
Consent and Advertising in 2023


Looking back, the General Data Protection Regulation (GDPR) set the bar for notice, choice, and consent and, although it was not obvious at the time, previewed how privacy legislation would evolve. Years later, California gave the first indication of what privacy law would look like in the United States at the state level. Since California's progression from the California Consumer Privacy Act (CCPA) to the California Privacy Rights Act (CPRA), four more states have followed: Virginia, Colorado, Connecticut, and Utah, with several others in discussion.

Today, organizations are mobilizing to devise consent management and notice strategies – the common themes across all the legislation – across multiple channels, brands, and devices from phones to smart TVs and connected appliances.

Joining WireWheel CPO Rick Buck at the SPOKES Privacy Technology Conference (held June 22-23) to discuss Consent and Advertising in 2023 are Jennifer Harkins Garone, Sr. Director, Privacy at Carnival Corp.; IAB and IAB Tech Lab EVP and General Counsel, Michael Hahn; and Gary Kibel, a Davis + Gilbert LLP Partner.

This seasoned group of privacy experts has seen the concepts of notice, choice, and consent go from non-existent to a front-and-center issue.

A lot to unpack

With all these new laws, all the different state laws, and the lack of a federal law in the U.S., it is very challenging because definitions in the laws do not line up and obligations in the laws do not line up. This leads to the big question: what sort of solutions should you implement?

—Gary Kibel, Davis + Gilbert LLP

[Table: opt-in versus opt-out consent requirements across the 2023 state privacy laws]

“Do you implement a state-by-state solution, or a one-size-fits-all solution based on the strictest standards brought together from multiple jurisdictions?” asks Kibel. “You can’t simply say I’m going to follow the one strictest state, because there are unique differences.”

“Some of the laws have definitions of sensitive personal information (PI), which do not line up exactly the same,” notes Kibel. “The most impactful is that Virginia, Colorado, and Connecticut require an opt-in to process ‘sensitive personal information,’ California’s CPRA and Utah require an opt-out.”

Importantly, most of the sensitive personal information definitions include precise geolocation. While Apple now requires apps to ask permission before collecting your location, “this is not a common practice on the web, where IP addresses and precise geolocation information are collected without an express opt-in. This is one of the unique things that’s going to change in 2023,” advises Kibel.

This forces a big decision: since an express opt-in is not required in every state, do you show an opt-in prompt only to visitors from Virginia, Colorado, and Connecticut, or to everyone regardless of location?

The weeds of the law

Consider just a small sampling of consumer rights across the states, and the complexity of implementing consent, both as policy and as a technical implementation, becomes clear:

  • The privacy laws have opt-out rights for targeted advertising, but the states define them differently (California calls it cross-context behavioral advertising).
  • The California Privacy Rights Act (CPRA) extends the California Consumer Privacy Act’s (CCPA) right to opt-out of sale to include sharing and limiting the use and disclosure of sensitive PI. “The CPRA requires there to be a new link which has the words ‘limit the use of my sensitive personal information,’” notes Kibel.
  • Other laws take a similar approach with a right to opt out of targeted advertising, sale, and profiling, with some requiring opt-in for use of sensitive personal information.

Once we dig into the weeds of the law, there are other disconnects even between the same concepts. The CPRA treats a sale as a transfer of data to a third party for monetary or other valuable consideration, while in Virginia it is only ‘monetary consideration’, which again necessitates deciding “how to apply this right differently to consumers in different locations.”

—Gary Kibel, Davis + Gilbert LLP

It is a lot to unpack. To help navigate the ever-changing privacy law landscape, WireWheel has created a Privacy Law Comparison Matrix.

The network-based approach to consent

“Do you need to obtain consent on the publisher or advertiser’s page? Or can you obtain consent on a single page in a broader network that bands together,” asks IAB’s Michael Hahn.

To look at an issue like this, we have to start with ‘what’s the basic standard?’ And while there are undoubtedly nuances in what it means to consent, for those thinking about this in a multi-state approach, you’re going to end up with what is typically the most rigorous version of consent to apply it everywhere.

—Michael Hahn, IAB

That most “rigorous version of consent” is the GDPR version, says Hahn, and one which also appears in some of the state laws. The CPRA adds that “a business must adhere to the following principles when designing its consent method, and any method that fails to meet these requirements may be considered a dark pattern and does not constitute valid consent” (Cal. Proposed Regs. § 7004(b)). The principles include:

  • Easy to understand
  • Symmetry in choice
  • Avoid language or interactive elements that are confusing to the consumer, and
  • Avoid manipulative language or choice architectures

[Infographic: defining consent for advertising in 2023]

Does a network-based approach to consent work?

“When referring to a network-based opt-in approach”, says Hahn, “what we’re really talking about is providing consent to a large number of, let’s say publishers and ad tech companies to undertake cross-site tracking. In other words, you are being asked to opt-in to cross-site tracking for the network participants. However, when tested against the CPRA consent standard this network-based approach falls short.”

It’s tough to imagine making a strong argument to a regulator that when I go to publisher number one as a consumer, that I was sufficiently informed about what could be a large number of other publishers in the network…that providing this bulk consent is for a narrowly defined particular purpose.

—Michael Hahn, IAB

And indeed, the CPRA states that any opt-in link applies only to the business with which the consumer intends to interact (Cal. Civ. Code § 1798.185(a)(20)).

While the concept of multiple independent or joint controllers exists in state law, “generally speaking, state laws encumber the entity with whom the consumer has a direct relationship with a broad set of direct responsibilities and distinguish them from third parties: a concept that does not exist in Europe,” notes Hahn.

Hahn also notes that the draft regulations have an entirely new concept: “The business needs to either a) disclose the third parties to whom they have sold personal information and such third parties control the collection of the information, or b) provide information about their business practices.”

“I don’t know what the second half of that means,” confesses Hahn, “but whatever it does mean it suggests to me that it’s impossible to fulfill that requirement” in a network-based approach.

Operationalizing privacy law requirements

When asked if the ‘do not share’ prohibition under CPRA is tantamount to the right to opt out of behavioral targeted advertising, two or three years ago, most of us would have said no, they’re different. But the state AG has started to say they’re the same because with a lot of the behavioral and targeted advertising that is done through cookies (such as with Facebook) somebody is exchanging money in order to get that.

—Jennifer Harkins Garone, Carnival Corp.

The question becomes “If my company website has a Facebook cookie who is then selling that information, how does somebody who is running a program handle it?”

For Garone, the answer is “you have to apply the ePrivacy Directive to everybody. Or apply California to everybody. And it is going to be available on January 1, 2023, as opposed to 2025, because if you iterate, it costs a lot of money. Heck, if you don’t iterate it can cost a lot of money, so it is a very challenging decision.”

You have to look to technology. “In one part of our business we have a homegrown tool and we started to find it costs too much in money and lead-time to make the necessary changes with the constant parade of new laws. So, we’re looking at what the right technology stack is for us to manage it,” says Garone.

If the cookie banner is your opt-out vehicle, how do you make that work together with do not share? How do you bring do not share into your cookie and tags? It’s taking us a while to figure out because of all the nuances.

One of the ways we can make it easier on ourselves is getting the right technology.
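The question raised above, how a cookie-banner opt-out and the CPRA do-not-share signal can gate the same third-party tags, is one a tag manager has to answer in code. The following is an added example written for this page; it is not code from the session, from WireWheel, or from any consent-management product. The tag catalogue, the shape of the persisted consent record, and the state table (which restates the panel’s description of opt-in states versus opt-out states) are assumptions constructed for the illustration. It also offers the two options Kibel describes: apply each state’s own rule, or apply the strictest rule everywhere.

```javascript
// Added illustration, not code from the session, WireWheel, or any CMP product.
// A single gate that a tag manager would call before firing a third-party tag.
// It combines three signals the panel discusses: the cookie banner's per-category
// choice, the CPRA "do not sell or share" opt-out, and the express opt-in that
// Virginia, Colorado, and Connecticut require before processing sensitive data
// such as precise geolocation (California and Utah treat it as an opt-out).
// The state table and the tag catalogue are constructed for this example.

const SENSITIVE_REGIME = {
  VA: "opt-in", CO: "opt-in", CT: "opt-in",
  CA: "opt-out", UT: "opt-out",
};

// Hypothetical tags; each declares what it does so the gate can reason about it.
const TAGS = {
  analytics:   { category: "analytics",   sharesPI: false, usesSensitive: false },
  socialPixel: { category: "advertising", sharesPI: true,  usesSensitive: false },
  geoBidder:   { category: "advertising", sharesPI: true,  usesSensitive: true  },
};

// Consent record as a banner or CMP would persist it. `sensitiveChoice` is
// null (no express choice made), true (opted in) or false (opted out / "limit use").
function defaultConsent() {
  return {
    categories: { analytics: false, advertising: false },
    doNotShare: false,
    sensitiveChoice: null,
  };
}

// mode "state-by-state": apply each state's own rule (an unknown state falls back
// to the strictest rule). mode "strictest": require an opt-in for sensitive data
// everywhere, the one-size-fits-all option the panel describes.
function evaluateTag(tagName, consent, state, mode = "state-by-state") {
  const tag = TAGS[tagName];
  if (!tag) return { allow: false, reason: "unknown tag" };

  if (!consent.categories[tag.category]) {
    return { allow: false, reason: `no consent for category ${tag.category}` };
  }

  // The do-not-share signal overrides the banner category for any tag that
  // passes personal information to a third party.
  if (tag.sharesPI && consent.doNotShare) {
    return { allow: false, reason: "do not sell or share opt-out" };
  }

  if (tag.usesSensitive) {
    const regime = mode === "strictest" ? "opt-in" : (SENSITIVE_REGIME[state] || "opt-in");
    if (regime === "opt-in" && consent.sensitiveChoice !== true) {
      return { allow: false, reason: `${state}: sensitive data requires express opt-in` };
    }
    if (regime === "opt-out" && consent.sensitiveChoice === false) {
      return { allow: false, reason: `${state}: consumer limited use of sensitive PI` };
    }
  }
  return { allow: true, reason: "ok" };
}

// Evaluate every catalogued tag and return the names of those that may fire.
function allowedTags(consent, state, mode) {
  return Object.keys(TAGS).filter((t) => evaluateTag(t, consent, state, mode).allow);
}

// Worked run: a visitor accepts both banner categories but never expressly
// opted in to sensitive data, then later sets do-not-share.
const c = defaultConsent();
c.categories.analytics = true;
c.categories.advertising = true;
console.log(allowedTags(c, "VA"));   // [ 'analytics', 'socialPixel' ]  geoBidder needs opt-in
console.log(allowedTags(c, "CA"));   // [ 'analytics', 'socialPixel', 'geoBidder' ]  opt-out state
c.doNotShare = true;
console.log(allowedTags(c, "CA"));   // [ 'analytics' ]  do-not-share blocks both sharing tags
```

The point of the structure is that the banner category, the do-not-share signal, and the sensitive-data choice are evaluated in sequence rather than collapsed into one “accept cookies” boolean, so a later rule change (a new opt-in state, or a tag reclassified as sharing PI) is a data change rather than a rewrite of every tag’s firing condition.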

There are still a lot of questions around the new privacy laws

You have senior executives who have goals to meet. They want to do targeted advertising. You need to have conversations with them and there are a lot of questions to ask, says Garone:

Who are you sharing data with? Under what definition? What is the agreement that you have if somebody says, I don’t want to process sensitive information? What are the contracts with third parties telling you? Are you making so much on targeted advertising that it is worth a potential fine? Can you cure in 30 days if necessary and what would be your plan to cure? Do you even have an internal process to get those regulatory letters to the right people?

In the end, operationalizing privacy, whether it is multi-state, single state, or globally, comes down to the basics. Questions need to be answered, competing requirements resolved, and decisions made.

“I was looking at an agreement with a third party,” relates Garone, “that we’re buying information from for prospecting. Going through the list of data elements…I found one was latitude and longitude. Why are we asking for precise geolocation? What are you going to do with that that you are not already getting? You’re going to have to protect it like you protect a credit card number. So it was struck.”

There are a lot of new common-denominator obligations:

Notice at point of collection. Updating privacy notices. Third-party due diligence for those with whom you share data. Contracting those third parties so they uphold your data the same way you’re obligated to. The ability to provide and honor rights – not only effectuate those rights and collect consent – but to pass those signals throughout the ecosystem.

All that is really hard to do.

—Rick Buck, WireWheel
