Home Data Privacy Roundup Flying Under The Radar Is Not A Realistic Compliance Strategy

Flying Under The Radar Is Not A Realistic Compliance Strategy

SHARE:

Enforcement. Is. Coming.

I spent the week in Washington, DC, attending two privacy- and public policy-focused events.

One was a relatively intimate gathering of a few hundred digital advertising executives, policy folks and ad tech lawyers hosted by the IAB at a Convene in downtown DC. The other was the IAPP’s Global Privacy Summit, a nearby gathering of several thousand privacy pros in a cavernous convention center.

And I have a single takeaway from both: When people tell you something with their whole chest, it’s probably best to listen.

In session after session, state regulators got up on stage to talk in detail about their data privacy enforcement priorities.

#priorities

So, what do regulators care about?

Exactly what you’d expect them to.

They care about transparency, proper disclosures and whether a company’s privacy policy is compliant.

They care about honoring opt-out requests and making sure consumers can exercise their legal rights.

They care about kids, about protecting sensitive personal information, including precise geolocation and health data, and making sure companies don’t collect it without consent.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

They care about combating manipulative design patterns.

They also release detailed public reports on the number and nature of violations and cure notices in their state, as the Connecticut attorney general’s office did in February. They post detailed FAQs on their websites about data protection. They publish enforcement advisories to encourage voluntary compliance, as the California Privacy Protection Agency did just earlier this week.

And many states, including California and Colorado, also issue compliance guidelines in the form of implementation regulations to help businesses interpret the statutes. But even if a state doesn’t have rulemaking authority itself (like Connecticut, for example), you can easily use a sister state’s regs as guidance.

Because yes, state privacy laws have their nuances – and it’s important to acknowledge these differences – but there’s also a lot of overlap.

“The regulations issued by most states are relevant to us,” said Michele Lucan, a deputy associate attorney general in Connecticut’s AG office, during a session at IAPP earlier this week. “It’s there – the detail is not lacking.”

Knock, knock

Meanwhile, regulators are also paying close attention to media reports, social media posts and consumer complaints about data protection issues.

A company can be flying blithely under the radar one day and become the subject of an investigation the next.

DoorDash is a good example. The California attorney general launched an investigation into DoorDash in 2020 after one of the company’s customers complained on social media that she had received physical advertising mailers at her home, addressed to an alias she used solely when ordering food delivery through DoorDash.

When the AG looked into the issue, it discovered that DoorDash had shared this woman’s data many times over with numerous companies – a practice not mentioned in its privacy policy.

That’s how a simple grievance aired over social media resulted in an enforcement action under the CCPA. DoorDash received a relatively small $375,000 fine, but rather tough injunctive terms.

As part of the settlement, DoorDash is required to reassess all of its agreements with marketing vendors and submit annual reports to the AG for the next three years detailing any potential sale of or method for sharing personal information.

No such thing as ‘under the radar’

Against that backdrop, I’ll share a brief anecdote.

Comic: At Least They Asked ... ?I was doing the networking thing this week after the IAB event and found myself chatting with a privacy/security pro who works for a relatively small company. He told me that he feels insulated from regulatory scrutiny because his company is probably too small and not consumer-facing enough for an enforcer to concern itself with.

To be fair, not every business is liable under every state law. There are exemptions and thresholds, including how wide-scale the processing is and/or how much revenue a company derives from selling or sharing consumer information.

But if a law applies to a company, there isn’t any protective armor against regulatory attention other than good faith compliance.

A company or client may think they’re flying under the radar, but that is a false sense of security, said Jill Szewczyk, an assistant AG focused on data privacy and cybersecurity in the Colorado attorney general’s office.

After all, it only takes one consumer complaint.

“If a customer goes to use their website and notices they’re not giving them their consumer rights,” Szewczyk said, “then that company is going to be on our radar.”

****************************************************************************

Unrelated, but I have to share: I went to a session at IAPP on Thursday about the regulator’s perspective on privacy-enhancing technologies. On stage, Chris Calabrese, Microsoft’s senior director of privacy and data policy, said that PETs can be very valuable, but “there is no one magic PET that you can use for everything.”

The first and immediate thought that popped into my head was, “My cat would probably disagree.” 😹

That’s okay. I’ll see myself out.

🙏 Thanks for reading! As always, feel free to drop me a line at [email protected] with any comments or feedback, although forgive me for any delayed replies. It’s been a long week.

Must Read

To Reduce The Ad Tech Tax, Sovrn Expands Its SaaS Pricing Model

Sovrn is now offering its header bidding managed service, dubbed Ad Management, as self-serve software for a flat CPM fee.

play button with many coins isolated on blue background. The concept of monetization of the video. Making money on video content. minimal style. 3d rendering

Exclusive: Connatix And JW Player Merge To Create A One-Stop Shop For Video Monetization

On Wednesday, video monetization platforms Connatix and JW Player announced plans to merge into a new entity called JWP Connatix. The deal was first rumored in July.

Buyers Can Now Target High-Attention Inventory In The Trade Desk

By applying Adelaide’s Attention Unit scoring, buyers can target low-, medium- and high-attention inventory via TTD’s self-serve platform.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

How Should Advertisers Navigate A TikTok Ban Or Google Breakup? Just Ask Brian Wieser

The online advertising industry is staring down the barrel of not one but two potential shutdowns that could radically change where brands put their ad dollars in 2025, according to Madison and Wall’s Brian Weiser and Olivia Morley.

Intent IQ Has Patents For Ad Tech’s Most Basic Functions – And It’s Not Afraid To Use Them

An unusual dilemma has programmatic vendors and ad tech platforms worried about a flurry of potential patent infringement suits.

TikTok Video For Open Web Publishers? Outbrain Built It.

Outbrain is trying to shed its chumbox rep by bringing social media-style vertical video to mobile publishers on the open web.