If the current state of data privacy feels like a bit of a trainwreck to you, you’re not alone. In the US, we seem to be on our way to having 50 states all with their own data privacy laws before anything gets passed at the federal level. This lack of decision is affecting adaptation and innovation in the adtech industry. Many companies in the tech space have been frustrated because there is too much uncertainty and without precise rules and parameters, there is no clear path forward.
This article will explain what could be on the horizon for data privacy regulations, the changes technology companies are making, and what advertisers can do to stay compliant during the next few years of uncertainty.
What Is Creating Uncertainty in Data Privacy Regulations?
There are five main factors creating uncertainty in the direction of data privacy.
- New data privacy regulations continue to be created, which muddies the waters for companies operating across U.S. states and global regions. Example: Ebbie Yazdani, federal policy director at TechNet, described the cost of state regulations to privacy fellows at the National Press. “If we allow a patchwork of state laws to continue building, and/or if Congress is unable to fully preempt state laws, there’s going to be a tremendous cost to America’s economy and technology leadership,” Yazdani said, citing a study estimating that if 50 states enacted their own privacy laws, it would cost the economy $1 trillion over 10 years.
- Existing regulations are being amended to add further restrictions. California has already amended the CCPA with the CPRA, and existing federal authorities are extending their reach. Similarly, lawsuits add new definitions to regulations as they are decided, as the Schrems cases have in the EU. Example: The HHS (which regulates HIPAA) issued guidance that would make pseudonymous data PHI under HIPAA when it is collected on sites run by covered entities.
- Lawsuits are starting to create havoc, with added debate around how to enforce the regulations globally. Additionally, the private right of action in certain state privacy bills increases the likelihood of class action litigation. Example: Lawsuits and fines aren’t just happening in reaction to data breaches. In September 2022, Ireland’s Data Protection Commissioner (DPC) fined Instagram for violating children’s privacy under the terms of the GDPR. The long-running complaint concerned data belonging to minors, which was made more public when users upgraded their profiles to business accounts to access analytics tools. Meta is fighting the lawsuit, disagreeing with how the fine was calculated.
- The U.S. federal government is struggling to figure out its role. There have been attempts at federal privacy legislation, but they have not been successful, and existing federal bodies are extending their authority to try to cover this gap. Example: The federal government has made multiple attempts to pass federal privacy acts. The most notable is the American Data Privacy and Protection Act (ADPPA), which has not passed due to concerns over conflict with the California Privacy Act (CPA).
- Technology doesn’t have a clear path forward. Companies that collect digital data and build products around it disagree on the appropriate path forward because there isn’t a clear future state for privacy regulations. Example: Google Chrome continues to delay cookie deprecation and to enhance its Topics approach in the Privacy Sandbox, despite concerns from outside parties.
Throughout all of this uncertainty, data usage is under a microscope from state Attorneys General and EU privacy regulators. Every company collecting, analyzing, and using data is vulnerable to being targeted with a lawsuit and non-compliance fines.
Will a U.S. Federal Law Soon Usurp State Regulations?
At the end of the first quarter of 2023, there were five states with signed data privacy laws and another 19 are in the works—some of which have multiple active bills. It is expected that around four or five of these will get passed in 2023, with the rest to follow in 2024 and future years to come.
There have been a few attempts at the federal level to establish new data privacy regulations. Multiple federal leaders, including Sen. Amy Klobuchar (D-Minn.), have introduced federal data privacy laws without success. Sen. Suzan DelBene (D-Wash.) proposed online data privacy legislation that would give consumers control over their data and the Federal Trade Commission the right to enforce it.
The most well-known recent attempt has been the American Data Privacy and Protection Act (ADPPA). The ADPPA was a United States proposed federal online privacy bill that, if enacted into law, would have regulated how organizations keep and use consumer data. Unfortunately, advocates of California’s CCPA felt the ADPPA wasn’t strong enough to protect Californians. House Speaker Pelosi aligned herself with the Californian advocates, issuing a statement that the ADPPA, “must continue to protect Californians — and states must be allowed to address rapid changes in technology.”
The American Data Privacy and Protection Act (ADPPA) has bipartisan support and is the closest the U.S. has come to passing a comprehensive consumer data privacy law. But it hasn’t passed yet. In 2023, Rep. Cathy McMorris Rodgers is expected to reintroduce the bill.
Should the ADPPA at some point get passed into law, it is important to understand the differences between it and the CCPA. The ADPPA goes significantly beyond the CCPA in placing the burden of protecting information on those that process it instead of the individuals who generate it. Here are some of the key differences:
- It spells out and limits the allowable uses of data.
- It requires privacy and algorithmic impact assessments.
- It extends civil rights protections online, protecting against manipulation.
- It provides the individual a much broader right to sue.
The ADPPA would be the first comprehensive privacy legislation to extend civil rights protections to discrimination in the use of personal information and require all businesses and nonprofits to incorporate privacy by design when assessing their use of algorithms.
But will it pass anytime soon?
There is significant polarization on this topic that is creating paralysis. With more states having their regulations come into effect in the near future, it appears that the federal government will look to the states’ experience to form a template for how this will work at the national level. This means we may be years away from seeing a national regulation that clarifies and simplifies data privacy compliance.
What Is the ePrivacy Regulation Relative to GDPR?
The General Data Protection Regulation (GDPR) is the European Union’s data privacy regulation. It has been in effect since 2018 and is widely considered the strictest such regulation globally.
The ePrivacy Regulation has also recently been proposed in the EU. This regulation creates a consent standard for cookies. It also sets some ground rules for when data may be processed, for example through the use of pseudonymized or anonymized data. The regulation will apply to traditional electronic communication service providers, such as mobile and landline telephone operators, but will also cover Internet-based services such as email, instant messaging, and VoIP apps, as well as machine-to-machine communications such as the Internet of Things (IoT).
While GDPR only applies to the processing of personal data, ePrivacy regulates electronic communication even if it concerns non-personal data. Also, in the case of cookies, ePrivacy generally takes precedence. It is expected that the ePrivacy Regulation will take effect sometime in 2023, and there will be a 24-month transition period.
Toward the end of 2022, the US and EU signed an agreement called the EU-U.S. Data Privacy Framework, which regulates the collection of data by the US and EU governments on each other’s citizens. This replaces the previous agreements (Privacy Shield and Safe Harbor), which had been overturned by the Court of Justice of the European Union (CJEU) over concerns about uncontrolled government surveillance of EU data subjects. The new agreement imposes limitations and safeguards on access to data by US intelligence agencies and establishes an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.
How Is Adtech Changing to Account for Data Privacy?
Google continues to push back its third-party cookie deprecation in Chrome, which has now been delayed until the second half of 2024. Google is trying to create the appearance that the Privacy Sandbox is viable so it can meet its commitments to the UK CMA.
The World Wide Web Consortium (W3C) recently said that Google’s Topics ad platform is not good for privacy and that it will not work on it. The W3C Technical Architecture Group (TAG) raised a series of concerns in its early design review of the Topics API. The TAG representative wrote that Google’s proposed Topics API fails to protect users from “unwanted tracking and profiling” and maintains the status quo of “inappropriate surveillance on the web,” adding, “We do not want to see it proceed further.”
Browser engine developers WebKit and Mozilla have also spoken out against Google’s approach, warning of privacy deficiencies. Mozilla went so far as to say that Topics is “more likely to reduce the usefulness of the information for advertisers than it provides meaningful protection for privacy.”
While Google works to come up with a workable solution, companies are still able to make use of third-party cookies from Chrome users. While that is good news for some, the delay is also postponing development efforts for alternative solutions and keeping data privacy as a continued concern for advertisers working with this data.
Meanwhile, major European telecoms have obtained permission to create their own advertising platform instead of losing business to big tech. Orange, Vodafone, Telefónica, and Deutsche Telekom are creating TrustPid, a joint advertising platform. Development of their own “privacy first” advertising platform has been in the works for two years. It will allow the four businesses to build a competitor to major tech companies including Amazon, Apple, Google, and Meta. Because it is being developed in accordance with the GDPR and the upcoming ePrivacy Regulation, it may well become a privacy template for future advertising platforms.
US companies are following this closely as EU regulators have been saying for years that the only way to pull info from the terminal equipment of a user for ad targeting is via consent. But the regulations make consent incredibly difficult to obtain. If TrustPid has figured out a way to make this happen, the world will be interested to see what they are doing that the EU regulators like.
Universal IDs (UID)
EU privacy regulators are encouraging tech companies to move toward requiring consent for any UID. However, they have a big problem with the way Apple is implementing this. Apple’s App Tracking Transparency policy forces app developers to display an additional (Apple-designed) prompt asking end users for permission for the developer to “track” them, even when the user has already consented to the sharing of their data through the developer’s own consent tool. Concerns that this removes data-based competition and consumer choice across the Apple ecosystem have triggered investigations by multiple European authorities.
Bottom line? For now, obtaining consent is king. But there still isn’t a clear path for the future.
What Can Advertisers Do to Protect Themselves amid the Uncertainty?
Eventually, the U.S. federal government will come through with legislation that clears up the confusion amongst the state laws. And eventually, Google will finally deprecate third-party cookies. However, both of these major changes are likely a few years out.
In the meantime, advertisers need to ensure they are working with data providers who comply with the data privacy regulations currently in force. Understanding the main aspects of the US state-level regulations helps you validate that third-party data providers are privacy-compliant. Look for data partners that offer multiple options for handling consent (both opt-out and opt-in). They will also have plans in place for handling data requests and privacy lawsuits.
Key aspects of privacy-compliant third-party data providers:
- They use a broad definition of personal information that includes pseudonymous IDs, matching the regulations, which now treat pseudonymous IDs as personal information. Note: Every ad tech company has a unique ID, and processing that ID is still processing personal data, so make sure they handle it appropriately.
- They have clear opt-outs and opt-ins as needed. A privacy-compliant provider will offer a clear opt-out and will require opt-in for sensitive data such as health, religion, etc.
- They have a way to handle data subject access requests. Pseudonymous data is hard to verify when a request comes in. A privacy-compliant provider will have already worked out how to do this.
- They have a plan for handling a private right of action. Individuals can sue under a private right of action, and Attorneys General can sue to enforce the laws, so it is important to know that your data provider has a plan to address and demonstrate compliance before a formal lawsuit is filed.
Making sure your data partners are working within the data privacy regulations today and into the future is critical. It is better to plan for the strictest restrictions now, before it’s too late, and the only way to do that is not to go it alone but to work with a privacy-first data partner like ShareThis.