What are your thoughts or concerns about the California Consumer Privacy Act (CCPA) and other state or federal privacy rules? What are the risks and opportunities? What do you think is missing from our coverage? We want to hear from you. Email us at email@example.com.
It’s been a disruptive year in the tech and media industry, to say the least. Over the last 12 months, tech giants have come under withering public and regulatory scrutiny for their collection and use of consumer data, and mainstays of digital media like ad targeting and retargeting are facing increasing public opposition. At the same time, the European Union’s General Data Protection Regulation—the arrival of which prompted a Y2K-esque panic among the industry—has settled into law. One year in, though, the exact ways that the regulations are being enforced remain complicated and yet to be fully realized.
Several ad-tech firms shuttered their EU operations ahead of May 25 last year, and big tech names like Facebook and Google were hit with fines for violating the rules on day one of the law’s implementation. In the 12 months since, per the European Data Protection Board, there have been 144 complaints to national supervisory authorities about companies’ data practices. On the publishing side, the IAB Tech Lab only recently closed a public commentary window on the latest version of its Transparency and Consent Framework—an industry standard for GDPR compliance—after earlier iterations were deemed to have overburdened publishers, according to reports.
It’s not just uncertain GDPR enforcement that the industry has to prepare for. Beginning on Jan. 1, 2020, the CCPA, a similar slate of legislation dealing with users’ rights to take back control over their own data, goes into effect. Any company doing business in California—which has a population that makes up roughly 12% of the entire country— that has annual gross revenues more than $25 million, handles data of 50,000 people or more or has half of its revenue coming from selling personal information, will have to figure out how to comply.
“Every company that has a CRM that contains a California resident is affected by this law, so an incredible amount of companies will have to figure out how to deal with that,” said Ramon Jimenez, a venture partner at Movens Capital. “Further still, what about those companies whose business relies on third-party data? What if their partners decide that selling data to them is just too risky, given CCPA?”
Benoit Grouchko, CEO of France-based location data vendor Teemo—a company that had an early brush with its DPA after GDPR enforcement—explained that U.S. publishers are beginning to address their supply partners as a result of such legislation. While the two sets of laws may differ in detail, a consistent approach on either side of the Atlantic is, in his opinion, the best practice. “In GDPR, there is a notion of co-responsibility when it comes to contracts,” Grouchko said.
Many interpret the legislation to mean that all data collectors (such as publishers) share liability with their subsequent data processors (such as ad-tech providers). “We have to make sure that our partners collect data the right way … so, in the U.S., we are doing the same to make sure that anyone we work with is sending data to us in the right way,” he said.
The waiting game for federal regulation
California is not the only U.S. state to consider privacy measures. Other data protection laws in states like Vermont and South Carolina are already on the books, and legislation is moving through other statehouses, too, presenting a potentially tricky patchwork of legislation for companies to navigate. That’s one of the reasons why the digital media industry as a whole is advocating federal measures that would preempt state laws, which they say will provide some uniformity as to the measures they would have to implement coast to coast.