Melissa Cooper, vice president of privacy and compliance, Sovrn
It seems like only yesterday that publishers were scrambling to understand the ramifications of the General Data Protection Regulation (GDPR) in the EU and U.K. and the California Consumer Privacy Act (CCPA). A new set of state-specific privacy regulations is scheduled to take effect in 2023.
Starting in 2023, five U.S. states (California, Virginia, Colorado, Connecticut and Utah) will require companies to offer an opt-out on the collection and sale of personal data, as well as targeted advertising. California’s new regulation amends and expands on the requirements of CCPA, while the other four represent an entirely new set of obligations.
A new approach to consent
U.S. data privacy laws are currently built on an opt-out model, meaning personal data can be collected and processed unless the individual indicates otherwise.
However, many new laws require companies to provide notice at the time data is collected.
The new laws take effect throughout the year, and while all five state laws feature similar language, their requirements differ slightly.
For instance, California and Colorado require companies to respect a “universal opt-out” signal, and the states plan to publish technical specifications on how to comply with their requirements. Colorado further requires that, as part of respecting the opt-out signal, companies must “…be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation.”
Meanwhile, neither Virginia nor Utah include an obligation to respect a universal opt-out preference signal, but they do require companies to provide a way for consumers to opt-out.
In the world of digital advertising, where auctions happen in a matter of milliseconds, these new approaches present a significant challenge, but a consent management platform (CMP) can streamline a publisher’s compliance efforts. This tool presents site visitors with choices according to state-specific requirements regarding using their personal data, which can be compiled into a consent signal and leveraged by all downstream partners.
Each of the five state laws uses unique revenue and data volume thresholds to determine applicability and specific exemptions. Publishers should consult with legal counsel to determine which laws apply and how best to comply with the relevant requirements. That said, even small publishers that fall below these thresholds should prepare for the new requirements, as the technology partners and other vendors they work with are likely subject to the new laws. A few examples include privacy policy disclosures, notice at the time of data collection, opt-out mechanisms and processes for supporting the exercise of data rights.
New technology aids in compliance
These new and varied consent requirements present a significant technical challenge for publishers, largely because they lack visibility into the residence of each site visitor. This makes it difficult to determine the applicable data rights — and indirect identifiers like IP addresses tend to be fallible with so many people using mobile devices or a virtual private network to mask their location.
Fortunately, publishers have a powerful, proactive partner in the Interactive Advertising Bureau (IAB). The IAB Tech Lab was instrumental in developing the California, U.K. and EU consent signals that have been widely adopted for CCPA and GDPR compliance.
After two years of industry collaboration, IAB Tech Lab has released the Global Privacy Platform (GPP). This flexible, scalable technology can pass privacy, consent and consumer choice signals from a publisher’s CMP via the browser or an API. It provides a framework for all parties across the digital advertising supply chain to recognize and act according to each consumer’s preferences on personal data processing and targeted advertising.
How publishers are preparing to future-proof their revenue
At the end of the day, online publishing is a business. And while it’s critical to safeguard consumer privacy and stay in compliance with ever-changing laws, publishers must also protect their ability to earn revenue.
Using a CMP and the IAB’s GPP makes it easier to comply with complex privacy regulations — without reinventing the wheel. They also help to streamline compliance throughout the digital advertising supply chain so a publisher’s downstream partners can support their revenue opportunities.
Publishers know their audiences better than anyone else and are well-positioned to gather information about users directly whenever they visit. Collecting first-party data does carry notice and disclosure requirements, but the rules surrounding its use are more flexible than for third-party data. And first-party data provides valuable insights for advertisers, who are willing to pay premium rates for access to relevant, engaged audience segments.
Relying on partners is critical, whether it involves publishers reaching out to their partners throughout the advertising ecosystem or joining an IAB working group. Most will be more than happy to discuss their approach to data privacy and demonstrate how their tools and technology can support your compliance efforts.
While the future of privacy legislation is impossible to predict, there’s no question that laws around the globe will continue to evolve. Taking advantage of technologies such as the IAB’s GPP will help publishers adapt to changes in existing privacy regulations and quickly implement new technical requirements.
Sponsored by: Sovrn
More from Digiday
How Bluesky hopes to win over publishers (and users)
Bluesky courts publishers with a simple pitch: trust and traffic.
Who are the winners and losers of Omnicom’s proposed acquisition of IPG?
While the deal’s official close is still a long way off and there may be regulatory hurdles to clear before the acquisition is complete, it’s still worth charting out who the winners and losers may be.
Holding pattern: Omnicom, IPG and the deal that’s leaving marketers on edge
How Omnicom’s proposed acquisition of IPG keeps marketers guessing.