IAB tells Congress to pass broad privacy legislation, but outlook is mixed

IAB CEO Randall Rothenberg and EVP Dave Grimaldi delivered testimony to both houses of Congress on the industry’s desire for federal privacy legislation to avoid the impact of new state privacy laws that could create massive compliance headaches for the martech and ad tech industry next year. Despite compelling arguments against an emerging “patchwork” of state privacy laws, however, the outlook for new privacy rules in Congress before the 2020 election is unlikely.

Intent of state laws praised, methods decried. In testimony before the Senate Commerce Committee, Rothenberg praised the intent of the California Consumer Privacy Act (CCPA) and other emerging state laws meant to protect consumer privacy. However he caution that “elements of these proposals are reactive and risk stifling what should be understood as a uniquely American technological advantage.”

Rothenberg also advocated for an industry-government collaboration modeled on automotive safety regulations. “Our goal should be to find the three or five or ten practices and mechanisms – the seat belts and air bags of the Internet era — that companies can implement and consumers can easily adopt that will reinforce privacy, security, and trust.”

‘Don’t follow GDPR, CCPA’. The IAB’s Grimaldi, testifying before the House Subcommittee on Consumer Protection and Commerce, counseled Congress to avoid relying on the EU’s GDPR or CCPA as models.

“These frameworks are not new approaches, only more restrictive versions of the existing privacy paradigm. While well-intentioned, their rigid frameworks impose significant burdens on consumers, such as rampant over-notification leading to consent fatigue in consumers and creating an indifference to important notices regarding their privacy,” said Grimaldi.

While they may impose burdens on consumers to consent to data collection (pop-up fatigue), the real burdens are imposed on the companies to comply with the rules. In contrast to these “old frameworks,” the IAB asked Congress to develop new rules about data collection practices, governed by several principles according to the testimony:

• Prohibitions on a range of harmful and unreasonable data collection and use practices specifically identified
• Distinguish between data practices that pose a threat to consumers and those that do not, rather than taking a broad-brush approach to all data collection and use
• Incentivize strong and enforceable compliance programs, and thus universalize compliance, by creating a rigorous “safe harbor” process in the law
• Preempt state privacy laws

State laws with teeth. Though consumer benefits lead the discussion, the IAB and other business groups ultimately seek to avoid the operational burdens and financial penalties embedded in some of the state laws. For example, CCPA may gain additional amendments that would allow consumers to sue individually and as a class for monetary damages for violations of the law. That could expose technology companies to billions of dollars in liability. Currently there are only regulatory penalties.

Other states such as Massachusetts and Washington have pending privacy legislation that in some ways go beyond CCPA. Both impose statutory monetary penalties per data breach or incident. This is what the industry is really afraid of, not to mention the compliance nightmare of dealing with multiple state privacy frameworks, creating considerable uncertainty about which ones to follow.

Why you should care. When GDPR took effect very few companies in Europe were prepared, despite many press releases to the contrary. The same thing is happening in the U.S. it appears. Other than the largest technology companies, few in the industry have processes in place to get ready for CCPA in 2020, not to mention other potential state laws that may go further. In the interim, there will be litigation that argues laws like CCPA violate the Commerce Clause of the U.S. Constitution because they seek to regulate interstate commerce.

Regardless, companies need to start educating themselves about CCPA (and other laws) and get ready for a very different privacy and data collection environment — whether it’s governed by CCPA, a more aggressive FTC or new federal legislation.