PubForum+ went down this week amid a whirlwind of discussion about how privacy regulations will affect the future of ad tech, leaving monsters with a taste of cautious optimism, garnished with a dusting of third-party cookie jokes.
Speakers drilled down into granular questions around Apple’s Identifier for Advertisers (IDFA) restrictions and Google’s sunsetting of third-party cookies, however, larger questions loomed about the potential for federal privacy regulation, the broader impact of the recently-passed Consumer Privacy Rights Act (CPRA), and more.
GDPR, CCPA, CPRA, Oh My!
During the “And Then There Was CPRA” session on Thursday, Dec. 10, attorney Jessica B. Lee, Partner, Co-Chair, Privacy, Security & Data Innovations at Loeb & Loeb, LLP further broke down the distinctions between the California Consumer Privacy Act (CCPA), which passed into law in 2018, and CPRA, which passed into law last month.
“I hope you’re not upset to see me,” she joked to AdMonsters Senior Editor Lynne d Johnson, “because I feel like when I’m here, it means that there is a new regulation for us to talk about.”
Lee framed the CPRA as an amendment, put forth by the same lawmakers who introduced CCPA, to bridge the gap between CCPA and the European General Data Protection Regulation (GDPR) privacy law.
“If you break it down, CCPA does give consumers some rights and has some business obligations,” she said. “But at the end of the day, it’s really a law focused on third-party data sharing.”
So how does CPRA bridge the gap between that and CCPA? First things first, CPRA introduces new consumer rights. It also brings in principles of data minimization and storage limitation into the fold.
“This means you only collect what you need. You only store it for as long as you need to store it,” said Lee, explaining this was but one example of a GDPR principle being infused into the CPRA law. She added that, though it passed in November, CPRA won’t go into effect until January 1, 2023. This gives advertisers and publishers alike some time to get prepared.
What else does CPRA add that CCPA missed? For one, it draws a distinction between regulations around collecting personal information and collecting sensitive personal information. The latter term includes precise geolocation information, race, health information and biometrics, sexual orientation, ethnicity and other demographic information.
“Consumers will now have the right to limit the use of that information to only what’s required for the services,” Lee said. “So if you have a website that collects that information for some specific purpose, a consumer will have the ability to limit your use of that for additional purposes like advertising, marketing and profiling.”
Of course, CPRA will also require the need for more privacy language on publishers’ sites. In addition to a “Do Not Sell’ button,” you’ll also need to craft some context for users to understand how they can opt-out of sharing their sensitive personal information that has typically been used for cross-contextual Internet advertising.
The third major distinction that CPRA adds into law is the idea of algorithmic transparency.
“The GDPR limits the use of data for automated decision making, and this is kind of a play on that,” Lee said. “It ultimately means that companies will have to be transparent about how they use algorithms, whether that’s AI or machine learning to make decisions about individuals, placing them into audience segments, or making profiling decisions about them— and giving consumers the right to opt-out of that type of profiling.”
Lee acknowledged that these changes may upend a lot of the activities that PubForum monsters engage in on the daily, and reminded them that the CPRA will also be much more enforced than CCPA was because it also allows for the creation of a California agency dedicated solely to enforcing privacy rights. On top of that, the 30-day grace period that CCPA allows for organizations to clean house will seemingly be no more once CPRA takes effect.
Monsters should also expect CPRA to include more detail around the contractual provisions and language they have to include, including within agreements with third parties when there was a sale that didn’t exist before.
“My hope is that one day our regulators get together and decide on a set of contract language so that every two years we’re not updating these agreements,” said Lee.
The last change she highlighted was the inevitability of a global, browser-based opt-out button, which she stressed was actually already introduced in CCPA. While a study this year showed that opt-out rates didn’t rise as much as anticipated, that could easily change with more language around the sharing of sensitive personal information, or if browsers like Chrome introduce a blanket opt-out button.
“One benefit of the CPRA is that at least on its face… [it] gives you an option between either honoring this global browser-based opt-out or having the links on the site,” Lee said. She added that the specific language of the regulations may clarify this further.
Publishers are Primed to Benefit from Regulation
Lee noted that the industry has already been moving in this direction with Apple putting restrictions on IDFA and Google kicking third-party cookies to the curb. She also stressed that California is just a bellwether state for privacy laws that other states are already working toward, while countries across the globe are similarly building off elements of GDPR and CCPA to enact new legislation.
These changes ultimately mean good things for the publishers willing to get out in front of them. “Of all of the players in the ecosystem, the publishers are in the best position to capitalize on this moment,” said Lee, “deepening relationships with consumers and finding new business models to help the industry go forward.”
Meanwhile, Potential for Federal Privacy Regulation Looms Large
During his “A Most Unclear Programmatic Future” session on Tuesday, Dec. 8, Ratko Vidakovic, founder of ad tech consultancy AdProfs and author of the wildly popular “This Week in Ad Tech” newsletter, reminded AdMonsters Editorial Director Gavin Dunaway that federal regulation could still be very much in play.
“I know the industry is pushing for it,” Vidakovic said, “because nobody wants to have a CCPA in every state.” He then added that the question of whether federal regulation is coming may almost be irrelevant, as GDPR and CCPA already created conditions for platforms to make their own unilateral policy actions and decisions.
“I’m talking about Google and Apple,” continued Vidakovic, “and I think their policy decisions are far more impactful than anything that regulators have done up to date.”
In her Thursday session, Lee stressed that with the incoming administration a future federal privacy regulation became a lot more likely, specifically because of Kamala Harris and her track record as a former California Attorney General.
“She is behind a lot of California’s previous privacy regulations,” Lee said, “and privacy is very important to her. So I think people in D.C. feel very optimistic about now being the best possible chance to get federal privacy regulation.”
Vidakovic, meanwhile, expressed some skepticism over federal regulations. He believes that the impact of regulations, by and large, has been to create conditions for large platforms to “use the privacy narrative as a pretense for shutting down information… raising their walled gardens and using it in a seemingly anti-competitive manner.
For Lee, the likelihood of any federal regulation actually passing hinges on what happens with the Georgia runoff elections in January—if the House and Senate are divided, the gridlock that ensues will prevent such legislation from getting passed.
“But I think we’re going to get a federal privacy bill,” she concluded. “It will happen now. And we really want to be pushing. This is an opportunity to have a seat at the table because a number of organizations are really active like the IAB, PRAM, Google Sandbox. And if the industry groups are lobbying support and if we can get something done in the next two years, a lot of the pain points that I raise about CPRA might go away to a certain extent if we can have a more reasonable federal privacy bill. Then, I would say I’m cautiously optimistic.”