You know that old saw about how regulators aren’t technical and don’t understand how online advertising works? Yeah, that’s not a thing anymore.
Regulators, and the plaintiffs’ bar for that matter, are more than comfortable poking around in the weeds.
It’s actually quite easy for them – for anyone really – to verify whether a company is adhering to its own public-facing privacy policies and disclosures.
All they have to do is go to their browser and open up the dev tools – the same tools developers use to inspect, debug and optimize sites and apps – to identify what data is being collected and which specific third parties that data is being shared with.
“This is really low-hanging fruit for regulators,” said Daniel Rosenzweig, founder of boutique law firm DBR Data Privacy Solutions, speaking at an IAB Tech Lab privacy event in New York City last month.
Don’t roll out a red carpet for the plaintiffs’ bar
The two fruits hanging the lowest right now – as in, plaintiffs’ attorneys love ‘em – are the Video Privacy Protection Act (VPPA) and the California Invasion of Privacy Act (CIPA).
The VPPA prohibits video service providers from disclosing personally identifiable information about consumers – their video viewing and rental history – without their explicit consent.
When the law was passed in 1988, this prohibition applied to physical video rentals and sales records. VPPA ain’t called the “Blockbuster law” for nothing.
But today, plaintiffs’ attorneys and class-action firms are using the VPPA to bring lawsuits against sites or apps that include video content and use tracking pixels, like those on offer from social media platforms.
“Plaintiffs are coming up with creative theories for laws that don’t necessarily reflect how technology operates today,” Rosenzweig said.
CIPA has similar vibes.
The law was passed in 1967 in response to growing concerns at the time about privacy violations related to wiretapping and electronic eavesdropping.
Now it’s being wielded as the basis for allegations that certain sites and apps use web tracking technologies – social media pixels, of course, but also session replay tech and customer service chat functionality – without proper notice and consent from users.
Walk the talk
Running afoul of these laws is a pricey proposition.
CIPA violations can lead to statutory damages of $5,000 per incident, and VPPA violations are $2,500 a pop.
Which is why it’s critical for companies to do what they say and say what they do.
“Your public statements and your contracts are only as good as the technology that supports it, and regulators are very aware of this,” Rosenzweig said. And so are the class-action folks.
If your privacy policy says you honor opt-outs, for instance, or that you won’t use a person’s precise geolocation for certain use cases, but then you do those things, that’s like having a target on your back.
And it’s not enough to farm responsibility out to a privacy vendor or some other partner and call it a day.
If, for example, your consent management platform doesn’t work for whatever reason – maybe it hasn’t been configured correctly or perhaps it hasn’t been properly integrated with other systems – well, that’s on you.
So be proactive to mitigate exposure, Rosenzweig said.
Use industry standard technologies like the IAB’s Diligence Platform for vendor management and the IAB Tech Lab’s Global Privacy Protocol (recently rebranded from the “Global Privacy Platform”) to pass consent strings.
It might also be a good idea not to transmit any video-related data to third parties (to avoid VPPA claims) and to ask all users for opt-in consent before using certain tracking technologies (to steer clear of CIPA claims).
That said, brands and publishers need to balance risk mitigation alongside their business objectives, Rosenzweig said.
Not sharing any video-related data with third parties, for example, could reduce campaign effectiveness, and going the opt-in route isn’t strictly required in the US. The majority of comprehensive state privacy laws only call for an opt-out.
All the same, be well aware that regulators and plaintiffs’ attorneys aren’t just watching; they’re actively checking sites and apps for compliance issues. And if they find one, Rosenzweig said, it’s very easy to take a screenshot and “throw it in a complaint.”
That’s why it’s important to make sure there’s nothing to find, he said.
“Go in, figure out what’s happening – hands on keyboard,” Rosenzweig said. “Work with product and work with development … to bring it all together.”
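The dev-tools check described above can be scripted against a HAR file exported from the browser's Network panel. The following is an added example, not code from the article or from Rosenzweig: it lists the third-party hosts that still received requests after a tester opted out, along with the query parameter names sent to them. The sample capture, host names, opt-out timestamp and the simple suffix-based first-party match are all constructed assumptions.

```javascript
// Added example: audit a HAR export for third-party requests fired after an opt-out.
// HAR 1.2 layout: log.entries[].startedDateTime and log.entries[].request.url.

// Constructed sample capture; hosts and parameters are made up for illustration.
const sampleHar = {
  log: {
    entries: [
      { startedDateTime: "2025-01-01T10:00:00.000Z",
        request: { method: "GET", url: "https://www.publisher.example/watch?v=123" } },
      { startedDateTime: "2025-01-01T10:00:01.000Z",
        request: { method: "GET", url: "https://cdn.publisher.example/player.js" } },
      { startedDateTime: "2025-01-01T10:00:02.000Z",
        request: { method: "GET", url: "https://pixel.social.example/tr?ev=PageView&video_title=Demo" } },
      { startedDateTime: "2025-01-01T10:00:09.000Z",
        request: { method: "GET", url: "https://pixel.social.example/tr?ev=VideoPlay&video_title=Demo&uid=abc" } },
      { startedDateTime: "2025-01-01T10:00:10.000Z",
        request: { method: "POST", url: "https://replay.vendor.example/collect" } },
    ],
  },
};

// Naive first-party test (assumption): exact host or a subdomain of the site's domain.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Summarise third-party hosts contacted at or after optOutTime (ISO 8601 string).
function requestsAfterOptOut(har, siteDomain, optOutTime) {
  const cutoff = Date.parse(optOutTime);
  const byHost = new Map();
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    if (isFirstParty(url.hostname, siteDomain)) continue;
    if (Date.parse(entry.startedDateTime) < cutoff) continue;
    const rec = byHost.get(url.hostname) || { host: url.hostname, count: 0, params: new Set() };
    rec.count += 1;
    for (const name of url.searchParams.keys()) rec.params.add(name);
    byHost.set(url.hostname, rec);
  }
  return [...byHost.values()].map(r => ({ host: r.host, count: r.count, params: [...r.params].sort() }));
}

// The tester clicked "opt out" at 10:00:05 in this constructed session.
const findings = requestsAfterOptOut(sampleHar, "publisher.example", "2025-01-01T10:00:05.000Z");
console.log(JSON.stringify(findings, null, 2));
```

Any host in the output is one to reconcile against the privacy policy and the consent platform's configuration; POST bodies are not inspected here and need a separate look.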
🙏 Thanks for reading! As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.
🎟️ And while you’re here, I don’t mean to alarm you (please click the link; it’s probably the best cat video I’ve ever seen), but Programmatic IO: Innovate is around the corner, and tickets are going fast. Snag yours here, and we’ll see you May 19-21 in Las Vegas for great content, including a session on how to recognize red flags when companies are flogging their supposedly “fully privacy safe” and “100% CCPA compliant” solutions.