The Gaping Hole in Compliance | Marketing Maestros | Blogs | ANA

The Gaping Hole in Compliance

October 8, 2020

By Richy Glassberg


By now, many brands have spent enormous resources ensuring internal compliance with the GDPR and CCPA. You — or your agencies — have put systems into place to request, track and store the consent of the consumers you engage throughout the digital universe.

But are you covered? You’re not if any part of your supply chain — the DSP, data company, ad network or exchange — isn’t also fully compliant. If any vendor isn’t, you face substantial risks, which I lay out below.


Compliance Is Greater Than Consent

First and foremost, let’s talk about what you’re actually responsible for. Compliance is more than prompting consumers to accept cookie settings when they first arrive on a website and storing that consent somewhere. The CCPA guarantees consumers the right to know which data is collected about them, who it is sold to, the ability to access that data as well as opt out. The GDPR also guarantees those rights, along with the right to erasure, to object, to restrict processing and more. The point is, compliance is complex and covers a lot of ground, which can leave brands exposed if you don’t account for all consumer rights beyond consent.


The Onus of Vendor Compliance Is On You

It seems logical to assume that the tech partners you rely on to execute your campaigns are the ones who must answer for any violation of a privacy right that occurs within their systems, but that’s not the case. As the party that ultimately benefits from an interaction with a consumer, both the CCPA and GDPR put the onus of vendor compliance squarely on you.

GDPR Article 24 states that “the controller” (which would be you, the advertiser), “shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” Recital 74 goes on to explain that the controller is responsible — and liable — for processing done on its behalf by a third party. Meanwhile the CCPA leverages “agency law,” which essentially says that any act by an agent who acts on your behalf is your responsibility (i.e. you and your agent are one and the same). Like the GDPR, the CCPA holds you accountable if any third party or service provider runs afoul of the regulations while acting on your behalf.


Warning: Complexity Ahead

The GDPR and CCPA are just the beginning. You are likely to face a patchwork of Federal and State privacy regulations in the very near future. Last May, Nevada adopted new privacy legislation and included a consumer opt-out right. Meanwhile, legislators in 14 other states across the country have recently proposed their own CCPA-like privacy bills.

To say that privacy regulations are a bit of a moving target is an understatement. The Washington Privacy Act failed on two occasions to pass the legislature, but we can expect advocates to keep trying. The Texas Privacy Protection Act also failed to set specific policy to date, but it did establish a Privacy Protection Advisory Council to study data privacy laws in advance of the next legislative session.

It’s anyone’s guess what the outcome of these delays and negotiations will be, but we can safely assume they’ll further increase the complexity of compliance. When one digs into the weeds of the bills under consideration, the word “like” in the phrase “CCPA-like” is telling — and ominous. Each state is likely to spell out highly specific requirements for its citizens’ data. Complying with the spirit of a regulation won’t cut it; you’ll need to meet the letter of every regulation in each Act that’s passed.


Replace Frameworks with Agreed-Upon Vendor Assessments

A lot of brands put their faith in privacy frameworks, which were fine — until California and Nevada passed laws and imposed defined standards that frameworks just don’t meet. And those frameworks are not likely to accommodate the patchwork of requirements coming down the pike.

At the same time, every entity in the digital ad tech sphere has developed its own privacy contract, but the language and scope can vary. As an advertiser, you can’t easily determine if a partner is truly compliant, which is a big problem considering you’re likely liable for their actions.

There’s one way the industry can address the vulnerability, and that is to develop an agreed-upon vendor assessment, with precise language, that discloses whether or not the vendor is in full compliance with all the specific requirements of all applicable regulations. This assessment can serve as a common basis for doing business. No doubt this is a difficult task to accomplish, but coming together to tackle a problem is a hallmark of this industry. It’s time to do it again.

Richy Glassberg is founder and CEO of SafeGuard Privacy.

The views and opinions expressed in Marketing Maestros are solely those of the contributor and do not necessarily reflect the official position of the ANA or imply endorsement from the ANA.