
Media Law Resource Center

Serving the Media Law Community Since 1980

New Digital Advertising Regulations Require Operational Changes

By Gamelah Palagonia

Digital advertising depends on sharing and using consumer behavioral data, which may include selling that data to downstream third parties. Section 1798.115(d) of the California Consumer Privacy Act (CCPA) prohibits businesses from selling consumers' personal information that they do not receive directly from the consumer, unless the consumer has received "explicit notice" and is able to opt out of that sale. This creates uncertainty for downstream third parties that can't provide the explicit notice and/or opt-out opportunity to the consumer that websites and mobile application publishers can. Thus, the need for an industry compliance framework has arisen.

In September, numerous stakeholders in the digital advertising industry assembled at the Interactive Advertising Bureau's (IAB) headquarters in New York for a preview of its CCPA Industry Compliance Framework. To address the challenges of the CCPA's do-not-sell obligation, the IAB and IAB Tech Lab proposed a technical solution that includes the sending of a variety of signals by the publisher to downstream third parties in the advertising ecosystem. Furthermore, they sought to address the lack of a contractual relationship between the publisher and downstream third parties by developing a limited-service-provider contract, scheduled to be released by mid-November.

In addition to operationalizing CCPA's do-not-sell requests with downstream third parties, publishers and advertisers will need to develop a technical solution to integrate opting out of cookies on their websites and applications for cookie providers.

Operational changes required

CCPA and laws like it proposed in other states create new obligations and impose operational changes that many businesses have yet to fully comprehend. The first step toward CCPA compliance is recognizing that it requires a fundamental change in how businesses handle personal data.

Examples of operational changes are rooted in the CCPA's notice obligations:

  • "Notice at Collection of Personal Information" – CCPA requires businesses to provide notice communicating to consumers the type of personal data they are collecting and the purpose of such collection.
  • "Notice of the Right to Opt Out of the Sale of Personal Information" – CCPA requires businesses that sell consumers' personal data to communicate to consumers that they can opt out of the sale of their data to third parties.
  • "Notice of Financial Incentive" – CCPA requires businesses to notify consumers being offered financial incentives or price differentials in exchange for using their personal data.
  • Privacy policy – CCPA requires businesses to clearly disclose in a privacy policy their online and offline business practices regarding the collection, use, disclosure and sale of personal data.

One of the major obstacles that businesses face when implementing these operational changes is not properly budgeting for the costs of compliance.

Cost of compliance is high...

Legal, operational and technical costs associated with adapting business models to bring technology and infrastructure systems into compliance must be taken into account when budget forecasting. These costs will vary considerably based on the maturity and size of the business, industry sector, type of data collected or used, the geographic footprint and current data privacy practices and systems.

A recent CCPA Economic Impact Assessment Report prepared for the California attorney general's office by an independent research firm concluded that the CCPA could cost businesses $55 billion in initial compliance costs. In addition, total compliance costs for all companies subject to the law could be as high as $16 billion over the next decade, according to the report.

...But cost of non-compliance is higher

The California attorney general has enforcement powers and may bring actions for violations of the CCPA. In addition, consumers will have a private right of action only for the unauthorized acquisition of non-encrypted or un-redacted personal information and be entitled to the greater of actual damages or statutory damages of $100 to $750 per violation.

Enforcement actions by the AG and consumer private actions will both require notice to the non-compliant business and a 30-day period to remedy. If the violation is not remedied, the attorney general may seek an injunction and a civil penalty of no more than $2500 for each violation, or $7500 for each intentional violation.

Depending on the size of the class, the potential costs to defend AG actions and consumer private actions could often outweigh the costs of compliance.

Compliance with GDPR does not mean compliance with CCPA

Assuming compliance with the General Data Protection Regulation (GDPR) automatically equates with CCPA compliance could be a costly mistake for companies. While there are many similarities, there are also important differences. Unlike the GDPR, the CCPA applies to any data that can be directly or indirectly associated with a consumer or household. This is an especially important distinction when it comes to digital advertising.

Compliance with the CCPA will be costly and it necessitates operational changes. Consumer protection laws like the CCPA have been proposed in other states such as New York. Businesses that view the CCPA as a baseline and become compliant now will be better positioned to succeed and comply with future consumer protection laws. Another benefit to the responsible handling of personal data and compliance with consumer protection laws is a higher level of consumer trust, which is always a good thing.

Gamelah Palagonia is Senior Vice President for Network Security, Data Privacy and Technology Errors & Omissions at Willis Towers Watson. Her article was originally published on her company's Insights blog.

 