Here’s some free legal advice from a privacy lawyer: Don’t make privacy claims if you’re not going to stick to them.
Regulators notice stuff like that, and it ticks them off, said Daniel Rosenzweig, a data privacy attorney who left Norton Rose Fulbright late last year to found his own boutique law firm called DBR Data Privacy Solutions.
He’s since developed a set of technical compliance tools, including for digital data auditing, consent management, cookie banner evaluation and opt-out effectiveness.
“It’s one thing to have a disclosure that says you’re doing something like offering an opt-out,” Rosenzweig said, “but if you and your partners aren’t honoring it, that could be considered unfair and deceptive under the law.”
In other words, if a company’s technology behaves differently than described, it could be an FTC violation or infringe on any number of US state privacy laws.
And regulators are more than tech-savvy enough to investigate the inner workings of online advertising – not to mention class-action attorneys, privacy advocates and, increasingly, consumers themselves.
“Regulators have made it very clear that they are technically sophisticated, and they can see whether you’re honoring what you said in your privacy policy,” Rosenzweig said. “And if you’re not, you’ve got a problem.”
Rosenzweig shared a few more gratis legal tips with AdExchanger.
AdExchanger: Not to make you throw your former colleagues under the bus, but are most lawyers at big firms technical enough to handle the crazy complexity of the online advertising ecosystem: onboarding, identity graphs, SDKs, APIs, data clean rooms, PETs, LLMs? The list goes on.
DANIEL ROSENZWEIG: I’ve always been interested in technology, and where I went to law school [Georgetown Law] was very innovative and forward-thinking. They offered coding for lawyers – things of that nature. But that isn’t available everywhere, and that’s why it’s not a common skill set.
But it’s an important one, because I can be the bridge – like a translation layer – between developers, product engineering, lawyers and the marketing team. I’m actually working on a project right now about how a client can approach the reintroduction of certain pixels onto their site.
Lawyers are usually conservative by nature and not aware that there are different configurations available, so they might just say, “Don’t use that tool.” But if you understand how it works, you can balance implementation and compliance.
Do most companies understand their own data flows?
There are a lot of vendors and social media companies out there pushing their technology and their pixels. Before you know it, you’ve got a bunch of stuff on your site spraying information. (It’s important to note that this is not inherently in violation of the law. It’s how the internet currently operates.)
But I don’t think most companies have a real understanding of how many third parties have been introduced onto their website, and it goes back to the dynamic between lawyers and the tech team.
How else does this dynamic manifest?
Lawyers often rely on the tech team to know what a particular technology entails, and the tech team doesn’t always know what the law entails.
Take location data. There’s precise geolocation, which requires more scrutiny and maybe an opt in, and coarse location, like ZIP code or state, which is treated very differently under the law. I’ll often be on calls where someone from legal will say, “We’re collecting geolocation data,” and when I drill down, I find out they’re talking about coarse and not precise location. The nuances are important, and the context really matters.
What is the lowest-hanging fruit for companies to address from a privacy perspective? As in, something they should 100% be doing, and if they’re not doing it, they should get on it immediately.
Validate anything that’s public-facing. Relying on vendors is important, but you have to validate that the technology is behaving as it should.
What do you think of plug-and-play privacy tech?
A contract may include indemnification so that a vendor provides some sort of recourse or protection for a business in the event the vendor’s technology isn’t working and it results in a violation.
But the law is focused on the controller – meaning the business. It’s their responsibility to effectuate a consumer’s opt-out. It’s on them to make sure the opt-out is configured properly and working. The law is clear. The business is responsible.
Are too many ad tech companies whistling past the graveyard?
Ad tech knows it needs to change, although some of the responses we’ve seen may go against the intent of the law, and I mean that more from the consumer perspective than anything. Take the move toward first-party data and relying on persistent deterministic IDs, like a hashed email address. At least cookies are resettable.
The challenge will be to preserve the business while also being privacy-compliant and not intruding on consumer privacy. In my experience, most companies are not intentionally violating the law.
This interview has been lightly edited and condensed.
🙏 Thanks for reading! I’m traveling to Washington, DC, the first week in April for the IAB’s Public Policy & Legal Summit and the IAPP’s Global Privacy Summit. Say hi – or meowdy – if you see me! And, as always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.
For more articles featuring Daniel Rosenzweig, click here.
