“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Gary Kibel, a partner in the digital media, technology and privacy practice group at Davis & Gilbert.
The ad tech ecosystem in the United States is largely based on the collection of persistent identifiers and personal information generally operating on an opt-out basis. However, in a troubling sign for the industry, a number of new and proposed laws are introducing consent requirements that may impact the scope and volume of data collected from consumers. While certain sensitive personal information has always been understood to require consent to collect, these new laws expand consent to cover more commonly collected and exploited data.
The most comprehensive privacy law in the United States, the California Consumer Privacy Act (CCPA) mostly operates on an opt-out basis. The California Privacy Rights Act (CPRA, AKA CCPA 2.0) also embraces this opt-out model. Virginia, which is poised to potentially become the second state in the United States, with a comprehensive privacy law, is also embracing the opt-out model. However, other laws are chipping away at this liberal approach to data collection and use.
North Dakota recently proposed a privacy law that would have required opt-in consent for any sales of a broad swath of data, such as location, browsing history, residential details and even interests. However, the bill failed to pass in the North Dakota House of Representatives earlier this month. Given that North Dakota has barely 2% of California’s population, the impact might not have been dramatic, but it may have contributed to the opt-in trend.
Last year, in the wake of COVID and the calls to use mobile location for contact tracing, Congress proposed a bill called the “COVID-19 Consumer Data Protection Act of 2020.” This bill would have required opt-in consent for the collection of precise geolocation data, and this term was vaguely defined. This bill also did not pass.
The city of Portland, Oregon recently enacted a law, effective January 2021, that prohibits any company from using facial recognition technologies in a place of public accommodation. Surprisingly, this law does not even allow for opt-in consent. It is an outright prohibition, no matter how informed and willing a consumer may be to allow such data collection. It’s shocking to see a law that doesn’t even allow a consumer to consent to a data collection method.
And while not a law, everyone is well aware of the pending changes from Apple in iOS14 to require opt-in consent to collect the IDFA for purposes of tracking and targeted advertising.
These trends do not bode well for the ad tech industry. Consumers are unlikely to opt-in and consent in high numbers. Data segments could take a huge hit if the mere collection and sharing of cookie data, for example, required an opt-in.
Some companies are hedging their bets and looking more closely at first party data and/or consent-based mechanisms. For now, the industry should stay alert, engage with lawmakers and speak up to promote the value of our current opt-out regime.
Follow Gary Kibel (@GaryKibel), Davis & Gilbert LLP (@dglaw) and AdExchanger (@adexchanger) on Twitter.