With California privacy law, industry tries to avoid a repeat of GDPR scramble

In August, the ANA and IAB were among 38 organizations that sent a 20-page letter to California state legislators asking for changes to the law, including a delay in the law’s implementation; clarification of the law’s de-identified data exemption, which is of particular interest to the programmatic advertising ecosystem; and language stating that targeted advertising does not qualify as selling people’s personal information when the ad seller does not provide the ad buyer with that personal information.

That letter led to a small victory for the organizations: An amendment to the law passed in August stipulates that enforcement of the law will not begin until six months after the California attorney general finalizes its regulations or on July 1, 2020, whichever happens first.

The potential for a six-month enforcement extension is not nothing, especially for companies that are starting their compliance efforts from scratch because they didn’t have to worry about the GDPR. Marketing technology company Cheetah Digital spent at least a year and a half getting its GDPR compliance program in place, said Cheetah Digital security analyst Alex Krylov. “As much lead time as possible to digest the regulations is crucial to any compliance organization,” he said.

To that end, the trade organizations are also assessing the law’s impact on their members and educating them. The ANA has been hosting webinars that have been popular, with as many as 70 people showing up, said Dan Jaffe, group evp for government relations at the ANA, with nearly 2,000 members.

By the end of September, the IAB’s legal affairs committee will formally convene a subcommittee that will be charged with drafting a guide to best practices and suggestions for compliance, said Brad Weltman, vp of public policy at the IAB. He expects the guide to be available by March 2019.

In the meantime, the IAB is advising companies to do an inventory of the data they collect and to categorize that data in accordance with the law’s sweeping definition of personal information. Companies will want to have completed that work before Jan. 1 because when the law takes effect, it will retroactively apply to data that companies had collected in the prior 12 months.

On Dec. 3 in New York, the MPA will host an event in part to educate members and non-members on the privacy law, said Rita Cohen, svp of legislative and regulatory policy at MPA.

That the industry’s education efforts are only beginning to ramp up may seem troubling. Companies have little more than 15 months until the law takes effect, and it took Cheetah Digital at least 18 months to comply with the GDPR. However, there could still be more amendments that could negate or complicate early compliance.

“Companies, however diligent they want to be in regard to the issue, are potentially shooting at a moving target,” said Jaffe.

Further complicating compliance efforts, the California legislature is on recess until after this year’s elections, so no changes or clarifications can be made until the next legislative session begins. As a result the earliest that any amendments are expected to be passed is February, said Jaffe.

“People are going to have to go forward and figure out how to operate in this vacuum right now, which is challenging,” said Weltman.