Why media agencies are prioritizing building privacy expertise this year as a host of new laws roll out

“Privacy is a pretty common word that means so many different things, depending on what your businesses are, what you do and how you want to apply it,” said Ashwini Karandikar, evp of media, tech and data at 4A’s. “Globally, the application of policy [varies] by country, by continent, by region, by marketer.”

Meanwhile, Europe’s General Data Protection Regulation (GDPR) continues to crack down on privacy violations. The European Commission will soon require EU nations to share GDPR investigations and actions taken on them every two months to step up enforcement. For example, the board in January pushed Ireland to raise a data processing fine on Meta from $30.4 million to more than $420 million.

Building privacy expertise

For some agencies, it has become necessary to bring on legal and privacy support. At some of the larger holding companies, it might mean additional hiring on the data and privacy teams and dedicating more resources to this area, Karandikar explained.

“There’s also a lot of work being done with external experts seeking external counsel on these topics,” Karandikar said. “Agencies of all sizes now, not just holding companies anymore, are starting to dedicate resources towards this topic, because it is now material [in order to] do business across the board.”

As Stacey Stewart, U.S. chief marketplace officer at UM, previously mentioned to Digiday, consumers are also getting savvier in understanding how they are tracked online with cookies. And with the increase of privacy laws, she said it made sense for UM to add a chief privacy officer in 2020 and a privacy lead member on each of its accounts. Stewart believes more agencies will have to spend more time working closely with legal as the laws evolve.

Arielle Garcia, chief privacy officer at IPG’s UM Worldwide, sits on the business side and said her role is a unique marriage of two fields within privacy and media agencies. She oversees compliance and client support, and increasingly agencies have developed or embedded privacy roles in their product or account teams.

“This has different flavors at different agencies,” Garcia said. “Either way, it takes someone that has both a strong understanding of regulations and is tracking those developments, but also understands adtech and the data flows … so you kind of need a marriage of both skill sets.”

UM has also recently expanded its efforts to create client privacy champions to focus client needs. Eventually, Garcia said the goal is to both have a central team that is tracking privacy, but also build a “foundational competency” across disciplines to support clients.

Consumers come first

Privacy rules center on protecting consumers. With the rules quickly evolving, agencies will have to be ready to adapt and prioritize their commitment to consumer safety — or risk violations that could erode client trust.

It’s no longer enough to just follow a set of privacy rules, said privacy and data expert Mark Ailsworth, vp of partnerships at security analytics company Opaque Systems. Companies have to focus on mitigating data mishandling and “become trustees of consumer privacy, not just abiders of the rules and laws,” Ailsworth explained.

Besides respecting opt-out and consumer consent at every point of communication, Ailsworth advises rehearsing privacy policies with clients. He suggests that some agencies could benefit from a regular quarterly review and a process to determine the responsibilities of each party.

“Assume the responsibility to record, recognize, and respect opt-outs are yours alone — rather than relying on partners to make the necessary changes,” he said.

Garcia mentioned also watching the Federal Trade Commission closely as children’s online protections and personal or sensitive data privacy regulations develop in the administration.

“That is what we’re watching regularly,” Garcia told Digiday. “On the U.S. side, the FTC is vocal, aggressive, ambitious and really has their sights set on what they deemed to be the most harmful practices. They’re taking a super broad view they have the authority to enforce against practices that are unfair and deceptive.”

Different state regulations

A handful of U.S. states will continue to roll out various data protection laws in 2023, from Utah to Virginia. As these take shape, agencies and their clients need to quickly research the regional differences and understand how it impacts their advertising operations in each area. On top of that, firms still have to comply with ongoing GDPR and California Consumer Privacy Act protections.

“We are actively engaged with agencies and not only discussing how they would be dealing with it statewide, but also taking meetings [with lawmakers] … to really understand how the government is expanding,” Karandikar said.

This means it will be important to stay updated with and review regulatory changes and implement regular internal reviews of these policies, Ailsworth added: “Some state privacy rules have wildly different business eligibility thresholds, so it’s important for companies to be sure that as they grow, they’re keeping up with individual state requirements.”

Media agency Good Apple, for instance, works with health and pharmaceutical clients in certain states where they have to remove targeting due to strict regulations. And in some cases outside of the U.S., targeting restrictions can be  even stricter, said Hyun Lee-Miller, vp of media.

“We have to be very privacy-forward,” Lee-Miller said. “[We are taking] that approach and [adapting] with what’s going on in the industry … that has been moving towards a more consumer-first, privacy-first era.”

And for agencies that are prepared with California’s Privacy Rights Act (CPRA) and CCPA compliance, the good news is that rules in other states should not be too much of a heavy lift. Garcia said the majority of client discussions have revolved around CCPA, which was the first data protection law in the country.

“Being ready for one puts you in a good position to be ready for the other state laws,” Garcia added. “I can’t say outright that CPRA is most stringent – it’s too nuanced to make that type of a hardline claim – but certainly it introduced the most kind of new concepts.”