for your campaigns and your brand.
The Shift from Assumed to Explicit Consent
The days of assumed opt-ins — think cookie banners — are over. Today’s privacy landscape increasingly demands explicit opt-in. The difference is significant, yet many players in the agency world and data market still fail to understand this distinction. If you’re using SPI data, you need explicit user consent, period. This isn’t just about collecting consent; you must also ensure the user can opt-out.
Furthermore, data consent must be used in the context in which it was collected. You can’t collect explicit consent in one place and then sell or trade that data for use elsewhere. Yet, this is the problem many platforms face today. Why? Because they lack direct interaction with consumers.
The Problem with ‘Headless’ Platforms
Headless platforms are like data warehouses — they store information but lack a consumer-facing interface to collect or manage consent. Over the last two decades, data management platforms (DMPs), supply-side platforms (SSPs), demand-side platforms (DSPs), and similar services have played pivotal roles in media and advertising. However, these platforms often operate without direct consumer interaction, meaning they can’t collect opt-ins or manage opt-outs. By definition, SPI data should not be processed by these platforms — yet no one seems to be addressing this issue.
Some platforms have started removing these categories altogether in an attempt to self-regulate. However, this approach is inconsistent and insufficient. It also leaves a gaping hole in the market for the Fortune 500 companies that rely on this data to market efficiently.
A Market at Odds
Consider this: over 40% of the U.S. population identifies as part of a minority group. Yet the very data needed to market to these groups is rapidly becoming unavailable or unreliable. The conundrum? There’s never been a greater appetite to market to different ethnicities, but the tools to do so have never been weaker.
Bad actors are partly to blame. Predatory marketing practices, such as targeting low-income multicultural groups with unfair lending products, violated the Fair Lending Act. This is why categories like household income and ethnicity are no longer available on platforms like Meta.
What Can Marketers Do?
- Stay on Top of Privacy Policies: With privacy regulations in constant flux, it can be overwhelming. My advice? Focus on following the opt-in. Wherever new requirements for explicit opt-ins emerge, you can be sure that marketing to those groups without this consent will expose you to liability.
- Choose Partners with a ‘Head’: A key way to ensure compliance is by selecting data partners with a user interface. If a platform has no direct relationship with the consumer, it can’t collect or manage explicit consent. No head, no consent—simple as that. Don’t be fooled by the “privacy-first” jargon that’s become all too common in marketing.
- DE&I Is Not an Exemption from Compliance: Many brands are pushing their DE&I initiatives by directing ad spend to minority-owned organizations, which is commendable. However, if those same brands aren’t checking whether the data used in those campaigns is opt-in compliant, they’re inadvertently fast-tracking their liability. A DE&I SSP should be able to manage both opt-in and opt-out consent to protect the brand.
- Treat SPI Like Health Data: Sensitive Personal Information is much like healthcare data. Most of us understand that when marketing in the healthcare space, compliance with HIPAA is mandatory. The same principle should apply to SPI. Treating SPI data with the same level of care ensures that your marketing strategies meet the explicit consent requirements.
Exclusion Isn’t a Strategy
Too often, I’ve had conversations with brands and agencies that end with them saying, “We’re excluding this (SPI) category for now.” This approach is not a long-term solution. Exclusion is a cop-out, and more importantly, it’s intellectually bankrupt. Ignoring multicultural audiences due to data compliance challenges is not a strategy — it’s a missed opportunity. Any self-respecting brand that thinks excluding 40% of their audience is a good idea should ask themselves: what’s the alternative? A campaign so vanilla it appeals to no one? Brands should demand more from their agencies and teams if this is their approach.
Since early 2023, over 17 states have enacted privacy laws that address consumer inclusion around ethnicity, religion, sexuality, and union membership. This trend is not reversing. It’s vital for brands and agencies to overcome inertia and adopt new strategies and tactics. Progressive brands must take the lead, holding their agencies and partners accountable. There is enormous opportunity here for those willing to lead from the front.