Digital Advertising and the Global Privacy Patchwork

“The global privacy patchwork has created significant challenges for participants that work with the digital advertising industry,” says Michael Hahn, SVP and General Counsel from IAB Tech Lab. “We work with multiple partners, the technology is complicated, and the slightest variations in the different privacy laws can result in cascading legal and data management efforts for organizations.“

“Furthermore, the proliferation of different privacy laws and enforcement approaches…create a challenge for the digital advertising industry and how companies can best manage their compliance.”

Joining Hahn to discuss these challenges at the Fall Spokes Privacy Technology Conference was Bird & Bird Partner, Sophie Dawson; Jessica B. Lee, Partner, Chair, Privacy, Security and Data Innovations at Loeb & Loeb; Mark Webber, Fieldfisher U.S. Managing Partner; and Jessica L. Rich, Of Counsel at Kelly Drye, who previously served as a director of the Federal Trade Commission’s Bureau of Consumer Protection.  Hahn moderated the session, Digital Advertising and the Global Privacy Patchwork.

The Patchwork Challenge

“Like everything, the devil is in the details,” says Lee. “And specifically, for these laws, in the definitions.” Noting that while the bones are somewhat similar with respect to certain baseline consumer rights across California, Colorado, Virginia, and the GCPR, but “when you get into the weeds — particularly in this space where data is so important, they don’t exactly overlap.”

There are so many different data streams and parsing out each category of data, how its impacted by the law, and each data use is where some of these exemptions come into play (like deletion exemptions) aren’t exactly the same. We really have to go in line-by-line and understand when we do have an obligation to delete and that impacts, how you operationalize a deletion obligation.

—Jessica B. Lee, Loeb & Loeb

Lee notes that while companies are starting “to wrap their minds around it,” there will be much work to do in 2022 to measure the impact and develop processes for handling it.

The ability for consumers to limit the use of sensitive personal information; to opt out of having their PII used for any purpose other than that which it was collected is another complication in managing data. One that also constrains adtech and the ability to serve targeted advertising based on say, demographic and location data.

This means, says Lee, “figuring out first, what is the scope of personal information that I’m collecting and how am I using it. And then, what kind of mechanisms, am I going to put in place so that all the rights are applied to the data appropriately.”

“Number one,” advises Lee, “map your data. Companies really need to have a sense of what they have, where it sits, what they’re doing with it, and understand the business impact associated with that data. I think that Foundation will help for any future state laws.”

The hurdles to FTC rule making authority

The FTC can do industry wide studies and reports. It’s done that for broadband providers, data brokers, and social media companies, for example. And it can issue new rules under the FTC Act, even if they’re not mandated by Congress, under its ‘Mag Moss’ authority.

These tools give the FTC a lot of latitude, but there are some real hurdles too.

—Jessica L. Rich, Kelly Drye

She notes that the “FTC has several tools it can use to ramp up enforcement in this area,” including laws against unfair and deceptive practices. But the hurdles are significant.

“Contrary to what is often thrown around by people discussing deception and unfairness, those standards require the FTC to meet certain elements or proofs. Deception has to be material. With unfairness, you have to show a likelihood of significant injury and satisfy a cost-benefit analysis. Also, Magnus-Moss rulemaking is extremely cumbersome…Those rules take years to complete and it’s really not going to be feasible to do any kind of broad rule under Mag Moss.”

In October, Commissioner Slaughter provided remarks, where she questioned whether the notice and consent framework that most companies use, work, and suggested that a data minimization approach is better. And that it won’t “break the Internet” because there’s the alternative of contextual advertising. Is that a widely held view in the FTC?

—Michael Hahn, IAB Tech Lab

“The concept of data minimization isn’t new and criticizing notice and choice is not new,” reminds Rich. “This is stuff has been talked about for years. Data minimization is best practice, and it can be an element of the data security violation under FTC.”

“While it is a particularly difficult concept for the Adtech industry…the Ad industry can work on parallel protections as to use and sharing. I’ve helped work on those with people in the Ad industry, preventing the use of data for secondary and potentially harmful purposes as data travels through the chain. That’s something that your industry should be working on very hard.”

Unless they’re nuts, I really don’t expect the FTC to try to do a broad privacy rule with hundreds of mandates under its own Mag Moss authority. But I do think they’re going to bring aggressive enforcement and maybe launch some narrower rulemaking around what they’re calling surveillance.

—Jessica L. Rich, Kelly Drye

When Adtech woke up to a new world

“Adtech had grown fast. And not necessarily with privacy in mind,” says Webber. “And certainly not necessarily with European privacy or the GDPR in mind. There were a lot of businesses at the heart of adtech, that were U.S. or non-European centric, and the prospect of large fines (2% or 4% of global turnover) began to make some think about it. The GDPR really asked everybody to look inward at what data they had and why they had it.”

As Webber notes, three significant things the GDPR did was redefine personal data, a processor, and introduce extraterritorial controls.

“First of all, many ad tech providers considered themselves processors acting on behalf of somebody else,” notes Webber. Furthermore, “Many of those organizations considered themselves outside of the scope of the jurisdictions GDPR, but the GDPR had an extraterritorial effect. A business adtech business in San Francisco was now conceivably within the bounds of European law.”

The GDPR also clarified what was considered “personal data” going beyond then current European legislation, to include indirect identifiers (i.e., cookies, device IDs, IP addresses, and other indirect identifiers).

“So, the adtech industry lost that ‘we’re not processing personal data anyway’ argument. Suddenly that collection, use, disclosure, dissemination, and general uses of data now required that adtech processing was fair, lawful, and transparent. A new concept to think about. When you’re thinking about adtech you’re thinking about two things:

1. The collection of data, that is, how do you get it in the first place, and
2. The use of that data.

What we do know is we need transparency, and clear, open, and honest use around the way data is collected, used, and shared, and that’s really what we’ve been struggling within Europe ever since,” says Webber.

Since the introduction of the GDPR and subsequent legislation and enforcement, the adtech industry has learned quite a lot opines Webber. “The problem is,” he says, “is a lot of that has been local guidance. Although there’s a lot of commonalities,” the French, the UK, and Germany (late to the game), for example, have a very different view around opt-out/opt-in.

Webber also notes that case law provided much-needed insight. “Three cases come to mind:”

1. Fan Pages. Basically, an organization running a fan page in your own home page on Facebook is now seen as a joint controller and jointly responsible alongside Facebook for the collection of data.
2. Fashion ID, coming from the CJEU and also concerning Joint controllership. It involved website publishers using social plugins (e.g., share on LinkedIn) and made clear that if you run a website as a publisher and use third-party plug-ins, you are jointly responsible for the collection.
3. Planet 49. In this situation, cookie acceptance was pre-checked. The CJEU said this wasn’t going to be enough. You needed player affirmation.

All focus on transparency. “It’s important to look at what other technologies are alongside you, and that there might be some joint responsibility.”

Australia on its own

Sophie Dawson: “We have our own privacy laws which are not exactly like anybody else’s,” says Dawson. “Our piece of the patchwork quilt is very much our own.”

Privacy is undergoing two reviews in Australia, says Dawson. An exposure draft bill that would give power to the Privacy Commissioner to put in place a code with specific rules applicable to social media large digital platforms and data brokerage services. The second is a broader privacy review process and submissions.

The Australian story picks up on the global themes we’ve heard today, which are, firstly, that it comes very much from a competition, as well as a privacy focus. The current reforms stem from a digital platforms inquiry report done by our competition regulator, which was instigated in 2017. So it’s been quite a long conversation in Australia.

—Sophie Dawson, Bird & Bird

“Flowing from that process, we see proposed privacy and consumer protection reforms in the adtech space focused on transferability and promoting competition,” suggests Dawson. “There’s a focus on notice and consent, but there’s also a concern that that may no longer be the appropriate approach. Our regulators are talking about [a] move to more focus on what’s fair and reasonable from the regulator’s perspective, rather than it being all about consumer control.”

The exposure draft bill would do three things:

1. Increase the penalties for serious and repeated breaches of privacy including increasing the maximum penalty to AU$10M or 10% of annual revenue or the benefit received whatever is greater,
2. Extend the extraterritorial operation of the Australian act so it will no longer be confined by reference to Australian sources of data,
3. And, most importantly from an adtech perspective…it empowers the policy commissioner to make a code and requires that that code does things like introduce the specificity and informed nature of consent. So, it could have a real impact on the current practice.

The contemplated code would also enable individuals to request that their data no longer be used or disclosed which is not an existing right. There are “a lot of changes which are very relevant to adtech: changes to the personal information and technical information definition sometimes relied on the in the adtech world,” warns Dawson.

There’s a lot of potential changes around notice and consent, but there is a recognition that part of the GDPR feedback around consent and notice fatigue.

So the review is also looking at possibilities of requiring participants in the adtech environment with large data sets to assess privacy risks and manage them instead of a holistic duty-of-care type approach and the possibility of a rule saying that they must ensure that collections, uses, and disclosures are fair and reasonable.

—Sophie Dawson, Bird & Bird

“It is really important when you’re dealing with an Australian notice or consent,” continues Dawson, to actually step back from the privacy requirements and think does this make sense to a consumer? Is there a competition risk in addition to their privacy risk?

Watch the entire SPOKES session here.