PART 1 – NORTH AMERICA – US LAWS (STATES AND FEDERAL), CANADA
US States Privacy Compliance:
From Jan 1, 2023, we will have the beginning of five new US state laws which all have similar definitions of what constitutes “personally identifiable information” which includes persistent IDs used in AdTech.
- In 2018, the California Consumer Privacy Act (CCPA) was a turning point for US state privacy laws. The California Privacy Rights Act (CPRA) has since been passed, extending and amending many of the CCPA’s provisions.
- In 2021, Virginia and Colorado passed their own privacy laws, the Virginia Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA) respectively.
- In 2022, Utah passed the Utah Consumer Privacy Act (UCPA) and Connecticut passed the Connecticut Data Privacy Act (CTDPA).
As more states introduce privacy laws, organizations must be aware of, and able to manage, the varying provisions which can make cross-state compliance complicated.
US States Priority What’s needed Now, Next, Later for 2023 (with some links to IAPP resources)
- Priority Now: California (CCPA & CPRA) | will be in force 1 Jan 2023
- Priority Now: Virginia (VCPDA) | will be in force 1 Jan 2023
- Priority Next: Colorado (CPA) |will be in force 1 July 2023
- Priority Next: Connecticut (CTDPA) | will be in force 1 July 2023
- Priority Later: Utah (UCPA) | will be in force 31 December 2023
Listen to AdExchanger Podcast interview with MediaMath CPO “Doing the Math on Privacy Compliance”
CPRA: The NAI submitted written comments to the California Privacy Protection Agency (CPPA) in response to their proposed CPRA regulations.
US State Laws comparison: Resource on US State Laws comparison from partner Sourcepoint
California recent enforcements:
The recent California AG’s enforcement action against Sephora which resulted in a $1.2 million civil penalty “marks a considerable uptick in risk”. The attorney general is focused on online tracking and on implementation of and compliance with global opt-out signals, such as the Global Privacy Control. The complaint alleged that Sephora disclosed its use of online tracking technology but not the sale of personal information, that the privacy policy incorrectly stated “we do not sell personal information,” and the company did not offer an opt-out of sale by any method. The complaint also charged Sephora with failing to respond to user-enabled global privacy controls (GPC).
Why does this matter to marketer clients?
- Global Privacy Controls
It is important for marketers to continue to monitor developments on opt-out preference signals, which are addressed in greater detail in the CPPA’s draft regulations. Ensure your technology team fully recognizes the new opt-out requirements. The “frictionless” opt-out approach (recognizing opt-out signal preferences) may have challenges. You should understand how the business can practically implement this approach. Alternatively, you may choose the alternative approach of including links to allow consumers to opt-out. This AdExchanger article encourages marketers to be proactive in thinking about privacy, data collection and governance, stating that “by embedding privacy considerations into their larger business strategies, companies can build longer, more loyal relationships with customers.” Following learnings from the Sephora settlement, this article from the IAPP offers some helpful practical steps for clients to take for CCPA compliance. https://iapp.org/news/a/ccpa-enforcement-action-a-case-study-at-the-intersection-of-privacy-and-marketing/
Read More
- Future of Privacy Forum Comments to the California AG on Global Opt Out signals
- Commentary from Odia Kagan CA AG 2nd Year CCPA Enforcement Report is out!
Privacy Policies, Privacy Notices, Cookie Policies
Clients should now start reviewing and updating disclosure documents on their sites and digital properties, as the new US State privacy laws and rules will require many changes, such as what are the categories of data disclosed to third parties. In the Sephora complaint the State alleged that: “Sephora did not tell consumers that it sold their personal information; instead, Sephora did the opposite, telling California consumers on its website that ‘we do not sell personal information.’” Clients should reassess whether their online tracking practices result in CCPA sales and also whether or not analytics warrant treatment as a service provider offering.
Read More:
- https://www.jdsupra.com/legalnews/california-attorney-general-s-first-5529031/
- https://www.natlawreview.com/article/first-california-consumer-privacy-act-enforcement-action-and-settlement
Compliance Approaches to US State Laws
- Contract updates will be required
Clients should start now reviewing the updated definitions and practices for compliance with US State Privacy Laws which contain new contractual requirements regarding data, requirements that will need to be integrated into both new and existing contracts. For example, under the CPRA Regs there is now a complete ban on a business (client) sharing California user data to a service provider for the purpose of cross-contextual advertising, which is common today, and so we will need to make appropriate contractual updates to accommodate compliance with these changes.
MediaMath will be reaching out to existing clients with an addendum including appropriate contractual terms to address these new US State Privacy Laws requirements.
- Industry contracts may solve some challenges – IAB US Multi-State Privacy Agreement (MSPA)
Advertisers have increased obligations of accountability under CPRA and the IAB US recommend that everyone in the RTB chain (including advertisers) should be signing up to the MSPA so we have a common framework and can scale the contractual privacy and privity requirements. The MSPA covers contract requirements between first parties (Publishers and Advertisers) and downstream participants (SSPs and DSPs, also adservers and other vendors in the RTB chain).
- Technical signals: IAB Tech Lab Global Privacy Platform (GPP)
The industry must comply with several forthcoming state privacy laws (i.e., CA, VA, CO, UT, CT), with California and Virginia’s privacy laws becoming effective on January 1. Tech Lab plans to support state-level privacy signaling for each of these states in the GPP only and will not be available using the existing USP API. Therefore, to support signaling for the new changes to California’s privacy laws and the other state privacy laws, GPP must be adopted. https://iabtechlab.com/gpp/. IAB Tech Lab will not officially deprecate the USPrivacy String until later in 2023, it can only accommodate opt-out of sales in California, but not California opt-outs relating to cross-context behavioral advertising and sensitive personal information (including personal information about minors). These proposed changes to the USP API materially impact the industry.
Read More: An Explainer for GPP from IAB Tech Lab:
PRIORITY NEXT: KEEP A WATCHING BRIEF ON POSSIBLE FEDERAL PRIVACY LAW CHANGES.
US Federal proposals:
- The American Data Privacy and Protection Act (ADPPA)
- What Is It? The ADPPA is an attempt by Congress to bring harmonization and pre-emption to US state laws and provide comprehensive federal data protection. Read more on progress of ADPPA
- Will it become law? This is the closest ever bi-partisan effort to propose federal privacy protections in the US. It is possible but still not probable, especially after Nancy Pelosi said she wouldn’t support it in its current form. Read more on AdExchanger
- Is it a good idea for digital advertising? It could provide much needed clarity on what is required for US data protection compliance for businesses and greater clarity regarding consumer data rights. The bill diverges from a consent-based privacy structure (collection is generally allowed, so long as the user consents to it) towards a data minimalization one (a company cannot collect any more data than they reasonably need, as defined by statute). It provides for 17 purposes where collecting data is deemed necessary and permitted. This includes targeted advertising, but in a more limited form. Additionally, users would be allowed to opt-out of targeted advertisements (requiring more consumer-friendly language than other major laws) and appoints the FTC to create a universal opt-out standard.
- What are the key issues that challenge digital advertising? Targeting ads towards minors and those using “sensitive covered data” (which includes health, financial, precise geolocation, sexual behavior, biometric, and racial data, among other types) would be banned. Of greatest relevance to the digital ads industry is that the definition of sensitive covered data was unusually expanded to include internet browsing history overtime and across third party websites or online services. Industry bodies such as Privacy 4 America have objected to this and warned about the potential harmful consequences to the US data driven economy.
- Federal Trade Commission (FTC) S5 & ANPR
The Federal Trade Commission issued an Advance Notice of Proposed Rulemaking (ANPR) seeking feedback about whether rules are needed to protect people’s privacy and information, how to balance costs and benefits of current practices under S5 unfair and deceptive practices, and how, if at all, the FTC should regulate harmful “commercial surveillance” (described broadly by the FTC as the “collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information”).
- Why does this matter to digital advertising? The terms “commercial surveillance” and “surveillance advertising” have been frequently used over the past year by advocates looking to restrict or even ban targeted advertising.
Read More on FTC ANPR:
- The Network Advertising initiative (NAI) issued a statement calling “surveillance” a loaded term to describe established business practices that benefit consumers, small business, and a competitive marketplace.
- A couple of clear articles discussing the FTC ANPR on privacy issues. This will take a long time so there is no immediate impact on privacy compliance requirements or changes to current FTC S5 enforcement under unfair or deceptive practices.
https://www.adttorneyslawblog.com/ftc/nine-things-you-should-know-about-the-new-ftc-rulemaking-on-privacy-and-targeted-advertising - https://www.adlawaccess.com/2022/08/articles/the-ftcs-privacy-rulemaking-broad-and-far-reaching-but-unlikely-to-lead-to-a-rule-anytime-soon/
CANADA
IAB Canada TCF is Ready
The IAB Canada TCF (The Transparency & Consent Framework) is similar to the IAB EU TCF, where it ensures privacy signaling for various parties in the programmatic chain. In short, when MediaMath bids on a bid request, we need to ensure that the user has received the proper disclosures and has given the proper level of consent in order to bid for an ad. The TCF is the signal that informs MediaMath whether or not that has happened. The IAB Canada TCF is very similar to the EU TCF, in that it outlines similar purposes for data collection, including generalized ads, personalized ads, and measurement. The bases for collecting data fall under either express consent or implied consent. The IAB Canada TCF will be rolled out as part of the IAB’s Global Privacy Platform, which will standardize the way privacy signaling in the programmatic chain can be exchanged across partners.
WHATS NEXT?
MediaMath Legal & Compliance will be reaching out and following up with further information on the new contractual requirements because of new US State laws.
WHAT ABOUT COOKIES VS IDENTITY SOLUTIONS?
This privacy laws briefing is focused on upcoming privacy laws and contractual and technical solutions. The information is generally applicable to all data defined as “personal data” or “personally identifiable information” that governs the collection, processing and transfer of existing identifiers such as cookies and MAIDs and also of new ID solutions, both probabilistic and deterministic, and we do not discuss the pros and cons of any of these technologies in this article. However, we have some links for information from our privacy team that discuss how the laws will apply to IDs post third party cookies.
Webinars: Our Chief Privacy Officer Fiona Campbell-Webster, was a panel speaker for the ID5 Identity 2022 Event on Consent Post Third Party Cookies,
Guides: Ferdinand David, VP, Product Policy & Compliance Lead, and James Kerr, Regional Counsel and Data Protection Officer, EMEA and APAC, contributed to IAB Europe‘s updated “Guide to the Post Third-Party Cookie Era.” Covering the latest on alternatives and best practices ahead of the end of third-party cookies.
DISCLAIMER: Please note this article is for informational purposes only and does not constitute legal advice. Clients should consult their own legal advisors about their specific compliance requirements.