What to Expect from Privacy Laws in 2023
Moderator Michael Hahn, EVP and General Counsel of IAB and IAB Tech Lab, brought together a panel at the 2022 Summer Spokes Privacy Technology Conference (held June 22-23) to discuss the impact of various state privacy laws on digital advertising activities.
Joining Hahn for the session “What to Expect in 2023,” which offers practical guidance on managing compliance, are WireWheel Founder and CEO Justin Antonipillai; Sundeep Kapur, Senior Associate, Cyber, Privacy & Data Innovation at Orrick; and Crystal Skelton, Senior Corporate Counsel, ZipRecruiter®.
One button or two?
It depends on the ways in which a business is selling or sharing data. “If selling data in ways beyond the sharing or targeted advertising,” says Skelton, “then it might make sense for a company to offer two. But if they’re conducting solely targeted advertising, I would expect to see one.”
“But it’s also a balancing act. I often wonder whether having two separate links could make it less likely that consumers will exercise both of their opt-out rights. I do appreciate that the draft CPRA regulations provide an alternative opt-out link option…but, as many of you already know, there are additional requirements that come with that, including the use of an icon.”
“It remains to be seen whether companies will more broadly adopt the icon with the alternative opt-out or choose to offer one or more links on their website. Having this more neutral language helps provide flexibility, especially in states that have similar requirements but aren’t as prescriptive about the language that must be used.”
“Just don’t make it look like GDPR in Europe”
As much as our community spends time understanding what targeted advertising and cross-contextual behavioral advertising is, it’s not the kind of thing you can just show up at your family reunion and everybody knows what you’re talking about. And we’re seeing a lot of focus on how to make this easy to understand.
—Justin Antonipillai, WireWheel
“There’s a lot of hesitancy about putting on a link that says, ‘do not sell my personal information’ or ‘do not sell or share,’” says Kapur. “Providing privacy options seems a more brand-friendly way of providing that experience.” The link can be used for multi-state compliance, but it depends on what you want to combine.
“If you’re a publisher, maybe you want one link, and you’ll just drop the traffic if they opt-out. Same with advertisers. If you’re using internal data, maybe you want two: one for targeted advertising and one for sale and sharing because you’re relying on first-party data.”
“Request number one,” says Antonipillai, “when implementing consent mechanisms – especially for companies who have experience abroad – is ‘I don’t want this to feel and look like it does in Europe.’” That is a customer experience in which it is “really difficult to do almost anything when you go to a website or an app.” Companies in the U.S. feel that approach will cause people to disengage.
“We hear a lot of concern around making the user experience too complicated,” relates Antonipillai. “But if you start to abstract a lot of the individual choices, you get to a lot of different individual choices that might need explanation.”
The New Complexity of Consent Choice
The question becomes ‘how do we make it simple and create a frictionless user experience?’
Legal Consent is definitely NOT a one-size-fits-all solution
“How does ‘do not sell’ differ from ‘do not share’ or ‘targeted advertising’ as those terms are used in CPRA and the other state laws?” asks Hahn. “There is quite a bit of overlap.”
‘Do not share’ applies to disclosures specifically for cross-context behavioral advertising. That is to say, targeted advertising based off data obtained across non-affiliated digital properties. And any disclosure for that purpose requires a ‘do not share’ opt-out mechanism.
—Sundeep Kapur, Orrick
‘Do not sell,’ Kapur notes, is by contrast “any disclosure for any sort of consideration.”
There are some differences. ‘Do not sell’ is narrower. As a simplified example, Kapur offers the following: if you’re sharing data with a measurement provider – measuring campaign effectiveness – that may not be considered a share but could still be considered a sale if you don’t have a service provider agreement in place.
“For targeted advertising, the CPRA uses ‘do not share my data for cross-context behavioral advertising,’ while the non-CPRA laws have an opt-out for the processing of personal data for targeted advertising. They don’t focus on the disclosure of data for targeted advertising, but more generally the processing of it.”
And that’s not “just disclosing data through the bitstream,” advises Kapur, “which could be a share and also processing for targeted advertising.” It also impacts “publishers that use a combination of third-party data and their own data, and the targeted advertising opt-out would cover that.”
“So, in a bit of an ironic way, the opt-out for targeted advertising under laws like Virginia and Colorado is actually broader than the ‘do not share’ under California,” says Kapur.
“It’s a really important point to emphasize that the scope of targeted advertising is broader than the opt-out for share in furtherance of cross-context behavioral advertising.”
This answers the contention that I hear all the time, which is ‘California must be the most stringent law, so if I just comply with that, I must be good everywhere else.’ There is a fallacy in both the premise and the conclusion because actually the other laws are broader.
—Michael Hahn, IAB
“It’s definitely not one-size-fits-all. That’s the issue with having state-by-state privacy laws,” says Kapur.
Why do privacy laws have such a broad definition of “sale” of information?
“If you have a broad definition of ‘sale,’ with disclosures for monetary or other valuable consideration,” opines Kapur, “one could make an argument that when data is sent to a random ad server or across the pond to an adtech partner,” there is no valuable consideration there. “It is just disclosure.”
Ultimately, the broad definition of “sale” is there to ensure that disclosures for cross-contextual advertising are covered and that the business has some sort of opt-in mechanism.
I recently read an interview with Alastair Mactaggart stating that too many industry attorneys were taking the narrow view of sale (which was really never sustainable). Mactaggart saw that position being taken, so he put into the ballot initiative this new concept, which has been copied into all other state laws.
It wasn’t the most rational conclusion from a drafting standpoint, but it was a result of not the most rational approach being taken by certain corridors of industry.
—Michael Hahn, IAB
“The primary difference under the definitions is whether it includes valuable consideration in addition to monetary consideration,” notes Skelton.
“In California, Colorado, and Connecticut, valuable consideration is included in the definition, whereas in Virginia and Utah, it’s not.” All states, however, include some sort of separate targeted advertising or cross-contextual behavioral advertising component.
It’s an interesting place to be in right now because you want to potentially have a single mechanism to comply across the board. But you’re essentially playing whack-a-mole when you get these various state laws with different definitions, components, and requirements. It can be a precarious place to find yourself when you’re thinking about across-the-board compliance on a state-by-state basis.
—Crystal Skelton, ZipRecruiter
New contractual obligations under US privacy laws
“It’s not sustainable to have separate contracts for separate jurisdictions,” states Skelton. “For example, often, when you’re doing targeted advertising, you’re targeting consumers nationwide (or you’re using third parties to do so) and not necessarily using a state-by-state approach.
“Updating privacy and data security addendum templates to include the greatest common denominator to address all these state requirements may be a good approach, at least to start with, but you are going to have to navigate those specific differences in definitions and compliance requirements.
“Keep in mind,” cautions Skelton, that “under the CPRA draft regulations there are due diligence requirements for service providers and contractors. How can one reasonably do that in order to rely on the liability defense under the CPRA?”
“In some cases, it’s very difficult (though not impossible),” offers Kapur, “to get the right contractual privity. Certainly, when talking about the adtech ecosystem. For example, under the CPRA there is a requirement where if you are sending data to a third party (aka, a non-service provider) you need to have a contract in place with that third party describing the nature of the sale/share and other information.”
In some cases, if we take the broad view – which is certainly the view that regulators have been taking – looking into the nitty-gritty of the ecosystem, it can be really difficult to get to where everyone can sign on to something without some sort of industry-wide mechanism.
—Sundeep Kapur, Orrick
“For example, when you’re pinging a third-party advertiser ad server, that discloses personal information plus an IP address. If we’re going to take the broad approach and err on the side of caution, how do we get an agreement? There’s definitely an issue there.”
Liability, compliance, and diligence
“Just when you thought you knew the law, you didn’t,” says Hahn. “You thought you didn’t have liability for your partners, unless you had knowledge – or reasonably should have known – what they were doing. But now you don’t have that insulation unless you’re doing diligence.”
It took a little digesting just to wrap my head around what this actually means in practice. The sheer scope of what is potentially required by this. It not only goes through the procurement process. You’re looking at new vendors and your agencies.
—Crystal Skelton, ZipRecruiter
“You have to set up a regular cadence for review…it’s a tough position to try to be in. How do you start tackling this? Do you put in place these due diligence requirements now, or do you take a wait and see approach? These are draft regulations that may change. And it’s a significant burden,” opines Skelton.
“I have been hearing about a few different approaches,” says Hahn:
- An entirely unique experience with respect to each state
- Treating California consumers one way and then creating a common experience that complies with all the other laws (as those laws have greater commonality with each other than they do with California), and
- Not determining the location or residency of anyone who comes to the site and taking a national approach, trying to create a common set of baselines that will (hopefully) comply with all of the laws.
“A very important voice in this entire process is the CMO and the head of digital marketing who are trying to think through the customer experience,” opines Antonipillai.
Even when one explains what the choices are supposed to be to the consumer, and you start trying to make it simple, it comes across very confusingly. It’s exceptionally hard to explain what the consumer’s choices are. Even to an expert audience.
I see a lot of motion towards simplicity – trying to get a good consumer experience.
—Justin Antonipillai, WireWheel
Antonipillai goes on to note that WireWheel has been helping clients implement due diligence requirements for some time, “but I wouldn’t have guessed that it would have to be for everybody under all circumstances. That’s a huge undertaking.”
Importantly, says Antonipillai, the draft CPRA regulations “suggest that California is generally an opt-out place. However, if you’re using data in a way that’s not reasonable and proportional to the way that the consumer believed it would be used it almost starts to suggest that it becomes opt-in.”
This too makes the consumer experience very tricky. And tricky for business.
Looking to learn more about what is coming in 2023? Let us help you in your compliance journey.