In today’s Rundown, the ad industry is caught unprepared. Stateside, California’s privacy law, also known as the CCPA, is going into effect in just a few months. The rules are up in the air, as is the level of preparedness from the ad industry. Meanwhile, it’s also trying to figure out how to adjust for a cookie-less future, as data protection regulations call for some checks on how businesses use user data.
It’s time to officially start the clock on the advertising industry’s last-minute scramble to comply with the California Consumer Privacy Act before the privacy law takes effect on January 1, 2020. Last week. California’s legislative session concluded for the year. That marked the end of the amendment process that the advertising industry had hoped would clarify some of the law’s provisions, such as what the law considers to be a household and what qualifies as de-identified information and would thereby be exempted from the law.
Those questions remain up in the air, but the industry’s hopes for receiving answers before California’s privacy law takes effect on January 1, 2020, are falling. To be clear, it is possible that the ad industry will receive some clarifications before the law takes effect. The California attorney general’s office is charged with enforcing the law and is expected to issue sometime in October a draft of the rules it will use to enforce the law. However, it’s also possible that those rules will not be finalized until after the law takes effect.
California’s governor has until October 13 to sign or veto any amendments to CCPA that the legislature has passed. Whether or not the governor approves the amendments is almost beside the point since none of the amendments would meaningfully change the law with respect to online advertising. However, the AG’s office is likely to wait until the law is finalized to issue its rules. That’s when things get tricky. Once the AG’s office initially releases its rules, there will be a 45-day public comment period for the AG’s office to solicit feedback on potential changes to the rules.
If changes are made, then there would be another 15- or 45-day public comment period, depending on how substantive those changes are. If major changes need to be made to the initial set of rules, then that would mean companies would have to wait at least 90 days between when the rules are initially released and their final versions are made available, which would be sometime in mid-January after the law takes effect. (Are you still with me?)
Companies cannot afford to wait until the final rules are released to comply with CCPA. In fact, they cannot afford to wait another day to comply. The law includes a 12-month lookback window that puts companies on the hook for any personal information they have collected from California residents since January 1, 2019. Companies that had to comply with GDPR had a headstart in complying with CCPA because the European privacy regulation forced them to take an inventory of the data they collect from people, and companies that did not need to comply with GDPR have previously and repeatedly been advised to do this data management work.
However, it’s unclear to what extent companies are adequately prepared to comply with the law. One agency exec said that larger clients have already had wheels in motion to comply with the law and are likely to be prepared come January 1. However, smaller clients with fewer resources to expend on compliance had been waiting to see how the amendment process would shake out, a stance that privacy experts at law firms have similarly observed among clients with smaller budgets. “We expect to go lockdown in Q4,” said the agency exec. — Tim Peterson
Beyond the cookie
The scramble to figure out how to identify and reach audiences without relying on third-party cookies, is well and truly on.
Data protection regulators have called time on what many have for years, referred to as the “ad tech wild west” and are demanding businesses use individuals’ user data more responsibly. And yet, it’s the browsers rather than the regulators that have accelerated the current sense of urgency around finding alternatives to third-party cookies. Google has already culled its core attribution tool (DoubleClick IDs) on the grounds that it jeopardized its own data-protection compliance, while Apple continues on its anti-tracking warpath, closing off the ability to programmatically monetize Safari audiences. A continuous drumbeat of paranoia now runs under the surface at publishers and ad tech vendors in particular, that Google will in time further tighten data-privacy controls within future products.
Should that happen, the ramifications for the rest of the ad tech, marketers and publishers, could be severe. Meanwhile, the uncertainty over how long the third-party cookie will last is already causing digitally-savvy advertisers confusion over what tech to invest in, to drive 2020 customer acquisition strategies.
Naturally, there are opportunities to be had for those smart enough to figure them out first. Publishers are busy developing and pitching alternative forms of ad targeting which leverage their own authenticated audience data while bigging up contextual-targeting opportunities. Independent ad tech also prides itself on its ability to adapt to market challenges and fluctuations, but it will be some time before anyone will have the answer of what standardized currency can eventually replace the third-party cookie. — Jess Davies