As an era of self-regulation ends, marketers fear uncharted, risky waters for data privacy

Marketers are scrambling to prepare for pending data privacy legislation in the U.S., namely the California Consumer Privacy Act of 2018 (CCPA) that could potentially bring significant fines down on non-compliant businesses when it goes into effect next year. While that law, which has been flagged by the major trade associations as being rushed and far too vague in its language, is essentially an inevitability, it has also heralded similar proposals for laws in states like New Jersey and Washington, suggesting that navigating digital advertising's legal waters will only get considerably more complex from here.

"This is the issue of the moment — it's certainly our No. 1 government priority," Dan Jaffe, group executive vice president of government relations at the Association of National Advertisers (ANA), told Marketing Dive. "Things are moving very quickly, [and] not just in California."

The arrival of the CCPA and other state-level bills that aim to offer similar consumer protections, but that will have potentially vastly different parameters, signals that the era of a largely self-regulated online environment is drawing toward a messy conclusion. As a response, there's a swelling movement among both the major ad trade bodies, including the ANA, and high-profile business executives, like Apple's Tim Cook, for a comprehensive, single federal U.S. privacy law — one potentially modeled closer to the EU's General Data Protection Regulation (GDPR). The challenge of sticking with myriad state-by-state bills, according to critics, is an unprecedented compliance headache that would demand marketers wrest complete control over their data and build out compliance teams, either internally or externally, that can assure data is collected and applied soundly based on what individual states deem fair.

"Even if they only have minor differences — and a lot of these privacy bills are not going to have minor differences — every time I have a different set of rules when I'm operating in such close capacity in all of these different markets, my opportunity for violating the rules goes up exponentially," Alison Pepper, SVP of government relations at the agency trade group the 4A's, told Marketing Dive.

And while many of these proposed state-level laws appear to be a response to controversies surrounding large digital advertising platforms, such as Facebook, they could end up pinching smaller businesses that don't have the time, resources or budgets to meet such compliance burdens, mirroring an issue that's previously arisen under GDPR. In the meantime, the CCPA remains the key battleground for shaping the degree of influence that marketers will have in helping to guide the specifics of the language of the law in a new era of regulation for the U.S., and how business-friendly, or not, those regulations could be.

"A single breach under the CCPA, even if no harm can be shown, can face companies with hundreds of millions [of dollars], if not larger, penalties," Jaffe said. "For many companies, if you get this wrong, you could very well be out of business."

All eyes on California

The CCPA is the most pressing concern among marketers for now, not just because it's so close on the horizon, but also due to the manner in which it came to be. Initially a ballot initiative in California, the bill was passed in five days with virtually no opposition in the state senate or assembly and with "little to no discussion" from industries, per Pepper. That's a stark contrast to similar bills in the U.S. or something like the GDPR, which gave marketers several years of lead time to offer their input and then prepare for a May 2018 implementation.

"A single breach under the CCPA, even if no harm can be shown, can face companies with hundreds of millions [of dollars], if not larger, penalties."

Dan Jaffe

ANA, group EVP, government relations

Because of this, many marketers believe that some of the language in the CCPA is too vague, potentially by accident and in ways that will ultimately hurt the consumer. A group of the ad trade bodies, including the 4A's, ANA, IAB, AAF and NAI, recently penned a letter to the California attorney general asking for greater clarification on what the scope of "personal information" mentioned in the bill includes and how the law's non-discrimination requirements will affect services like loyalty programs. As it stands now, the CCPA suggests that businesses can not discriminate in price or service to consumers who opt out of sharing their data, but that same data sharing is what allows many loyalty programs to exist in the first place.

"As a retailer, if it's a one-way exchange, and there's no value exchange back from the customer, what's the incentive in offering the discounts?" Pepper said. "If it's all liability and no reward, why would you do it?"

Some groups, such as the 4A's, IAB and the Digital Advertising Alliance, have also more recently pushed for greater clarification around issues like treating pseudonymized data the same as personal information, which is currently the case under the CCPA.

"It's not that we have any problems with the goals of the bill — which is to give consumers more control over their data — it's, now that it's come out, the more we looked, the more questions that we have," ANA's Jaffe said.

"We can't even advise our members how to comply," he added, referencing the ANA network of more than 1,100 member companies, which includes top advertises like Procter & Gamble, PepsiCo and Visa.

No time to lose

The ANA has testified twice, once in San Diego and once in Sacramento, to present suggestions that would untangle some of the language in CCPA. The high number of public hearings being held to debate the law signals that the AG is open to listening to the industry, according to Ashok Chandra, a senior partner and director of privacy at the WPP agency GroupM.

But even as marketers remain eager to see greater clarity in the CCPA, the reality is that its official rollout is only months away, meaning that they must hunker down now, including by working with either internal or external legal teams to figure out compliance, coming up with opt-out disclosures and being ready to response to peoples' request for all of their data.

"We have to go with what's already been passed right now," Chandra said in a phone interview. "That's one of the good things about these other [state] laws … A longer legislative process is better for everyone, because it's a very complex industry we work in."

Those confident in their readiness for prior laws like the GDPR also shouldn't be resting on their laurels, legal experts warned, though the EU rules in some way serve as a healthy trial run to other legislation.

"GDPR is an opt-in bill, CCPA is an opt-out bill — they have different data that they collect," Jaffe said. "Even if you've spent millions or hundreds of millions, which some of our members have spent to be GDPR compliant, that in no way says you're compliant with the CCPA."

Weaving a complex web

If the GDPR, which did have a longer lead time, serves as a more carefully considered way to handle data privacy legislation than the CCPA is proving to be, it still exposes some of the challenges in having a far-reaching law that's fairly open to interpretation.

In Europe, individual countries' data protection authorities are allowed to issue their own judgments about what does or doesn't run afoul of the regulation. France's CNIL recently slapped Google with a fine of 50 million euros for breaking GDPR rules around transparency and the need for a "valid legal reason for processing people's data for advertising purposes." The financial penalty, the largest yet issued under the EU law, is a potential red flag for other businesses, according to the 4A's Pepper.

"Google was not dismissing GDPR — they took it very, very seriously," Pepper said. "Look at Google's resources … If Google couldn't do it right, how are medium and small-sized companies supposed to do it right?"

Other GDPR complaints have recently scrutinized popular advertising frameworks, such as the IAB Tech Lab's OpenRTB (the IAB has strongly contested that their system violates the law). Another risk for marketers is believing that GDPR, CCPA or other potential data laws are strictly limited to the digital world, where most modern privacy controversies stem from. In reality, these laws can touch on privacy in an incredibly broad sense. A recent Austrian GDPR fine, for example, pertained to a CCTV camera filming a public sidewalk. That level of real-world impact could possibly be reflected under the CCPA.

"CCPA goes beyond the internet and beyond mobile to online and offline data collection," ANA's Jaffe said. "What do you do at the cash register at a retailer? How do you provide the type of disclosures that they would want under the CCPA?"

Rethinking data

If marketers are growing worried about how to grapple with an increasingly complex legal web around data collection, they must also understand that consumers are demanding greater accountability. A recent report by the ExpressVPN found that 82% of surveyed Americans believe U.S. Congress should do more in 2019 to regulate how tech companies collect and apply data.

The study also found that 89% of respondents believe they themselves should be able to decide who can share their personal data — a degree of power the CCPA, at least on paper, wants to enable. At the root of these anxieties are major scandals like Facebook's failure to account for Cambridge Analytica, which "absolutely" have helped to inform the current regulatory climate, according to GroupM's Chandra.

"It's important to let legislators know that we aren't lax," Chandra said. "Cambridge Analytica was not the norm but very much an outlier for the industry. Unfortunately, it was a very well-publicized outlier."

"As we go forward, industry proactively working with governments is the way."

Keith Weed

Unilever, CMO

Despite the obstacles ahead, marketers dedicated to repairing trust in a broken digital ecosystem could see the new wave of regulations as an opportunity for education and deeper partnerships. Chandra suggested these discussions are a means of informing both consumers and governments about the positive work the advertising industry does in keeping a clean house, such as through self-regulatory initiatives like TAG, which has proven successful in combating online ad fraud. The call for a more collaborative approach has been echoed by marketing thought leaders as well.

"I don't think anyone has all of the solutions here, but collectively, we certainly do," Keith Weed, Unilever's outgoing chief marketing and communications officer, said on a panel at the Consumer Electronics show in January.

"I've certainly found in Europe that GDPR has been a really positive step," he said, responding to Marketing Dive's audience question about how Unilever is thinking about new data privacy laws. "As we go forward, industry proactively working with governments is the way."

In a period of great uncertainty, one thing does appear clear: Marketers must retool how they think about data and the ways in which it supports their business, or otherwise risk imperiling that business altogether.

"The most practical thing you can do is look at what you're collecting. Do you need it, does it have value?" the 4A's Pepper said. "The days of just hoovering up everything and deciding what to do with it after the fact are over."