As data privacy remains a crucial focus in ad tech, upcoming concerns for 2024 include the enforcement of state laws like Washington’s My Health My Data Act, the exploration of PETs to navigate restrictions on sensitive data, potential shifts in business models to secure opt-in consent, and the need for companies to prepare for audits, assessments, and accountability amid a lack of federal privacy regulations.
Last year, for Data Privacy Day, fellow privacy lawyer Farah Zaman pondered whether the recent focus on data privacy in advertising would continue.
Well, another year around the sun, and data privacy is still a hot topic in ad tech. Data privacy and compliance are at the forefront of every publisher’s list of concerns. With cookie deprecation finally here, how could it not be? Whether ad tech is thinking about testing the Privacy Sandbox or alternative IDs, or even the lack of federal privacy regulations — data privacy remains a hot topic for the industry.
Here are five trends in data privacy where we’ll see a lot of action (or not).
5 Data Privacy Trends to Watch in 2024
The My Health My Data Act and Its Implications for Sensitive Data
This will be the year of reckoning for how we use sensitive data, with a focus on health-related data. 2023 brought us Washington’s My Health My Data Act (and its Nevada copycat), as well as multiple comprehensive state laws requiring an opt-in for collecting or using sensitive data (including sensitive data inferences). In 2024, those laws will either go into effect or regulators will start to enforce them.
In Washington, where private citizens can bring lawsuits against companies that violate their rights under the law, I expect to see almost immediate enforcement as class action lawyers will look to cash in on a new income stream. Everything from creating addressable audiences for pharmaceutical and healthcare companies to measuring an ad’s effectiveness will become more difficult in 2024 without consumer consent. While this problem is limited to a handful of states for now, this number will continue to increase in the next few years so that a state-specific approach (geo-filtering audiences) will no longer work. Companies will have to look to other options, which brings me to my second point.
Who Doesn’t Love PETs?
PETs will get a fresh look. There has been talk of privacy-enhancing technology for the last few years. With the rise in restrictions on sensitive data, companies will start to invest more into understanding the viability of PETs to help them reach audiences in a privacy-protective way (rather than engaging in privacy theater).
Regulators are also interested in this technology. Still, we should expect them to look at these solutions critically and employ experts to help them determine whether (from a mathematical perspective) these solutions can be used to deliver and measure advertising without revealing individual user data. Note: Data Clean Rooms are not PETs; they must leverage PETs to offer a privacy-safe solution.
Experiments in Consented Data
I have yet to see a widespread effort to get opt-in consent for using sensitive information in the states that require it. Likewise, I haven’t seen companies take advantage of the ability to ask California consumers to opt in to the “sale” of their data 12 months after opting out. However, the continual tightening of the faucet on data may push companies to have a change of mind. Companies may offer financial incentives or other benefits in exchange for consumer consent. Similar to companies experimenting with the “pay or ok” model in the EU, the shift in regulation will cause companies in the U.S. to think about whether business models here need to shift to weather these changes.
Audits, Assessments, and Accountability
Most state privacy laws include some combination of audit requirements, internal assessments, and accountability. Companies that share or make data available to other companies are not only required to have the right to audit those companies to confirm compliance with their contractual restrictions; regulators also expect them to actually exercise those audit rights (something that does not happen with widespread consistency today).
Companies must prepare to conduct and respond to audit requests, which means having information and documentation together. This has been a work in progress for many companies. Starting in March, these audit requests may also come from the CPPA (California Privacy Protection Agency) for companies subject to California’s laws. Likewise, regulators are discussing a new package of regulations requiring companies to assess their cybersecurity posture and the risks of using automated decision-making. Companies that do not have a process for evaluating themselves and providing that documentation to partners and regulators will have a lot of catching up to do in 2024.
All State, No Federal
I’m going to keep this short and sweet. More state laws. No federal law.