Michael Hahn, Executive Vice President, General Counsel, IAB and IAB Tech Lab and Tony Ficarrotta, assistant general counsel at the IAB, have challenging positions in their work serving the marketing and advertising industry. One of their jobs is to ensure that IAB members have all the information needed to make accurate decisions on privacy.
Earlier this year, California, Colorado, Connecticut, Utah, and Virginia issued their own consumer privacy laws that impact digital advertising.
These new laws affect how brands, marketers, and publishers determine personal data management and leverage for advertising practices.
What constitutes a "sale" of personal information in the context of digital advertising? To improve clarity and consensus around the application of state privacy laws to the digital advertising industry, the IAB Legal Affairs Council asked publishers from sell-side as well as buy-side ad-technology companies and agencies, brands, and law firms.
Survey respondents overwhelmingly indicated that the term “sale” is a broad concept and that it generally captures both the “sharing” of personal information for cross-context behavioral advertising, as well as transfers of personal information for ad delivery and measurement activities.
The survey revealed important areas of consensus on how the state privacy laws apply to the digital advertising industry, as well as areas where views and practices diverge among participants.
For example, most respondents believe that the term “sale” is a broad concept under each state privacy law and generally captures making personal information available for sharing or targeted advertising, ad delivery, and measurement activities.
Nearly half of respondents do not feel prepared to comply with the vendor due diligence obligations required under the laws.
Search & Performance Insider spoke with Hahn and Ficarrotta. What follows are excerpts from the conversation.
S&PI: How does the IAB support members when it comes to all the changes related to privacy?
Hahn: Lawyers are acquainted with trying to comply with multiple regulatory regimes, even beyond privacy. It’s an exercise in understanding clients, the technology they use, and approaching it in a sensible and methodical way.
If you look, for example, at all the state laws that apply to data breaches, you typically find in-house lawyers looking for the highest common denominator. That’s very much what I see most members do, which is reflected in the survey. They take a national approach. It’s one of the tools that the IAB has provided to the industry through the multi-state privacy agreement, which has a national approach.
S&PI: Do similarities and differences in state laws impact a company’s approach to addressing compliance?
Hahn: Many states have very large similarities in different state laws -- such as consumers have the right to opt out of the sale of their information. They have the right to opt out of cross-context or targeting advertising. Those rights are embedded across the states.
There are nuances in certain states. California, for example, has limitations in what service providers can do that don’t exist in other states. Service providers cannot engage in cross-context behavioral advertising, or combine personal information between service different service provider engagements.
There are things that companies need to pay closer attention to with the details. In the broad strokes there are similarities.
Earlier this year, we released The IAB Multistate Privacy Agreement (MSPA) to help tether the laws together and identify the distinguishing factors.
S&PI: What were the most interesting points gleaned from the survey?
Hahn: The first thing is there seems to be a strong agreement that selling personal information is broad concepts across the states. The attorney general’s approach to the concept of sale – specifically in the Sephora case, which only applies to the California law, has had some impact in terms of how the market place expects the same use of the term can be applied in other states.
The second is that there was a strong majority of buyers and sellers who indicated that the MSPA played a critical role in addressing and supporting compliance with state privacy law contractual requirements.
The third is that a majority of respondents,including at least half of respondents representing ad agencies, agree that an ad agency would likely be liable for using certain practices such as putting pixels in the ad creative without taking certain steps for diligence purposes -- especially where the agency does not ensure adequate contracts and controls are in place with publishers who serve that ad creative as required by law.