What US privacy laws do advertisers need to be aware of in 2023?
By John Murphy, chief strategy officer, Confiant
January 28th is celebrated globally as Data Privacy Day. It acts as a reminder that several US state privacy regulations become effective during 2023. As a result, privacy could become more important to the ad ecosystem than ever in the United States, echoing what has already happened around the world. While most publishers and SSPs have taken steps to ensure that they are compliant with regulations, the new regulations make it more complex for publishers who rely only on consent management platforms (CMPs) to enforce compliance on a locality-by-locality basis.
Here's everything advertisers need to know.
US privacy laws taking effect in 2023
Here is a summary of the regulations that have come, or will be coming, into effect during 2023, according to legal publisher Lexology:
● January 1, 2023, the California Privacy Rights Act (CPRA), amending the current California Consumer Privacy Act (CCPA);
● January 1, 2023, the CCPA cure period ends, current exemptions for employee and business-to-business data ends;
● January 1, 2023, the Virginia Consumer Data Protection Act;
● July 1, 2023 the Connecticut Data Privacy Act;
● July 1, 2023, the Colorado Privacy Act;
● December 31, 2023, the Utah Consumer Privacy Act.
In September 2022 the IAB announced the release of their Global Privacy Platform (GPP). The GPP is designed to communicate user consent signals throughout the digital ad supply chain. The GPP supports both the US Privacy and IAB Europe TCF v2 consent strings.
CMPs are tasked with providing notice to users about a publisher’s data-collection practices, storing a record of user permissions, and conveying these signals to the ad ecosystem. All entities engaged in legitimate user-tracking must adhere to these signals to remain compliant. If everything were honest and above board, those in the ad ecosystem would only need to carefully apply user privacy preferences to protect themselves from penalty. But it's not just the violations caused accidentally by legitimate vendors, but those caused by bad ads from threat actors that create the biggest liability for brands, publishers and platforms.
Ad tech is a well-known target of sophisticated threat actors who exploit the complex and fragmented nature of the ecosystem for nefarious ends. Threat actors often break privacy compliance rules for their own purposes, putting brands, publishers, DSPs and SSPs at risk of enforcement penalties, as well as loss of reputation and trust from users. Threat actors serve their bad ads to anyone they choose, regardless of user permissions and privacy regulations.
Regulatory enforcement affects all parties involved in digital advertising, but threat actors often slip through the net. Whether privacy violations occur accidentally, purposely, or even when violations are caused by bad ads, regulatory enforcement views the violations as one and the same. Unfortunately, enforcement cannot usually locate the threat actors to make them accountable when issuing penalties. So, legitimate advertisers, publishers, and platforms are left holding the bag when bad ads cause privacy violations, while threat actors sneak away from regulatory actions.
Confiant’s Privacy Compliance Solutions provides protection against ad privacy violations by going beyond the CMP to enforce what is signaled in the consent string. The unique approach identifies accidental (and purposeful) privacy violations caused by legitimate ads, as well as those caused by bad ads posted by threat actors. Either instance puts brands, publishers, SSPs, and DSPs at risk for privacy violations. Privacy Compliance Solution goes beyond avoiding penalties, to ensure that you remain compliant with your user’s privacy wishes.”
Enforcement is ramping up
Meta ended 2022 with more than $787m in EU privacy fines. It started 2023 with over $410m in additional EU privacy fines for breaking the GDPR rules related to the handling of personal information on Facebook and Instagram. TikTok was fined five million euros in the EU for violating cookie regulations.
The US seems to be following the trends in Europe by targeting platforms and publishers for privacy violations. Recently Google agreed to pay $20m to Indiana and $9.5m to Washington DC, in addition to the $391.5m previous settlement agreement with 40 states over location tracking related privacy lawsuits.
But brands are not exempt from privacy compliance. In August 2022, cosmetics retailer Sephora agreed to pay $1.2m in monetary penalties for violations of the California Consumer Privacy Act related to its targeted advertising practices. In addition, the agreement outlines other compliance steps that Sephora must take before continuing to do business in that state. California attorney general Rob Bonta went on record stating, “I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. My office is watching, and we will hold you accountable.”
What should you do now?
Whether you are a brand, a publisher, a SSP or a DSP, you are a member of the ad ecosystem and must comply with privacy regulations. For some it may mean investments in new solutions that can help identify privacy violations before regulatory authorities do. For others, it may only be updating existing solutions. While both may involve some costs in solutions and/or technical time, those cost and resource issues should be weighed carefully against the potential of fines, operational restrictions and bad publicity. With the focus on the enforcement of these new regulations increasing, doing nothing will most likely become very costly, very soon.
Here’s a short list of actions that brands, publishers, SSPs and DSPs should consider right now:
● Check with your corporate compliance officer and/or legal counsel to make sure that you are fulfilling your obligations under the new regulations
● Update your privacy policy
● Ask your CMP solution provider to make certain that your CMP is up-to-date with the current laws going into effect
● If you are a publisher, consider having Confiant evaluate consent mismatches on your site
Click for more information on Confiant Privacy Compliance Solutions