What are your thoughts or concerns about the California Consumer Privacy Act (CCPA) and other state or federal privacy rules? What are the risks and opportunities? What do you think is missing from our coverage? We want to hear from you. Email us at email@example.com.
It’s been a disruptive year in the tech and media industry, to say the least. Over the last 12 months, tech giants have come under withering public and regulatory scrutiny for their collection and use of consumer data, and mainstays of digital media like ad targeting and retargeting are facing increasing public opposition. At the same time, the European Union’s General Data Protection Regulation—the arrival of which prompted a Y2K-esque panic among the industry—has settled into law. One year in, though, the exact ways that the regulations are being enforced remain complicated and yet to be fully realized.
Several ad-tech firms shuttered their EU operations ahead of May 25 last year, and big tech names like Facebook and Google were hit with fines for violating the rules on day one of the law’s implementation. In the 12 months since, per the European Data Protection Board, there have been 144 complaints to national supervisory authorities about companies’ data practices. On the publishing side, the IAB Tech Lab only recently closed a public commentary window on the latest version of its Transparency and Consent Framework—an industry standard for GDPR compliance—after earlier iterations were deemed to have overburdened publishers, according to reports.
It’s not just uncertain GDPR enforcement that the industry has to prepare for. Beginning on Jan. 1, 2020, the CCPA, a similar slate of legislation dealing with users’ rights to take back control over their own data, goes into effect. Any company doing business in California—which has a population that makes up roughly 12% of the entire country— that has annual gross revenues more than $25 million, handles data of 50,000 people or more or has half of its revenue coming from selling personal information, will have to figure out how to comply.
“Every company that has a CRM that contains a California resident is affected by this law, so an incredible amount of companies will have to figure out how to deal with that,” said Ramon Jimenez, a venture partner at Movens Capital. “Further still, what about those companies whose business relies on third-party data? What if their partners decide that selling data to them is just too risky, given CCPA?”
Benoit Grouchko, CEO of France-based location data vendor Teemo—a company that had an early brush with its DPA after GDPR enforcement—explained that U.S. publishers are beginning to address their supply partners as a result of such legislation. While the two sets of laws may differ in detail, a consistent approach on either side of the Atlantic is, in his opinion, the best practice. “In GDPR, there is a notion of co-responsibility when it comes to contracts,” Grouchko said.
Many interpret the legislation to mean that all data collectors (such as publishers) share liability with their subsequent data processors (such as ad-tech providers). “We have to make sure that our partners collect data the right way … so, in the U.S., we are doing the same to make sure that anyone we work with is sending data to us in the right way,” he said.
The waiting game for federal regulation
California is not the only U.S. state to consider privacy measures. Other data protection laws in states like Vermont and South Carolina are already on the books, and legislation is moving through other statehouses, too, presenting a potentially tricky patchwork of legislation for companies to navigate. That’s one of the reasons why the digital media industry as a whole is advocating federal measures that would preempt state laws, which they say will provide some uniformity as to the measures they would have to implement coast to coast.
Testimonies heard last week on Capitol Hill by the Senate Committee on the Judiciary offered some kind of insight as to the ruminations of the concerned lawmakers. Dr. Johnny Ryan, chief privacy officer at Brave, urged committee members to adhere to the principles enshrined in GDPR as they consider potential federal rules and reiterated his belief that the very fundamentals of online ad auctions violate the core tenets of GDPR, the basis of a GDPR complaint he earlier filed in the EU.
At the same hearing, influential ad-tech figure and former AppNexus CEO Brian O’Kelley proposed that federal regulations detail consumers’ data rights, as well as give a regulatory body the power to enforce rules and consider breaking up internet giants under antitrust rules.
While the promise and potential pitfalls of federal regulation continue to loom, some industry experts aren’t confident that federal rules will pass before the end of the year, meaning CCPA would become law.
“There is actually bipartisan support on the need for this federal law, but legislation is hard, especially going into 2020,” said Jason Kint, CEO of the digital publishing trade organization Digital Content Next. “If you’re betting, it’s very unlikely that there’s going to be a federal law [by Jan. 1, 2020]. Both sides have different priorities in a federal law.”
A number of proposed CCPA amendments and counterproposals are still under debate ahead of Jan. 1, giving some in the industry a sense of déjà vu from the months leading up to the GDPR enforcement date of May 25, 2018. But Kint said he did not anticipate CCPA to change significantly.
“Being ready for California is—and should be—priority No. 1,” Kint said.
As both U.S. consumers and the digital advertising industry face such fundamental questions over the ethical use of data, Adweek will focus more closely on state legislation like CCPA and the ongoing debate over federal privacy rules. We’ll also look at what it will mean for major players in the industry, including ad-tech vendors, platforms, publishers and agencies. In the coming weeks and months, follow along with our privacy coverage here.