Home Data Privacy Roundup Addressing The Risky Business Of “High-Risk” Data Activities

Addressing The Risky Business Of “High-Risk” Data Activities

SHARE:
data leakage

Remember when the ad industry glommed onto the phrase “Data is the new oil”?

Well, sensitive data is crude oil, at least from the perspective of any marketer who might want to collect and use it. The process of refining crude oil is dangerous and should be conducted with extreme care.

That’s not a perfect metaphor, so sue me. Although, lawsuits are more likely to come against companies that fail to handle high-risk data properly.

Risk regs

Processing sensitive data such as biometric information, precise geolocation, children’s data and information that could reveal a person’s race, sexual orientation or health diagnosis is considered a “high risk” activity under most state privacy laws.

Some state privacy laws, including in Connecticut, Virginia and Colorado, require businesses to conduct a separate privacy impact assessment, which is like an internal audit to make sure data is being handled properly for any processing that presents a heightened privacy risk.

But, in California, the requirements are even more stringent, with two separate types of assessment: one from a cybersecurity perspective and another to determine whether the processing of personal data could present a “significant risk” of consumer harm.

“You have an obligation to do due diligence on all of your vendors above and beyond what’s in your contracts,” said Richy Glassberg, CEO and co-founder of privacy compliance tech provider SafeGuard Privacy. “And when it comes to sensitive data, you really have to do so.”

As of now, the specific requirements for how to conduct these assessments aren’t finalized, and the California Privacy Protection Agency (CPPA) hasn’t yet started its formal rulemaking process.

But it did draft cybersecurity and risk assessment regulations on its website and discussed them during its most recent board meeting in early September. The preliminary comment period closed in March, but the CPPA will collect more feedback on the drafted regs as they circulate.

It’s a long road, though.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Once the regs are finalized, it’ll be a year before they can be enforced, said Daniel Goldberg, chair of the privacy and data security group at Frankfurt Kurnit Klein & Selz and co-chair of its ad tech group.

Can’t be too careful

Putting aside the bureaucracy of it all, what do ad tech companies need to know about the risk assessment rules the CPPA is establishing?

The most important thing to remember, said Julie Rubash, chief privacy officer and general counsel at data privacy software company Sourcepoint, is that the requirements – while important to follow – will not be new to anyone who hasn’t been living under a rock.

The concept of conducting a risk assessment should be familiar to any company that’s been exposed to GDPR and/or has been working on compliance with certain regulations in the US, Rubash said.

“I actually think it’s going to be beneficial for companies because it helps lay a foundation for your entire privacy compliance program,” she said. “This is really something companies should be doing internally anyway, regardless of any regulation.”

stethoscope on laptopStill, businesses should always consider the nuances between different data privacy regulations, of which there are already 12 in the US alone (not counting Washington state’s My Health, My Data Act, which is specific to health-related data).

“Companies may be able to rely on impact assessments conducted pursuant to other privacy laws,” Goldberg said, “but should review the specific obligations under the draft regs to ensure compliance.”

Not that enforcers are necessarily waiting to pounce on companies that make good-faith efforts at compliance.

The California attorney general, which has been enforcing the California Consumer Privacy Act while the CPPA is drafting regs for the California Privacy Rights Act, is usually pretty fair in its dealings, Goldberg said.

“In my experience, the California AG’s office has taken action against companies based on alleged substantive violations as opposed to ‘gotcha’ technical violations,” he said, noting that both the AG and the CPPA will probably approach enforcement of the new regs in a similar way.

But we’ll only really know once enforcement of the CPRA begins in March of next year. Because past practice is not always a predictor of future behavior.

“Things could change at any time,” Goldberg said.

As always, thanks for reading! And if there’s anyone you can trust with your sensitive data, it’s Dr. Fluffy. Feel free to drop me a line with any feedback at allison@adexchanger.com.

Must Read

How Encryption Keys Could Resolve The TID Furor

Rather than sharing universal TIDs that any DSP or curator can access, Raptive says publishers should instead share encrypted TIDs with an encryption key provided only to trusted demand-side partners.

Clear Channel Brings Mid-Flight Measurement To Its OOH Network

Clear Channel will provide advertisers weekly, mid-flight reports on outcomes driven by its inventory in order to bring OOH measurement closer to the speed of digital.

FTC Commissioner Mark Meador speaking at the NAD's annual conference in Washington, DC on Sept. 16, 2025. (Photo: Brian O'Doherty)

FTC Commissioner Mark Meador: ‘No Human Society Can Long Survive Without Consumer Trust’

Keeping American kids safe in what FTC Commissioner Mark Meador calls “an increasingly complex and fast-paced technological environment” is a top priority for the agency.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Comic: "Deal ID, please."

Amazon Expands Its Programmatic Integration With SiriusXM

On Tuesday, Amazon DSP announced an expanded integration with satellite radio company SiriusXM.

Rembrand merges with Spaceback

Omar Tawakol Is Merging His AI Startup Rembrand With Spaceback

Rembrand announced that it’s merging with creative automation startup Spaceback to build a unified AI-powered platform for “content-based” CTV, digital video and display.

A comic depicting people in suits setting money on fire as a reference to incrementality: as in, don't set your money on fire!

Retail Media Is Starting To Come To Grips With The Fact That We All Know Nothing

Retail media is entering what might be called its Socratic phase. The closer we to get to understanding an ad campaign’s real impact and business results, the clearer it is that we have no idea how this thing works.