Data Privacy Legislation and Digital Advertising
Read time: 6 minutes
Global regulation around data privacy has the potential to completely reshape the advertising landscape.
GLG spoke with Peter Kosmala, Former Vice President of Platform at Dataxu, to unpack some of the latest legislation in California and Europe, and what it means for the industry. Below are a few select excerpts from our broader discussion.
How does the California Privacy Rights Act (CPRA) differ from the California Consumer Privacy Act (CCPA)?
The CPRA is essentially a ballot initiative that will layer over the existing CCPA law. CCPA was enforced in January 2020 and sets forth some significant requirements for organizations that are serving or using the personal data of California residents. But there was some significant lobbying against the law from the industry that removed certain provisions. CPRA is an attempt to get those back into the law.
CPRA would strengthen the existing CCPA by giving a definition to data sale, service provider, and sensitive personal information, which were defined rather vaguely in the original CCPA.
What this new law means is a very European-style approach to data privacy regulation in the United States. This hasn’t really existed before. The concern from a business standpoint is that we’re going to see a lot of different U.S. states crop up, like California, and stand up in the absence of law and try to enforce their own requirements.
How does E-Privacy in Europe differ from what we’ve seen with GDPR (General Data Protection Regulation)?
In Europe, they’ve had a separate privacy law called the E-Privacy Directive that’s been in effect since 2002. It was amended in 2009 to address cookie consent requirements. But now, like the GDPR before it, they decided that they want to convert what’s essentially a framework into a binding regulation.
The E-Privacy regulation is a similar proposal. It has not yet been passed, but it seeks to take what the E-Privacy Directive that currently exists did — but make this a little bit more vigorous in its enforcement, and attach actual fines to it, and others of significant requirements. Previously, the E-Privacy Directive applied only to telecommunications services and companies. Now, they’re expanding through the E-Privacy regulation and including things like all electronic communications, whether that’s voice, email, text, Wi-Fi providers, etc. It’s even going into ancillary areas, like the internet of things and CTV, connected television, or over the top. These are all areas where personal data comes into play, and that this regulation will seek to address.
How long do advertisers have to become compliant once this is placed into law?
It will be a good year or more before CPRA goes into force, so there will be an opportunity for businesses to get ready, depending on their size, scale, and familiarity with the requirements and what personal data they have. They’ll have to go through to inventory their data, classify it properly, and determine, in consultation with their privacy officer and their legal and technical experts, what comes under scope of the law.
In the European example, I think we’re still far away from that approaching. And when they ratify it, there should be at least a year before the data protection authorities would start to apply their power under that law. Organizations need to be thinking about it now, though, rather than waiting for it to come out.
How are international advertisers thinking about these policies and being compliant across state borders here in the U.S., as well as internationally? Would they take an approach of restructuring by market or aim to be compliant to all these things in every state or country?
It really depends entirely on the risk threshold of the company and what they’ve determined to be their sensitivities and strategy. But playing that conservatively could be very labor intensive and expensive, when in fact those legal requirements don’t apply in quite the same way in, for example, countries in Latin America, or emerging privacy regimes in Asia or the Asia Pacific region, or even Canada or Mexico.
What are your thoughts on the potential impact of the 2020 election on the advertising landscape?
Given everything that’s going on right now with COVID-19, and all the urgent matters relating to the economy, the environment, and immigration, the question is: where does data privacy or data-driven advertising or digital media fare relative to that? I am a little doubtful that we’ll see immediate movement on these issues as the first agenda item coming out of the new administration.
If there are hearings, however, you can expect to see some consistent viewpoints from both parties. Republicans are pressing tech companies on data issues for slightly different reasons. It has more to do with freedom of speech and having open and fair representation of different viewpoints. For the Democrats, it’s more of a pure privacy issue. Do consumers have a voice in this process? Are their interests and preferences being reflected? Do they know what’s happening? Is everything being accountable and transparent in the process? So, they are pushing it more from a pure privacy standpoint, but nonetheless, those are two aligned points of view when it comes to moving forward what would be a first federal law.
With the growing interest in video advertising and some of the growth that we’ve seen in CTV over DSPs in the last maybe year or two, how are regulators thinking about user data stores for companies in the OTT and CTV space?
Advertisers want to know and want to connect with consumers who are not only attractive to them demographically but have also demonstrated a real investment in the product or the service, like a Roku where they’re fully engaged in the content. And if you’ve got the data in store to help enrich that understanding of who that customer is and how to market to them over time and build strong conversations, that is an enormous asset.
About Peter Kosmala
Peter Kosmala is a digital media pioneer and a recognized thought leader in data privacy. Currently, he advises clients in the finance, IT, and advertising sectors on the evolving business and regulatory environments for digital media and data privacy as founder and principal of PRIVAT LLC. Peter formed the nucleus of the first online ad sales team at WIRED magazine and Hotwired, the first ad-supported website. He served as the first managing director of the Digital Advertising Alliance and oversaw the expansion of the YourAdChoices consumer data preference program. Peter also managed the self-regulatory program for the Network Advertising Initiative, one of the earliest online advertising trade groups. He was instrumental in growing the International Association of Privacy Professionals (IAPP) from a tight-knit compliance community to a global membership body as its first Vice President. He led the creation of the first professional certification in data protection, the IAPP Certified Information Privacy Professional. Prior to founding PRIVAT, Peter held senior technology and public affairs roles at both companies and trade associations. He has represented industry in technical standards bodies, working groups, and policy roundtables. His roots are in the advertising business at agencies MVBMS Partners/EURO RSCG and Wells Rich Greene/BDDP.
This digital advertising industry article is adapted from the October 21, 2020, GLG Teleconference “Advertising Landscape: Evolving Regulation and Tech Stack” If you would like access to the full teleconference transcript or would like to speak with digital advertising industry expert Peter Kosmala, or any of our more than 700,000 industry experts, contact us.
Enter your contact information below and a member of our team will reach out to you shortly.
Subscribe to Insights 360
Enter your email below and receive our monthly newsletter, featuring insights from GLG’s network of approximately 1 million professionals with first-hand expertise in every industry.