Home Data Privacy Roundup Flying Under The Radar Is Not A Realistic Compliance Strategy

Flying Under The Radar Is Not A Realistic Compliance Strategy


Enforcement. Is. Coming.

I spent the week in Washington, DC, attending two privacy- and public policy-focused events.

One was a relatively intimate gathering of a few hundred digital advertising executives, policy folks and ad tech lawyers hosted by the IAB at a Convene in downtown DC. The other was the IAPP’s Global Privacy Summit, a nearby gathering of several thousand privacy pros in a cavernous convention center.

And I have a single takeaway from both: When people tell you something with their whole chest, it’s probably best to listen.

In session after session, state regulators got up on stage to talk in detail about their data privacy enforcement priorities.


So, what do regulators care about?

Exactly what you’d expect them to.

They care about transparency, proper disclosures and whether a company’s privacy policy is compliant.

They care about honoring opt-out requests and making sure consumers can exercise their legal rights.

They care about kids, about protecting sensitive personal information, including precise geolocation and health data, and making sure companies don’t collect it without consent.


AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

They care about combating manipulative design patterns.

They also release detailed public reports on the number and nature of violations and cure notices in their state, as the Connecticut attorney general’s office did in February. They post detailed FAQs on their websites about data protection. They publish enforcement advisories to encourage voluntary compliance, as the California Privacy Protection Agency did just earlier this week.

And many states, including California and Colorado, also issue compliance guidelines in the form of implementation regulations to help businesses interpret the statutes. But even if a state doesn’t have rulemaking authority itself (like Connecticut, for example), you can easily use a sister state’s regs as guidance.

Because yes, state privacy laws have their nuances – and it’s important to acknowledge these differences – but there’s also a lot of overlap.

“The regulations issued by most states are relevant to us,” said Michele Lucan, a deputy associate attorney general in Connecticut’s AG office, during a session at IAPP earlier this week. “It’s there – the detail is not lacking.”

Knock, knock

Meanwhile, regulators are also paying close attention to media reports, social media posts and consumer complaints about data protection issues.

A company can be flying blithely under the radar one day and become the subject of an investigation the next.

DoorDash is a good example. The California attorney general launched an investigation into DoorDash in 2020 after one of the company’s customers complained on social media that she had received physical advertising mailers at her home, addressed to an alias she used solely when ordering food delivery through DoorDash.

When the AG looked into the issue, it discovered that DoorDash had shared this woman’s data many times over with numerous companies – a practice not mentioned in its privacy policy.

That’s how a simple grievance aired over social media resulted in an enforcement action under the CCPA. DoorDash received a relatively small $375,000 fine, but rather tough injunctive terms.

As part of the settlement, DoorDash is required to reassess all of its agreements with marketing vendors and submit annual reports to the AG for the next three years detailing any potential sale of or method for sharing personal information.

No such thing as ‘under the radar’

Against that backdrop, I’ll share a brief anecdote.

Comic: At Least They Asked ... ?I was doing the networking thing this week after the IAB event and found myself chatting with a privacy/security pro who works for a relatively small company. He told me that he feels insulated from regulatory scrutiny because his company is probably too small and not consumer-facing enough for an enforcer to concern itself with.

To be fair, not every business is liable under every state law. There are exemptions and thresholds, including how wide-scale the processing is and/or how much revenue a company derives from selling or sharing consumer information.

But if a law applies to a company, there isn’t any protective armor against regulatory attention other than good faith compliance.

A company or client may think they’re flying under the radar, but that is a false sense of security, said Jill Szewczyk, an assistant AG focused on data privacy and cybersecurity in the Colorado attorney general’s office.

After all, it only takes one consumer complaint.

“If a customer goes to use their website and notices they’re not giving them their consumer rights,” Szewczyk said, “then that company is going to be on our radar.”


Unrelated, but I have to share: I went to a session at IAPP on Thursday about the regulator’s perspective on privacy-enhancing technologies. On stage, Chris Calabrese, Microsoft’s senior director of privacy and data policy, said that PETs can be very valuable, but “there is no one magic PET that you can use for everything.”

The first and immediate thought that popped into my head was, “My cat would probably disagree.” 😹

That’s okay. I’ll see myself out.

🙏 Thanks for reading! As always, feel free to drop me a line at [email protected] with any comments or feedback, although forgive me for any delayed replies. It’s been a long week.

Must Read

Comic: TFW Disney+ Goes AVOD

Disney Expands Its Audience Graph And Clean Room Tech Beyond The US

Disney expands its audience graph and clean room tech to Latin America, marking the first time it will be available outside the US. The announcement precedes this week’s launch of Disney+ with ads in Latin America.

Advertible Makes Its Case To SSPs For Running Native Channel Extensions

Companies like TripleLift that created the programmatic native category are now in their awkward tween years. Cue Advertible, a “native-as-a-service” programmatic vendor, as put by co-founder and CEO Tom Anderson.

Mozilla acquires Anonym

Mozilla Acquires Anonym, A Privacy Tech Startup Founded By Two Top Former Meta Execs

Two years after leaving Meta to launch their own privacy-focused ad measurement startup in 2022, Graham Mudd and Brad Smallwood have sold their company to Mozilla.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Nope, We Haven’t Hit Peak Retail Media Yet

The move from in-store to digital shopper marketing continues, as United Airlines, Costco, PayPal, Chase and Expedia make new retail media plays. Plus: what the DSP Madhive saw in advertising sales software company Frequence.

Comic: Ad-ception

The New York Times And Instacart Integrate For Shoppable Recipes

The New York Times and Instacart are partnering for shoppable recipe videos.

Experian Enters The Third-Party Data Onboarding Business

Experian entered the third-party data onboarder market on Tuesday with a new product based on its Tapad acquisition.