In this piece, our experts from both sides of the Atlantic discuss their thoughts on what to look out for in 2020:
Europe
1. Crunch time for e-Privacy legislation (Privacy and Electronic Communications Regulations 2003 or PECR)Continued confusion on cookie rules
PECR is existing legislation, close to celebrating its eighteenth birthday, that covers various technology issues around data protection, including direct marketing by email, SMS, fax (a sign of its age!) and cookies. The EU had originally intended to update this legislation, replacing it with an EU-wide regulation, to coincide with the coming into force of GDPR on 25 May 2018. Roll forwards over 18 months, and there is still no agreement on the proposed text, with the most recent and advanced version being thrown out at the end of 2019 by a number of EU member states. It is currently back to the drawing board entirely, and some are even predicting that the legislation will be abandoned in 2020. Very frustrating, but many of the proposals were extremely unpopular.
Why is this important? Many companies had been holding off on certain changes to their technology and use of cookies, for advertising in particular, expecting this legislation to finalise what exactly was expected. It had almost become an excuse – ‘let’s wait and see’. However, the ongoing issues with the legislation mean waiting is not appropriate. Companies need to focus on existing law and emerging regulatory trends as explained below.
2. Continued confusion on cookie rules
Given the pain of PECR’s slow-moving developments, the void has been filled by various regulators publishing guidance around their expectations for cookie compliance. The European Data Protection Board also published guidance explaining the interplay between the existing PECR rules and GDPR. The problem is that the regulators (see the UK, French, German and Spanish regulatory approaches) have been saying different things, leaving companies panicking about updated cookie banners and consent mechanisms and struggling to implement solutions that are consistent with the varied approaches across Europe but don’t wipe out opportunities for deploying advertising and analytic cookies. No mean feat! We will see companies continue to wrestle with this issue in 2020 as more are forced to commit to a particular solution, cookie providers change their own terms around consent requirements (so the issue becomes not one of just regulatory enforcement but breach of contract) and more new guidance emerges from other regulators.
3. Enforcement on the rise
Fines and enforcement activity around adtech were pretty slim on the ground a year ago, but we are seeing a huge amount of attention in this area. 2019 saw fines imposed by the Belgian Data Protection Authority in December and the Spanish Data Protection Authority earlier in the year, on separate companies for failing to have appropriate cookie notices and consents. The big one, however, was the €50 million fine imposed by the French Data Protection Authority, CNIL, on Google. This fine focused on failures to have appropriate transparency, and information and consents around ad personalisation. The Irish Data Protection Authority has been reviewing complaints into other platforms and its findings are expected early this year. Privacy regulators in Europe have been keen to emphasise that the perceived delays in enforcement activity are more as a result of the complexity of the matters and the regulations than a lack of will on their part.
The UK Information Commissioner has not yet imposed fines in the adtech space but has been undertaking, and talking very publicly about, reports and investigations in this space, with a focus on real time bidding (RTB) specifically. An interim report was issued in June 2019, followed by an updated blog post in December 2019, which contained a stark warning:
“We are now considering our next steps and deciding how best to address our ongoing concerns. …To summarise, some of what is happening now appears to us to be unlawful, based upon the evidence we have seen to date. The future of RTB is both in the balance and in the hands of all the organisations involved. Over the coming weeks, we’ll be evaluating all of the options available to us and will be providing a further update in early 2020 on our position and on any action we’re taking.”
That update and any potential action are hotly awaited.
4. It’s not just about privacy
The adtech regulatory environment in Europe isn’t just concerned with privacy. The UK’s Competition and Markets Authority announced an investigation in the summer of last year into the adtech market to assess three broad potential sources of harm to consumers in connection with the market for digital advertising: the extent of platform providers’ market power, consumer control over data and competition in the space. Its consultation closes in February 2020 with a final report due in early July 2020.
5. New solutions and commercial considerations
The impact of regulatory and industry change means that brands and publishers need to be having in-depth conversations with the agencies they use and considering carefully the technologies they deploy and how they will react to known and unknown changes in the year ahead. The Google announcements show that big changes in the technology are afoot. If browsers start blocking third party cookies, teams need to be considering the impact on contracts and providers, as well as other tracking technologies or alternative solutions. The changes also mean companies need to stay very close to initiatives such as the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework v.2.
United States
1. The impact of the CCPA – the ‘do not sell’ requirement
Companies collecting information from residents of California are now adapting to the California Consumer Privacy Act (CCPA), which came into effect on 1 January 2020 and is the most comprehensive state privacy law in the United States. The CCPA has a couple of notable impacts on the adtech industry, the first being the requirement that businesses allow consumers to opt out of the ‘sale’ of their data, as that term is defined by the CCPA.
The CCPA defines the term ‘sale’ broadly to be “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.1 This means a sale may be triggered by the exchange of data from pixels or metatags via ad exchanges or other programmatic advertising. Notably, the CCPA excludes from the definition of ‘sale’ the exchange of data between a business and a ‘service provider’. A service provider processes personal data on behalf of another company, subject to a written agreement that limits the service provider’s use of the data to the provision of services for the other company.2 If the data flows to a service provider, it is not considered a sale.
These considerations are important because, if a sale occurs, the publisher – or the party in direct proximity with the consumer – must provide California consumers with the ability to opt out of that sale. This is typically done via a ‘do not sell my personal information’ link or button on the publisher’s website. Once a consumer clicks on the link, the publisher must remove that consumer from any exchanges of data that are considered a sale and the opt-out must also flow to any parties that the business sold the data to in the 90 days prior to receipt of the request. This has presented a unique challenge for adtech companies in the ad exchange environment, since these companies typically operate as intermediaries without being in direct contact with the consumer or with the party that received the initial request from the consumer.
2. New industry solutions
As we have seen in Europe, in the United States, the adtech industry has reacted to regulatory change in developing new technical solutions to assist companies with compliance. For example, the Digital Advertising Alliance has developed a ‘CCPA tool’ that enables consumers to click on the opt-out, which would notify all participating companies that the consumer has requested to be removed from the sale of data. The participating companies that receive the request must stop the sale of that data.
Additionally, the IAB has developed the ‘CCPA Compliance Framework for Publishers and Technology Companies’. The framework includes a master agreement as well as technical specifications to facilitate CCPA compliance through ad exchanges. Essentially, companies that agree to the master agreement are signatories that commit to becoming service providers if a consumer opts out of the sale of their data. When such an opt-out occurs, a CCPA signal is sent, which notifies those companies downstream from the opt-out to switch from practices that are or may be considered selling to the practices of a service provider, meaning that their use of the data should convert to only being as necessary to provide the service. This will strictly limit data use by publishers and technology companies to only those specific and limited business purposes that are permitted under the CCPA.
Google also joined the fray, and has a section of its privacy pages devoted to “restricted data processing”, allowing a user to limit the use of their data to only service-related functions, which is similar to the concept supported by the IAB.
While the effectiveness of these solutions and their compliance will likely be tested in 2020, they certainly give adtech companies potential options for compliance with the ‘do not sell’ requirement, but companies will need to work carefully with their legal and compliance advisers in shaping the decisions made and to keep inevitable further developments under review.
3. The impact of the CCPA – notice prior to sale
The impact of the CCPA on adtech does not end there. Companies that are receiving data from consumers must also ensure they comply with the notice requirements. The requirements, which are delineated in the draft regulations,3 state that a business that does not collect information directly from a consumer does not need to provide a notice at collection to the consumer, but before it sells the data it must: (a) contact the consumer to put them on notice and explain their right to opt out; or (b) contact the source of the information to confirm the source provided notice, obtain signed attestations from the source describing how the source gave notice at collection and include an example of the notice.4
Notably, the IAB framework includes a lengthy notification requirement to facilitate compliance with this requirement for those companies that are incorporating the ‘do not sell my personal information’ link. The notification includes provisions requiring the collecting party to explain the opt-out right. It also includes provisions explaining to the consumer that they may still see interest-based ads and providing instructions on how they may opt out of those ads.
This is an interesting highlight for any company that is ‘downstream’ from the data collection point, as they must take steps to ensure compliance with this notification requirement.
4. The impact of CCPA – Is a cookie banner required?
One of the more challenging aspects of CCPA compliance is whether the CCPA requires a cookie banner-type notice. The short answer is ‘no’: CCPA compliance does not require a cookie banner. The CCPA does not mandate that the use of cookies be disclosed as part of a cookie banner, or that the company obtain consent prior to the use of cookies. Similarly, the CCPA does not expressly require that a company obtain consent from a website user before placing cookies on its browser.
However, a cookie banner is an option for companies that are using third party cookies on their website as the banner could facilitate compliance with the opt-out if the exchange of data in these instances is considered a sale under the CCPA.
5. Advertisers will continue to push for transparency
Transparency and trust in the digital ecosystem have been a major area of concern for brands for several years now5 and 2020 will be no different. Advertisers will continue to pressure publishers and the ad tech community for more transparency. In addition, advertisers’ need for trustworthy measurement and the desire to understand where their money is being spent will cause them to increase pressure on publishers and the ad tech ecosystem to provide access to data (including log files), become accredited by the Media Ratings Council and agree to third party verification and audits. The continued concern about fraud and brand safety will also make participation in industry-wide initiatives such as the Trustworthy Accountability Group and IAB Tech Lab initiatives such as app-ads.txt, sellers.json and the OpenRTB Supply Chain Object a pre-requisite for securing a brand’s business. In 2018 and 2019, we already saw many brands bring their programmatic buying in house to facilitate transparency. In 2020 we will likely see the trend continue and also see brands focusing more on premium private marketplace transactions and direct buys from trusted publishers to improve transparency.
- Cal. Civ. Code I/c 1798.140(t)(1).
- Cal. Civ. Code I/c 1798.140(v).
- California Consumer Privacy Act Proposed Regulations. The proposed regulations were subject to a 45-day comment period which ended on 6 December 2019. Final regulations are expected to be released in early 2020.
- I/c 999.305(d).
- 'Two years after the ANA’s report, a cloud still hangs over media transparency' issued by Digiday (16 July 2018);
'Report from ANA and White Ops Shows War on Ad Fraud is Succeeding' issued by White Ops (1 May 2019);
'The FT warns advertisers after discovering high levels of domain spoofing' issued by Digiday (27 September 2017)
Client Alert 2020-042