
Blog

Submitted by David LeDuc on January 19, 2021

Enacting a national consumer privacy framework is a clear priority among leaders on Capitol Hill in both parties and with the incoming Biden-Harris administration. Following the election in November, the NAI held a great panel discussion exploring the outlook for a national consumer privacy framework in 2021, with a focus on key issues for digital advertising. (If you missed it, you can watch the recording here).

The results of the recent Senate runoff elections in Georgia are likely to have a major impact on the national privacy debate. After Joe Biden and Kamala Harris are inaugurated, Democrats will take control of all the major tech policy apparatus in Washington—the White House, both houses of Congress and the Federal Trade Commission (FTC). That will impact the direction of draft legislation coming out of the gates. As the 117th Congress gears up, these are the key issues we are tracking.

Major Areas of Agreement

First, and most importantly, belief in the need for a federal privacy law remains strong on both sides of the aisle. Incoming Senate Commerce Committee Chairwoman Maria Cantwell (D-WA) introduced the Democratic proposal, the Consumer Online Privacy Rights Act (S. 2968), in the last Congress. Last fall, then-Senate Commerce Committee Chairman Roger Wicker (R-MS) introduced the Republican proposal, the SAFE DATA Act (S. 4626). While these proposals don’t line up exactly, there is general agreement on multiple key issues, such as establishing a clear set of “rights” for consumers, including enhanced data transparency requirements and consumer control over their data (generally this includes access, deletion and portability, and in some cases, correction). In the wake of the California Consumer Privacy Act (CCPA), these rights aren’t likely to require too much wrangling or pushback from the business community.

There is also agreement on key aspects of enforcement. Both proposals would empower the FTC as a strong lead regulator, and provide for joint enforcement with state attorneys general, with penalties for privacy violations. These are key elements that will benefit consumers and businesses alike.

Challenges and Potential Pitfalls

It’s no secret that federal preemption and a private right of action are the two major fault lines threatening consensus for a national privacy framework. If preemption is going to happen, House Speaker Nancy Pelosi (D-CA) and the 52 members of the House from California need to be confident that the law is a lasting improvement over not only the CCPA, but also the recently enacted California Privacy Rights Act (CPRA). And if the third time is the charm for the Washington Privacy Act, Chairwoman Cantwell will need sufficient motivation to preempt her state’s new law. So the bar could be getting higher on preemption. Given that the CCPA already has a limited private right of action for data breaches, and a new Washington law could provide a new right for Washingtonians, it would be difficult for a national privacy law to take these rights away.

Beyond these major issues, there are several others where alignment will be necessary. The role of consent will continue to be a major area of debate. Despite widespread agreement among privacy experts and policymakers that broad consumer consent requirements have limited value, both Republican and Democratic Senate proposals doubled down on this approach in the last Congress. Not only are broad consent requirements for data collected via the internet likely to be a key component of any federal law, but such a law is also likely to include protections from “dark patterns,” or deceptive business practices that mislead consumers or coerce consent.

There is also debate about the role of large tech platforms; the use of algorithms; and the elephant in the room, online content moderation. If congressional drafters of a national privacy framework dive into this rabbit hole, the likelihood of passage during the 117th Congress is quite low.

To get to an effective national privacy law, Congress and the new administration should focus keenly on the role of the FTC as a strong national regulator. While there is agreement on this conceptually, there needs to be more focus on specific reforms and new regulatory authority for the FTC to effectively protect consumers from unexpected and harmful misuses of their personal data. If Democrats and Republicans can reach consensus on this key issue, including substantial additional resources, it could take substantial pressure off the preemption debate, obviate the need for a private right of action, and provide the type of national regulatory oversight—in conjunction with state AG enforcement—that is much needed, but that the states are ill-equipped to provide through a patchwork of laws.

Submitted by Anthony Matyjas... on December 16, 2020

After what has been an unusual year globally, the NAI compliance team is finalizing the 2020 compliance review process. This annual undertaking by all NAI member companies and NAI staff went on as scheduled, with no major complications, in spite of the many challenges this year has brought, including the global health crisis, resulting financial and staffing issues, newly enforced legislation in California, and large-scale technological changes announced by providers of popular mobile platforms and web browsers.

During the 2020 review process, NAI staff had an opportunity to engage with all member companies, which provided a clear picture of the current state of privacy and technology in the digital advertising ecosystem. That picture includes member compliance with NAI requirements, among them those where enforcement has been deferred to allow the technology and infrastructure to catch up with the NAI’s newest industry-leading protections.

When the NAI began enforcement of the 2020 Code of Conduct, on January 1st, 2020, the application of two key provisions of the Code was delayed, and ultimately rescheduled to January 1st, 2021.

First, the 2020 Code requires member companies engaged in Audience-Matched Advertising to provide a PII-based opt out from these activities for users on the NAI industry page. The technical development of, and integration with, this new tool had been delayed due to other competing demands and reduced staffing resources at member companies. The NAI is launching the beta version of its new opt-out tool early in the new year, with several member companies available at launch. Any remaining members who need to integrate with the tool will need to finalize this process before July 1, 2021.

Second, the 2020 Code raises the bar on the notice necessary for consumers to express informed Opt-In Consent to digital advertising uses of Precise Location Information. Because platform controls provided by device manufacturers do not always allow for the provision of such notice, NAI members must take technical and contractual steps to ensure that this notice can be presented to users by the mobile applications that collect location data. NAI staff and members have been working to operationalize these changes in the mobile digital advertising ecosystem over the past year, with significant progress in various areas of engagement. The NAI will soon be able to provide all members with access to code, generously provided by one of our Board members, that can be inserted into any company’s SDK in order to surface the required notice to users. The NAI has also worked with member companies to help with the adoption of new contractual measures intended to ensure this notice is provided by app publishers. The NAI believes that these developments allow for NAI staff to begin rolling out enforcement in 2021, while allowing members an opportunity to cure any related non-compliance discovered during the 2021 compliance review process.

The NAI is pleased with the progress its members have made in 2020 in spite of the many challenges to the digital advertising ecosystem, and the economy more broadly. We will be posting more details very soon regarding the launch of the new opt-out tool beta, so we encourage you to monitor this space for further developments.

Submitted by Tony Ficarrotta on October 13, 2020

Preparations for compliance with the California Consumer Privacy Act (CCPA) have been checkered with uncertainty ever since the law passed in 2018, with many questions still unanswered about how the CCPA and its implementing regulations will apply to the digital advertising ecosystem.  

One strategy for CCPA compliance that many businesses are exploring (or are already relying on) is the use of contracts to designate their ad-tech vendors as “service providers.” In theory, a business’ use of a service provider contract in connection with its transfer of “personal information” to an ad-tech vendor would prevent that transfer from being classified as a “sale” of personal information, and therefore potentially help many publishers and advertisers avoid the “do not sell” link and opt out otherwise required by the law.

However, brands and publishers should think twice before pursuing this approach, because while the initial appeal of using service provider contracts for programmatic advertising  is clear, the potential adverse impacts of doing so may not be, at least initially. Amid understandable confusion around the application of “service provider” contracts for complex digital advertising transactions, some businesses have come to the over-simplified conclusion that designating their ad-tech partners as service providers is a silver bullet that can solve their toughest CCPA compliance burdens without sacrificing business results.

This is most likely false. Experience is beginning to show that the use of service provider contracts by digital media publishers and brand advertisers to govern their relationships with ad-tech vendors has serious drawbacks.  The over-use of service providers can lead to multiple bad effects, including the degradation of individual business results, creation of unhealthy and anti-competitive market dynamics, and, ironically, increased compliance risks.

Individual business results are likely to suffer under a service provider regime because the CCPA’s strict requirements on how service providers are permitted to use personal information may prevent vendors from engaging in the data processing necessary to provide their services, or limit their operations to the point where the service is rendered ineffective. Two of the biggest players in digital advertising -- Google and Facebook -- have not been shy about this fact. While both of those companies have indicated they will act as CCPA service providers for publishers and advertisers in limited circumstances, Facebook has warned advertisers that doing so may have “an impact to campaign performance and effectiveness, and retargeting and measurement capabilities will be limited”; and Google has indicated that it will not “create or update profiles for ads personalization or use existing profiles to serve personalized ads” relating to data to which restricted data processing -- which Google requires in order to act as a service provider -- applies. Limitations on the use of consumer profiles to personalize ads will likely impact a publisher’s ability to monetize its ad inventory. Publishers and advertisers shouldn’t expect anything different from their other ad-tech vendors, even if they have not released public guidance to that effect.

Beyond individual business results, brands and publishers should also consider the broader market dynamics they are influencing by limiting the availability and use of third-party data through service provider contracts.  The CCPA only limits the transfer of personal information from one company to another, either by allowing consumers to opt out of “sales” of personal information, or by tightly restricting how service providers can handle non-sale transfers of personal information. Large first-party platforms with their own proprietary data stand to benefit from those restrictions because they don’t need to rely on anyone else for data assets. On the other hand, third-party ad-tech vendors use collective information to enhance the quality of the services they provide to each of their clients individually, putting them at a competitive disadvantage under the CCPA.  These effects are exacerbated by the overuse of service provider terms, which allows walled gardens to continue to enhance their products and services using their own first-party data, while preventing other ad-tech companies from doing the same using third-party data, to the detriment of both ad-tech companies and the businesses they serve.

If walled gardens continue to grow more dominant as a result, publishers may see their ability to monetize ad inventory suffer, and advertisers are likely to see reduced value in the measurement and conversion services they rely on their ad-tech vendors to provide, as well as an overall reduction in the value of interest-based advertising for reaching their audiences. This free-rider problem will at first harm the digital advertising ecosystem as a whole by hampering the ability of third-party ad-tech companies to compete with large, first-party platforms. Over time, however, it’s publishers and brands who will suffer from a less competitive marketplace, but only after it’s too late and the competitive harms have set in.

Finally, and perhaps counterintuitively, publishers and brands that see service provider contracts as the way to go are likely to see greater compliance risks compared to those that are willing to classify their ad-tech vendors as “third parties.”  For example, because it is still unclear under the law and implementing regulations, and therefore unknown, how the California Attorney General will interpret the service provider provisions in the CCPA as they apply to specific digital advertising use cases, it’s possible that the contracts being used to designate ad-tech vendors as service providers may be determined to be inconsistent with the requirements of the law.  In that case, there may be a risk that the brand or publisher could be accused of having sold personal information to an ad-tech vendor without posting a required “Do Not Sell My Personal Information” link, or in contravention of a consumer’s request to opt out of sales of personal information.  Further, businesses relying on service providers must contend with the added complexity of responding to consumer requests for access to or deletion of personal information in concert with their service providers.  There is no corresponding requirement to coordinate with vendors designated as “third parties” for those requests.

Service providers are not solely responsible for managing these compliance risks. Depending on the circumstances, both a service provider and the business that engaged the service provider may be liable for uses of personal information that do not satisfy the CCPA’s requirements. And while we may not know for certain what service providers can and cannot do before the Attorney General begins taking enforcement actions on that issue, it is an area to watch closely for compliance risk. Brands and publishers should bear in mind that the costs of violations can add up quickly – $2,500 for each violation or $7,500 for each intentional violation.

Taking all of these drawbacks together, brands and publishers should be thinking twice, maybe three times, about whether “service provider” contracts really are a silver bullet for CCPA compliance, and should be actively exploring alternatives to service provider arrangements with their ad-tech vendors to avoid negative side effects.  Given the very low rate of opt outs businesses are seeing, designating ad-tech vendors as third parties and posting a “do not sell my personal information” link in a webpage footer may be a small price to pay to keep the full range of products and services ad-tech companies can offer while keeping compliance risks low.

For brands and publishers seeking to think these issues through in more detail, we encourage you to read the NAI’s white paper on the use of ad-tech companies as CCPA service providers.

Submitted by Leigh Freund on September 30, 2020

The NAI welcomes GroupM’s Tamera Reynolds and Audrey Trainor of MediaMath to the NAI Board of Directors. They join Dan Hegwood, Markus Ruhl, and Matthias Matthiesen as new board members in 2020.

Tamera Reynolds is a Senior Partner and Associate General Counsel for the international media investment company, GroupM. Reynolds is responsible for strategic tech and data partnerships and data privacy compliance, across GroupM and its agencies. 

Reynolds previously was VP of Global Legal Counsel for Xaxis, the advanced programmatic arm of GroupM. While at Xaxis, she led (and continues to lead) legal and privacy support across a broad range of business functions including technology partnerships, intellectual property, privacy, and new business and policy initiatives.  

Prior to joining Xaxis, she worked at Sahara Media, Inc. and was instrumental in successfully executing an IPO during the 2008-09 financial crisis. The company subsequently was acquired by Youblast Global Inc.

“Tamera’s fifteen years implementing lawful and ethical procedures across multiple countries in the media industry makes her an exciting addition to the board,” said NAI President and CEO Leigh Freund.

Audrey Trainor, Data Policy & Governance Manager at MediaMath, develops strategy on policy and process implementation around privacy, data use, and compliance. Her work helps ensure data is used ethically while ensuring continued growth at MediaMath. 

In addition to her leadership role with MediaMath’s Data Policy & Governance team, Trainor has led the NAI Precise Location Data and Opt-In Consent Guidance Working Group and served on the board of the Better Business Bureau of Metropolitan New York. 

“Audrey is an expert data policy strategist,” said Freund. “She works every day to make sure responsible data policies are part of an accountable and addressable supply chain for digital advertising.”

Tamera and Audrey join three board members appointed earlier in 2020, bringing the total membership on the board to twelve. Board members appointed in 2020 include:

  • Dan Hegwood – Xandr, Vice President, Legal

Dan Hegwood is Group VP for Xandr, and is responsible for Xandr’s global public policy program spanning privacy and other regulatory matters.  Hegwood also leads a team of attorneys covering Xandr’s international sales and operations.

  • Markus Ruhl – Global Data Privacy Officer, Publicis Groupe

Markus is a qualified attorney in Germany with 20+ years of experience in various industries. He has worked for many years on emerging technologies, policy and global privacy issues, and has spoken at privacy and security conferences.

  • Matthias Matthiesen – Quantcast, Senior Privacy Counsel

In his role as Quantcast’s Senior Privacy Counsel, Matthiesen works to manage the company's global privacy and data protection program and drive positive privacy and data protection changes at an industry level. Prior to joining Quantcast, he served as director of privacy and public policy at the Interactive Advertising Bureau Europe, where he led the industry’s strategy and approach to privacy and data protection in response to the GDPR and ePrivacy Regulation.

The Network Advertising Initiative’s other board members are Chairman Douglas Miller – Vice President and Global Privacy Leader, Verizon Media; Vice Chairman Ted Lazarus – Director of Legal, Google; Alan Chapell – President, Chapell & Associates (representing Eyeota); Dana Edwards, Senior Vice President, Engine Group; Duncan McCall, CEO & Co-Founder, PlaceIQ; Ken Dreifach, shareholder, ZwillGen (representing Adroll); and Paul Harrison, Co-Founder & Chief Technology Officer, Simpli.fi.