Last week, I had the opportunity to speak at the 2024 IAB Public Policy and Legal Summit in Washington, DC, about the importance of standardization in privacy compliance, discuss the IAB Diligence Platform and hear directly from regulators about what they are looking for.
Standardization is an urgent issue for three reasons.
Advertising is now a regulated industry. Over a dozen states already have regulations in place, and another dozen states are in committee on this subject.
And at the federal level, the FTC, SEC and Congress are considering privacy as it relates to kids, health care, data clean rooms and beyond.
Regulators have put data-driven ad personalization under the microscope. They’ve made it clear that privacy compliance isn’t optional and enforcement will be swift and certain.
Regulators want proactive compliance
We are in the enforcement phase of California, Colorado, Connecticut, Virginia and Utah state privacy laws. Across states, the expectation is “proactive” compliance.
Colorado Attorney General Phil Weiser has said, “Enforcement of the Colorado Privacy Act is a critical tool to protect consumers’ data and privacy (…) If we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”
Michael Macko, the deputy director of enforcement for the California Privacy Protection Agency, had previously said businesses should expect “vigorous enforcement” of the CCPA, including with respect to the newest regulations. He repeated that message at the IAB Public Policy Summit and again at the IAPP Global Privacy Summit last week.
He also noted the importance of “enforcing compliance programs that you have and memorializing what you have done.” The IAB Diligence Platform helps companies do just that.
But enforcement is not only happening at the state level. The Federal Trade Commission is also very actively enforcing privacy policy promises and practices under the FTC Act.
At FTC PrivacyCon in March, FTC Chair Lina Khan said its “enforcement actions are making clear that selling certain types of sensitive data is presumptively off limits. That’s especially true when data can reveal intimate details about people’s lives, including where they live, which doctors they visit, and the websites they browse.”
That’s why every stakeholder in the ad industry needs a privacy compliance plan.
If your vendors aren’t compliant, you aren’t compliant
Selling or sharing data is under heightened scrutiny — and it’s not just about what you do. Now, it’s about what the partners you disclose data with do with that data.
There are new requirements around what advertisers’ partners can and cannot do with consumers’ personal information. But it’s up to advertisers to ensure these requirements are met.
You must have a contract in place that meets specific requirements on what your partner can do with the data. These contracts must include mandatory audit provisions. It’s essential to take “reasonable and appropriate steps” to confirm that your partner uses personal data in ways that are consistent with the law.
Your existing contracts may be out of date. But this is about more than just updating contract language. You have an obligation to exercise due diligence to assess whether your vendors are complying with the CCPA or stop sending data until noncompliance is remediated.
Otherwise, you risk being liable for your vendors’ noncompliance.
The cost of doing business
Compliance can’t be left up to chance. Advertisers need reliable solutions that automate compliance monitoring, providing them with insights into risks and providing avenues to close any gaps.
Whatever compliance solution you choose, it should be auditable and provide a clear record of your company’s compliance efforts. A standardized approach works better for everyone and the industry.
The IAB Diligence Platform can help companies ask the right business and technical compliance questions specific to each digital advertising use case and vendor type. The IAB Privacy Implementation and Accountability Taskforce has invested months in crafting those standardized questions.
The IAB Diligence Platform also offers comprehensive privacy assessments built to the individual state laws and regulations.
Finally, it has an automated Vendor Compliance Hub so that companies can complete the relevant IAB diligence questions and state law assessments once and share them multiple times securely on the platform, demonstrating their compliance as they engage with vendors.
One challenge is that brands don’t typically include a line item for compliance in the campaign budget. But that can’t be an excuse for inaction.
The Sephora and DoorDash enforcement actions were just the beginning. The FTC’s Khan has said quite clearly: “We are looking upstream to establish liability.”
But here’s the reality: We’re all upstream – everyone that shares data across the ecosystem. And you do not want to be caught upstream without a paddle.
“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Follow SafeGuard Privacy and AdExchanger on LinkedIn.
For more articles featuring Richy Glassberg, click here.
