Home Data Privacy Roundup Flying Under The Radar Is Not A Realistic Compliance Strategy

Flying Under The Radar Is Not A Realistic Compliance Strategy


Enforcement. Is. Coming.

I spent the week in Washington, DC, attending two privacy- and public policy-focused events.

One was a relatively intimate gathering of a few hundred digital advertising executives, policy folks and ad tech lawyers hosted by the IAB at a Convene in downtown DC. The other was the IAPP’s Global Privacy Summit, a nearby gathering of several thousand privacy pros in a cavernous convention center.

And I have a single takeaway from both: When people tell you something with their whole chest, it’s probably best to listen.

In session after session, state regulators got up on stage to talk in detail about their data privacy enforcement priorities.


So, what do regulators care about?

Exactly what you’d expect them to.

They care about transparency, proper disclosures and whether a company’s privacy policy is compliant.

They care about honoring opt-out requests and making sure consumers can exercise their legal rights.

They care about kids, about protecting sensitive personal information, including precise geolocation and health data, and making sure companies don’t collect it without consent.


AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

They care about combating manipulative design patterns.

They also release detailed public reports on the number and nature of violations and cure notices in their state, as the Connecticut attorney general’s office did in February. They post detailed FAQs on their websites about data protection. They publish enforcement advisories to encourage voluntary compliance, as the California Privacy Protection Agency did just earlier this week.

And many states, including California and Colorado, also issue compliance guidelines in the form of implementation regulations to help businesses interpret the statutes. But even if a state doesn’t have rulemaking authority itself (like Connecticut, for example), you can easily use a sister state’s regs as guidance.

Because yes, state privacy laws have their nuances – and it’s important to acknowledge these differences – but there’s also a lot of overlap.

“The regulations issued by most states are relevant to us,” said Michele Lucan, a deputy associate attorney general in Connecticut’s AG office, during a session at IAPP earlier this week. “It’s there – the detail is not lacking.”

Knock, knock

Meanwhile, regulators are also paying close attention to media reports, social media posts and consumer complaints about data protection issues.

A company can be flying blithely under the radar one day and become the subject of an investigation the next.

DoorDash is a good example. The California attorney general launched an investigation into DoorDash in 2020 after one of the company’s customers complained on social media that she had received physical advertising mailers at her home, addressed to an alias she used solely when ordering food delivery through DoorDash.

When the AG looked into the issue, it discovered that DoorDash had shared this woman’s data many times over with numerous companies – a practice not mentioned in its privacy policy.

That’s how a simple grievance aired over social media resulted in an enforcement action under the CCPA. DoorDash received a relatively small $375,000 fine, but rather tough injunctive terms.

As part of the settlement, DoorDash is required to reassess all of its agreements with marketing vendors and submit annual reports to the AG for the next three years detailing any potential sale of or method for sharing personal information.

No such thing as ‘under the radar’

Against that backdrop, I’ll share a brief anecdote.

Comic: At Least They Asked ... ?I was doing the networking thing this week after the IAB event and found myself chatting with a privacy/security pro who works for a relatively small company. He told me that he feels insulated from regulatory scrutiny because his company is probably too small and not consumer-facing enough for an enforcer to concern itself with.

To be fair, not every business is liable under every state law. There are exemptions and thresholds, including how wide-scale the processing is and/or how much revenue a company derives from selling or sharing consumer information.

But if a law applies to a company, there isn’t any protective armor against regulatory attention other than good faith compliance.

A company or client may think they’re flying under the radar, but that is a false sense of security, said Jill Szewczyk, an assistant AG focused on data privacy and cybersecurity in the Colorado attorney general’s office.

After all, it only takes one consumer complaint.

“If a customer goes to use their website and notices they’re not giving them their consumer rights,” Szewczyk said, “then that company is going to be on our radar.”


Unrelated, but I have to share: I went to a session at IAPP on Thursday about the regulator’s perspective on privacy-enhancing technologies. On stage, Chris Calabrese, Microsoft’s senior director of privacy and data policy, said that PETs can be very valuable, but “there is no one magic PET that you can use for everything.”

The first and immediate thought that popped into my head was, “My cat would probably disagree.” 😹

That’s okay. I’ll see myself out.

🙏 Thanks for reading! As always, feel free to drop me a line at [email protected] with any comments or feedback, although forgive me for any delayed replies. It’s been a long week.

Must Read

‘Incrementality’ Is The Buzzword That Stole Prog IO

Well, that’s a wrap on Programmatic IO Las Vegas 2024! The AdExchanger editorial hopped on stage for a live recording of The Big Story to round up all the moments that made us go “a-ha” this week, including observations on commerce media, CTV and generative AI.

Paramount And Shopsense Add Programmatic Demand To Their Shoppable Ad Network

What if the new storefront is a person sitting on their couch and scrolling their phone?

Scott’s Miracle-Gro Is Seeing Green With Retail Media

It’s lawn season – and you know what that means. Scott’s Miracle-Gro commercials, of course. Except this time, spots for Scott’s will be brought to you by The Home Depot’s retail media network.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Walled Garden Platforms Are Drowning Marketers In Self-Attributed Sales

Sales are way up; ROAS is through the roof across search, social and ecommerce. At least, that’s what the ad platforms say.

Comic: Working Hard or Hardly Working?

Shadier Than Forbes? Premium Publishers Are Partnering With Content Farms To Make A Quick Programmatic Buck

The practice involves monetizing resold subdomains jammed with recycled MFA articles produced by notorious content farms.

Adalytics Claims Colossus SSP Is Misdeclaring IDs In Its Bid Requests

Colossus SSP, a DEI-focused supply-side platform owned by Direct Digital Holdings (DDH), is the subject of Adalytics’ latest report released Friday. It’s a doozy.