The Latest On… Privacy

Developments in the area of privacy law are coming fast and furious, and you can count on OAAA to keep you informed. Here are five key developments regarding data and privacy:

1. Enforcement has started in California

The office of California’s Attorney General has started to commence enforcement actions against companies in a wide variety of industries for various failures to comply with the California Consumer Privacy Act (CCPA). These actions allege violations of many different provisions of the CCPA. Fortunately, for now, the CCPA has a 30-day cure provision for most violations. Therefore, many infractions can be fixed within such 30 day period to avoid fines and other punishment. That said, responding to a regulatory inquiry is never fun.

The authorities in California seem to be drawn to inconsistencies in companies’ public claims about CCPA compliance versus actual practices. For example, if a privacy policy says a company “sells” personal information (which has a very broad meaning) but the website does not have a “Do Not Sell My Personal Information” link on the homepage, regulators are quick to point out that one of those practices is not correct. 

All types of companies have been contacted by the California Attorney General’s office, including publishers and service providers, and not just ad tech or other data-heavy companies.

2. 2022 will be a pivotal year

New privacy laws take effect on January 1, 2023, in California, Colorado, and Virginia. While most U.S. privacy laws have taken an “opt-out” approach, Colorado and Virginia have introduced “opt-in” regulatory regimes for the collection of certain sensitive personal information (such as precise geo-location data). Opt-in models are much more challenging for companies, and limit the amount of data that can ultimately be collected and used.

The new law in California is the California Privacy Rights Act (CPRA), sometimes called “CCPA 2.0.” The CPRA required the creation of the nation’s first stand-alone privacy regulatory agency. Five commissioners and an Executive Director have already been appointed. They are staffing up and you should expect this new agency to be aggressive.

3. China

Those following the privacy debate have long focused on the European Union’s General Data Protection Regulation (GDPR). China has quickly jumped into the mix with its enactment of the Personal Information Privacy Law (PIPL), which takes effect November 1, 2021. It varies from the GDPR in a number of ways and will introduce new challenges to processing personal information in China.

4. Out of home media is safe and compliant, and, therefore, has opportunities for growth

With all of these changes in privacy laws, one thing is becoming very clear: out of home is a safe media! While privacy compliance should not be ignored or minimized in this industry, the nature of the out of home industry eliminates some of the more contentious data collection and use practices in the advertising industry. Therefore, as advertisers keep a close eye on these new privacy laws, the out of home industry can offer them a safe and compliant medium.

5. Congress

All of this complexity could be resolved if Congress were to enact a national privacy standard, but do not expect to see one in the near future:

  • Congress is focused on other priorities such as infrastructure, Covid, and the debt limit.
  • For some in Congress, the enactment of privacy laws at the state level reduces pressure on Congress to act.
  • The current congressional focus on Big Tech is on anti-trust issues, and not privacy.