Publishers are preparing for 2023’s new consumer privacy laws

Melissa Cooper, vice president of privacy and compliance, Sovrn

It seems like only yesterday that publishers were scrambling to understand the ramifications of the General Data Protection Regulation (GDPR) in the EU and U.K. and the California Consumer Privacy Act (CCPA). A new set of state-specific privacy regulations is scheduled to take effect in 2023. 

Starting in 2023, five U.S. states (California, Virginia, Colorado, Connecticut and Utah) will require companies to offer an opt-out on the collection and sale of personal data, as well as targeted advertising. California’s new regulation amends and expands on the requirements of CCPA, while the other four represent an entirely new set of obligations. 

A new approach to consent

U.S. data privacy laws are currently built on an opt-out model, meaning personal data can be collected and processed unless the individual indicates otherwise. 

However, many new laws require companies to provide notice at the time data is collected. 

The new laws take effect throughout the year, and while all five state laws feature similar language, their requirements differ slightly. 

For instance, California and Colorado require companies to respect a “universal opt-out” signal, and the states plan to publish technical specifications on how to comply with their requirements. Colorado further requires that, as part of respecting the opt-out signal, companies must “…be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation.” 

Meanwhile, neither Virginia nor Utah include an obligation to respect a universal opt-out preference signal, but they do require companies to provide a way for consumers to opt-out.

In the world of digital advertising, where auctions happen in a matter of milliseconds, these new approaches present a significant challenge, but a consent management platform (CMP) can streamline a publisher’s compliance efforts. This tool presents site visitors with choices according to state-specific requirements regarding using their personal data, which can be compiled into a consent signal and leveraged by all downstream partners.

Each of the five state laws uses unique revenue and data volume thresholds to determine applicability and specific exemptions. Publishers should consult with legal counsel to determine which laws apply and how best to comply with the relevant requirements. That said, even small publishers that fall below these thresholds should prepare for the new requirements, as the technology partners and other vendors they work with are likely subject to the new laws. A few examples include privacy policy disclosures, notice at the time of data collection, opt-out mechanisms and processes for supporting the exercise of data rights.

New technology aids in compliance

These new and varied consent requirements present a significant technical challenge for publishers, largely because they lack visibility into the residence of each site visitor. This makes it difficult to determine the applicable data rights — and indirect identifiers like IP addresses tend to be fallible with so many people using mobile devices or a virtual private network to mask their location.

Fortunately, publishers have a powerful, proactive partner in the Interactive Advertising Bureau (IAB). The IAB Tech Lab was instrumental in developing the California, U.K. and EU consent signals that have been widely adopted for CCPA and GDPR compliance. 

After two years of industry collaboration, IAB Tech Lab has released the Global Privacy Platform (GPP). This flexible, scalable technology can pass privacy, consent and consumer choice signals from a publisher’s CMP via the browser or an API. It provides a framework for all parties across the digital advertising supply chain to recognize and act according to each consumer’s preferences on personal data processing and targeted advertising.

How publishers are preparing to future-proof their revenue

At the end of the day, online publishing is a business. And while it’s critical to safeguard consumer privacy and stay in compliance with ever-changing laws, publishers must also protect their ability to earn revenue. 

Using a CMP and the IAB’s GPP makes it easier to comply with complex privacy regulations — without reinventing the wheel. They also help to streamline compliance throughout the digital advertising supply chain so a publisher’s downstream partners can support their revenue opportunities.

Publishers know their audiences better than anyone else and are well-positioned to gather information about users directly whenever they visit. Collecting first-party data does carry notice and disclosure requirements, but the rules surrounding its use are more flexible than for third-party data. And first-party data provides valuable insights for advertisers, who are willing to pay premium rates for access to relevant, engaged audience segments.

Relying on partners is critical, whether it involves publishers reaching out to their partners throughout the advertising ecosystem or joining an IAB working group. Most will be more than happy to discuss their approach to data privacy and demonstrate how their tools and technology can support your compliance efforts.

While the future of privacy legislation is impossible to predict, there’s no question that laws around the globe will continue to evolve. Taking advantage of technologies such as the IAB’s GPP will help publishers adapt to changes in existing privacy regulations and quickly implement new technical requirements. 

Sponsored by: Sovrn

More from Digiday

With the rise of the chief AI officer, it’s time to examine ‘czar’ culture

Even if it’s a familiar pattern — hot new thing, new C-Suite exec to tackle said thing, a few years go by and that C-Suite position no longer exists as everyone is now doing said thing (or it was a fad that has since faded away) — does it make sense for businesses to continue to appoint new czars with every new trend? 

Why Cava’s bid for brand awareness means prioritizing streaming ads

Fast-casual restaurant chain Cava has been in growth mode over the past year and is leaning into streaming ads in an effort to boost brand awareness.

A history of middle manager stress: The Return podcast, season 3, episode 1

In episode one, McKinsey partner Emily Field tells us more about why middle management is critically important to the workforce.