What the US data protection law will mean for ad tech and marketers

We’re at a pivotal time in the marketing industry. It has been nearly a year since GDPR arrived in the EU, but the repercussions are still being digested in Europe and beyond. Meanwhile, on the other side of the Atlantic, a data protection ripple effect has been felt far and wide. It is now more vital than ever for marketers to pay due diligence on matters of their data, as well as the data of their partners. But how did we get to this point and what can marketers do to ensure they are in step with the recently proposed regulations that came about in the aftermath of GDPR?

Beyond GDPR

On the heels of GDPR arriving in the EU in April 2018, a private bill defining new online consumer data protection was proposed in California. However, to sidestep the Golden State’s strict rules on such cases, the privately-brought bill was effectively torpedoed by a traditionally-crafted piece of law we now know as the California Consumer Privacy Act (CCPA), which has a defined launch date of January 2020. To quickly push out the regulation, some inconsistencies were overlooked and are in the process of being ironed out.

As these privacy initiatives quickly picked up steam, organizations scrambled to adhere to industry standards. We learned from GDPR that despite a solid two-year period leading up to the law, very few companies actually made efforts to comply until just months before it was implemented. Many observers were surprised that in some cases, the CCPA was, in fact, more onerous than GDPR – an example being that personal data has an even broader definition under CCPA. In the background, while CCPA continued to work its way through the statutory plumbing, another player entered the game.

During his infamous Senate hearing early in 2018, Mark Zuckerberg opined that some regulation is “inevitable.” This statement generated support for a federal privacy law of some kind. With the publication of the CCPA draft text, progress accelerated, not least because of the CCPA’s strict yet ambiguous terms. Key stakeholders argued that a new federal law should, unusually, take precedence over state laws (whereas normally the inverse is true). This growing momentum culminated in a Request for Comment [.pdf] process kicked off by the National Telecommunications and Information Administration, to ascertain what such a federal framework might look like. With the Request for Comment period now closed, it has been revealed that 217 comments were made, from a variety of tech vendors, privacy advocates, brands, government agencies, trade bodies and individuals.

It now remains to be seen how quickly those comments are translated into a federal framework, whether that takes precedence over CCPA, and how well it aligns with GDPR. With all these potential changes in the works, how do marketers fit into the equation and how can they best prepare for the next updates to privacy regulation?

What marketers can do to stay aligned with privacy regulation changes

The core concepts of data protection we can expect to see are transparency and control of data processing, allowing consumers to see what data is being processed, request its removal or transfer and to opt out of such processing.

If you’re in California (or have significant business interests there), it is important to be aware of CCPA, with all its quirks, and expect to comply towards the end of 2019. Elsewhere, pay close attention to how the federal law develops, as this may render CCPA redundant.

Considering recent learnings from GDPR, precautions should start internally. Marketers specifically need to examine how they are targeting consumers and what data they are collecting from them.

• “Can our business fully function without this data on hand?”
• “How are the vendors I work with accredited?”
• “Do I need to consider including a data addendum in contracts for partners?”

These are some of the questions marketers should ask themselves. In an ideal world, marketers should do their best to gain consent of the data they are collecting from the consumer. While this is a challenging task, marketers will need to get creative with the ways they target consumers.

Finally, the best way to ensure something gets done is to hold someone accountable. Companies should be appointing someone to own this initiative and stay up to speed on privacy developments via the IAPP.

U.S. marketers should be wary of what has happened in the EU (at least for now) where volumes of data have dropped, and some data taps entirely turned off. However, it’s not yet time for panic, as the U.S. balance of sensibilities is quite different from the EU. It is to be hoped that the U.S. National Telecommunications and Information Administration absorbs some of the comments they’ve received, such as feedback from the implementation of GDPR and the response to the drafted CCPA text, in order to arrive at a federal law which, if done well, could become the new de facto global standard.

About The Author

Tim Sleath

Tim Sleath is vice president of product management and data protection officer at Exponential. Tim oversees the direction of Exponential’s ad serving platform and data capabilities as well as ensuring the product suite offers appropriate brand safety and data protection for clients, publishers and internet users. Prior to joining Exponential, Tim built the EU business solutions function and led product management at Specific Media. His product management experience outside adtech includes broadband networks at Regus, SMS infrastructure at Schlumberger and GSM systems at Sema Group. Tim holds an MBA from INSEAD, CIPP/E and CIPT from the International Association of Privacy Professionals and is Scrum CSPO certified.