“The Sell Sider” is a column written for the sell side of the digital media community.
Today’s column is written by Keith Abbey, vice president of publisher growth at Sovrn.
With less than six months to California Consumer Privacy Act (CCPA) enforcement, the law is still nebulous and far from its final shape.
But that shouldn’t stop publishers from preparing for its arrival. With other state laws also in the making – including Nevada’s new consumer privacy regulation, Senate Bill 220, which goes into effect in October – publishers must plan for an increasingly tough regulatory landscape.
When the EU’s General Data Protection Regulation (GDPR) took hold in May 2018, some US publishers opted to block EU traffic. With state regulations, this isn’t a viable option – the logistics would be too complex and the revenue hit would be too great. What is more likely is that publishers might take a Band-Aid approach to compliance, doing just enough as each regulation surfaces, but this is a risky strategy while laws are so vague and varied.
The best approach for publishers is to prepare for the worst-case scenario.
Prepping for the worst
Most data privacy regulations have broad similarities. They give consumers more control over personal data by allowing them to see what is collected and who it is shared with, and the laws may empower consumers to have data corrected or deleted. Publishers will need to facilitate this process.
But the specific terms of each law are less consistent.
In the worst-case scenario, laws apply to any company that collects or processes personal information. While the current iteration of CCPA may only apply to companies with more than $25 million gross annual revenue – precluding many smaller publishers – Nevada’s Senate Bill 220 applies to all operators of internet websites and online services.
Privacy laws such as the GDPR regulate the use of automated decision-making. This restriction is potentially problematic for publishers who make revenues from programmatic advertising, where ads are targeted to the user’s individual profile. While the CCPA does not currently regulate profiling, future state laws may well cover this tactic.
Perhaps most significantly, regulations may require users to opt into data collection and sharing, compelling publishers to gain affirmative consent to audience data use. The CCPA is currently working on the basis of implied consent, only requiring opt-in for children under the age of 16, and the Nevada bill currently has no opt-in requirements. But the GDPR requires explicit opt-in, and future regulations could take the same line.
Data laws come with hefty fines ranging from 4% of annual global revenue (GDPR) to $7,500 per database record (CCPA). Some laws, like the CCPA, may allow publishers to rectify noticed violations, but some, like GDPR, will not. Some states may allow private right to action – when someone other than the state has the authority to enforce rights under a statute – while others will leave enforcement to the attorney general.
Publishers who want to stay ahead of the curve should assume laws will:
- apply universally
- impact the profiling behind automated advertising
- require explicit consent to data processing
- invoke maximum penalties with private right to action
Assessing their current data practices and implementing solutions to meet this worst-case scenario will position them for whatever shape future data regulations take.
Ending up with the best
Publishers may find privacy laws are less stringent than expected. Perhaps their size or revenues will preclude them from compliance. Maybe regulators will be lenient and limit fines for those that cooperate. Profiling may fall outside the scope of legislation, and the ability to opt out may be enough without the need to obtain specific consent.
But publishers that prepare for the worst could gain a competitive advantage. By demonstrating they care about privacy and take data protection seriously, they will build stronger relationships with their audiences based on trust and respect. And, by ensuring they have explicit consent for data processing, they can actually increase programmatic advertising revenues.
Buyers are willing to bid higher on inventory that contains a consent string delivered in the bid, according to Smart Ad Server, which found that consent drove a 95% increase in impression value post-GDPR. Finally, by taking an in-depth approach to compliance, publishers can uphold an internet that is free and open for all, enabling content access regardless of state or country, without risk of breaching a complex patchwork of data regulations.
As regulations emerge thick and fast, a lack of clarity should not stop publishers from putting their data affairs in order. Those that prepare for the worst-case scenario will not only be ready for whatever is on the horizon, they could also benefit from stronger audience relationships, which may traverse geographic borders, and higher ad revenues based on specific consent.
Follow Sovrn (@sovrnholdings) and AdExchanger (@adexchanger) on Twitter.
