
Flying Under The Radar Is Not A Realistic Compliance Strategy


Enforcement. Is. Coming.

I spent the week in Washington, DC, attending two privacy- and public policy-focused events.

One was a relatively intimate gathering of a few hundred digital advertising executives, policy folks and ad tech lawyers hosted by the IAB at a Convene in downtown DC. The other was the IAPP’s Global Privacy Summit, a nearby gathering of several thousand privacy pros in a cavernous convention center.

And I have a single takeaway from both: When people tell you something with their whole chest, it’s probably best to listen.

In session after session, state regulators got up on stage to talk in detail about their data privacy enforcement priorities.

#priorities

So, what do regulators care about?

Exactly what you’d expect them to.

They care about transparency, proper disclosures and whether a company’s privacy policy is compliant.

They care about honoring opt-out requests and making sure consumers can exercise their legal rights.

They care about kids, about protecting sensitive personal information, including precise geolocation and health data, and making sure companies don’t collect it without consent.

They care about combating manipulative design patterns.

They also release detailed public reports on the number and nature of violations and cure notices in their state, as the Connecticut attorney general’s office did in February. They post detailed FAQs on their websites about data protection. They publish enforcement advisories to encourage voluntary compliance, as the California Privacy Protection Agency did just earlier this week.

And many states, including California and Colorado, also issue compliance guidelines in the form of implementation regulations to help businesses interpret the statutes. But even if a state doesn’t have rulemaking authority itself (like Connecticut, for example), you can easily use a sister state’s regs as guidance.

Because yes, state privacy laws have their nuances – and it’s important to acknowledge these differences – but there’s also a lot of overlap.

“The regulations issued by most states are relevant to us,” said Michele Lucan, a deputy associate attorney general in Connecticut’s AG office, during a session at IAPP earlier this week. “It’s there – the detail is not lacking.”

Knock, knock

Meanwhile, regulators are also paying close attention to media reports, social media posts and consumer complaints about data protection issues.

A company can be flying blithely under the radar one day and become the subject of an investigation the next.

DoorDash is a good example. The California attorney general launched an investigation into DoorDash in 2020 after one of the company’s customers complained on social media that she had received physical advertising mailers at her home, addressed to an alias she used solely when ordering food delivery through DoorDash.

When the AG looked into the issue, it discovered that DoorDash had shared this woman’s data many times over with numerous companies – a practice not mentioned in its privacy policy.

That’s how a simple grievance aired over social media resulted in an enforcement action under the CCPA. DoorDash received a relatively small $375,000 fine, but rather tough injunctive terms.

As part of the settlement, DoorDash is required to reassess all of its agreements with marketing vendors and submit annual reports to the AG for the next three years detailing any potential sale of or method for sharing personal information.

No such thing as ‘under the radar’

Against that backdrop, I’ll share a brief anecdote.

Comic: At Least They Asked ... ?

I was doing the networking thing this week after the IAB event and found myself chatting with a privacy/security pro who works for a relatively small company. He told me that he feels insulated from regulatory scrutiny because his company is probably too small and not consumer-facing enough for an enforcer to concern itself with.

To be fair, not every business is liable under every state law. There are exemptions and thresholds, including how wide-scale the processing is and/or how much revenue a company derives from selling or sharing consumer information.

But if a law applies to a company, there isn’t any protective armor against regulatory attention other than good faith compliance.

A company or client may think they’re flying under the radar, but that is a false sense of security, said Jill Szewczyk, an assistant AG focused on data privacy and cybersecurity in the Colorado attorney general’s office.

After all, it only takes one consumer complaint.

“If a customer goes to use their website and notices they’re not giving them their consumer rights,” Szewczyk said, “then that company is going to be on our radar.”

****************************************************************************

Unrelated, but I have to share: I went to a session at IAPP on Thursday about the regulator’s perspective on privacy-enhancing technologies. On stage, Chris Calabrese, Microsoft’s senior director of privacy and data policy, said that PETs can be very valuable, but “there is no one magic PET that you can use for everything.”

The first and immediate thought that popped into my head was, “My cat would probably disagree.” 😹

That’s okay. I’ll see myself out.

🙏 Thanks for reading! As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback, although forgive me for any delayed replies. It’s been a long week.
