When people talk about data privacy, or data collection, or tracking technology, or analytics, or click farms, or bots, or data brokers, or geolocation, or mobile apps, or social media, or influencers, in the end what they’re really talking about is digital advertising. Yet while we may feel comfortable using the phrase to broadly describe any online marketing efforts, the purpose of digital advertising is quite different from the goal of a 30 second radio spot, and shares little with its Mad Men-era ancestors beyond the name.
But today, faced with a variety of new laws and regulations designed to protect consumer privacy, lawyers and their clients are obliged to take a much deeper and more nuanced dive into modern methods of digital advertising. And many are surprised at what they find.
Too many companies are unaware of how they themselves use digital advertising tools, let alone the legal and compliance ramifications. While it has rapidly become a cliché in many circles to note the potential for disruption presented by the new California Consumer Protection Act (CCPA) and a variety of similar pending bills around the country, a surprising number of companies don’t even consider themselves to be part of the massive, multi-billion dollar digital advertising ecosystem targeted by these laws. Moreover, recent reporting by Fortune suggests that even a majority of US companies that do recognize the need for compliance are not prepared for the CCPA, a law that takes effect in only a few short months. Today, with looming regulatory responsibilities, the potential for significant penalties per infraction, and a plaintiffs’ bar readying a deluge of class action litigation, it appears that we are still faced with a dangerous knowledge gap.
That said, it’s not too late to adopt compliance strategies, no matter who you are, or where you do business. But, as a first step, we must come to terms with digital advertising, how it is used, and why it has changed so much, so quickly. Once we understand where we stand today, it will become obvious that these new laws and regulations have the power to remake our economy in dramatic and unexpected ways.
So what is digital advertising?
Digital advertising is, simply stated, targeted marketing. To the tech industry giants who lead these efforts, digital advertising tools improve our lives: information about consumers is used to provide more relevant ads, suggest content consumers want to see, improve the e-commerce experience, promote competition, and increase the efficiency of a company’s marketing dollar. To critics, however, digital advertising is participatory surveillance, with companies looking to vacuum up every detail of our conscious life. But whether you view digital advertising as a valuable tool that empirically improves the online experience of consumers and companies alike, or as the first step towards a dystopian episode of Black Mirror, both sides largely agree on how digital advertising works today.
The life-cycle of digital advertising begins when data is collected about the activity of a consumer, with their direct consent or through disclosure by notice, during their interaction with a software enabled device. This collection can happen through a visit to a web page, or through use of a mobile app with geolocation functionality while walking the aisles of a store. It could be gathered from membership in a loyalty program, your “likes” on Instagram, your purchases at a point of sale register, your use of a search engine, or by a click on a link or a sponsored ad. It could be collected while hitting a “shop now” button on a social media platform, by following an influencer, or by dropping a tracking cookie on your laptop. Essentially any online interaction of any kind, and nearly any “real life” commercial interaction beyond a small cash purchase, is captured by someone.
That information is then cross-referenced with other data obtained about that same consumer (and similar consumers) from other sources. Profiles can be built. Perhaps additional data is purchased from a data broker, which in turn obtained that information from other sources. Third party vendors are hired to analyze trends and patterns. Predictive analytics are used to micro-target that consumer (and similar consumers) in future campaigns, and to learn more about their interests, and adjacent marketing opportunities. These new campaigns are then used to collect more information, and the process begins again.
Sophisticated privacy-aware consumers can take a variety of steps to object to these activities, but the process (and especially the role of data brokers in that process) can often be somewhat opaque. The fact that new techniques for collecting and harnessing this information are introduced regularly means that even savvy companies have to pay close attention to keep up with their own activities.
It is no surprise that many consumers like digital advertising when they get useful information about products and services that they want to buy. Nor is it a shock that consumers don’t like digital advertising when they feel as though it becomes intrusive, or their personal information becomes public. More critically, however, as digital advertising has become more immersive and less easily distinguished from “content,” it has also become increasingly difficult to discern the difference between data collection activities and participation in any online activity of any kind. Fears that we will soon live in the dystopian world of Minority Report are slowly replaced by fears that we will instead live in the curated, sponsored world of The Truman Show.
The seamless nature of data collection as an unavoidable element of modern commercial life is a triumph of clever software engineering; however, it is that very achievement that has driven lawmakers and regulators to focus on whether current models for consent, notice and disclosure are adequate to address these sophisticated new technologies.
This new scrutiny is not surprising, as the laws and regulations traditionally understood to address advertising and marketing efforts were designed with a very different kind of mind. A 30 second television spot served one of two simple purposes: urging consumers to purchase a product, or building equity in a brand. Even direct response advertising, in the end, was about making a sale. Advertising was deeply intentional, and subject to multiple layers of review by agencies, their clients, and the old media giants who broadcast advertising at consumers. Digital advertising is different because the essential purpose has changed. Advertising is no longer a one way activity, but rather an iterative, interactive process that constantly refines itself based on real-time feedback received from consumers. Artificial intelligence can make decisions about the moment-to-moment exposure of an advertising campaign, rather than a senior executive huddled with her legal team. Today, insights about a customer are often more valuable than any individual commercial transaction. Whole sectors of the economy have been transformed, no longer viewing themselves as in the business of selling widgets but rather as “analytics” companies.
The practical reason why this is important, and has resonance for new statutes like the CCPA, is that the logic and momentum of digital advertising has already turned unsuspecting companies into large scale repositories of consumer data, often in multiple places within the organization, and often without a clear sense of where each piece of data originated. Companies have access to data that identifies who you are, where you are, what you read, what you watch, the identity of your friends, what you like to buy, and any number of other facts. But did they collect all of that themselves? Did they purchase it from a data broker? Did they use a loyalty program in 2005 to collect some of that information, and then combine it with data gleaned from an online promotion in 2011, and then expand with information from a social platform in 2015? Which vendors helped them acquire that information, at what point, and under what agreement? What was shared, and what are those vendors doing with that information – information that may have been shared and then sold years before by forgotten personnel no longer available to explain. And the instant marketing capitalizing on that information may be driven by software rather than a human being.
What does the California Consumer Privacy Act Require?
At its core, the CCPA is a disclosure law giving Californians the right to know what personal information is collected about them, the business purpose for collecting the information, and with whom such information will be sold or shared. The CCPA will allow Californians to request that businesses not sell their personal information to third parties and to access the specific information businesses have collected about them even if the data came from other sources. That means that the very data collected from data brokers and others that fuels digital advertising and is associated with the consumer will have to be disclosed to Californians upon request.
Critically, there appears to be a disconnect between our common understanding of the terms “personal information” and “sell” as used in the CCPA, and their practical use within the digital advertising ecosystem. Both terms are broadly defined: “personal information” includes information that “identifies, relates to, describes, or is capable of being associated with a consumer or household” as well as “internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement (1798.140(o)(1)(F)). Accordingly a cookie ID and a social security number are treated the same within this framework. Likewise, the definition of “sell” broadly includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration” (1798.140(t)(1)). Many companies who believe that they don’t “sell” any “personal information” would be surprised to realize that nearly all digital advertising used by their organization necessitates activities that might be classified as exactly that.
Specifically, it appears that the drafters of the CCPA may not have fully appreciated the nuances of data flows that exist throughout the digital ecosystem. A literal application of the CCPA goes to the core of the digital advertising infrastructure and mechanics of communicating information with technical partners. If these transactions are considered “sales” under the CCPA, applying the CCPA’s disclosure requirements and honoring consumers’ access, opt out, and deletion rights could thwart the mechanics of nearly all digital advertising, make compliance extraordinarily difficult, force massive and disproportionate expenses on companies at a moment of significant technological fluidity, and all without achieving the goal of protecting the privacy of consumer information or adequately addressing the role of data brokers.
While some of these issues may be resolved through the California Attorney General’s rulemaking proceedings, and no one can say with any certainty what the final regulatory landscape in California or other states will resemble a year from now, there are things businesses can do now to prepare for complying with the CCPA no matter what happens.
Take Stock of Your Data and Your Relationships
We live in the midst of a data explosion. In 2018 Forbes reported that 90% of all data was created in the past two years. Most organizations are doubling the amount of data they possess within 18 to 24 months. Yet many businesses do not know the scope of their data assets. Now is the time to get started with a program of systematic introspection.
Understanding what data is collected, why it is collected, how it is used, with whom it is shared (or sold), and how long it is needed are the first steps in understanding your data flows. Such an assessment may reveal caches of data that are no longer needed and could create regulatory obligations, for example, in the event of a security breach that requires notifying a regulatory body or consumers. But more importantly, as new regulations come into existence, having your digital advertising and data collection processes mapped out will make it easier to comply no matter what those new rules happen to require.
Take stock of the relationships your business may have with third parties and service providers, because the type of relationship you may have can trigger different obligations. Revisit existing contracts with third parties that involve personal data (however tangentially). Think about whether those third parties will need to show your data to yet other third parties in order to build a marketing campaign. And don’t forget to look for other relationships that may not be buttoned down in a formal contract. The CCPA exempts from the definition of “sale” certain relationships where personal data is “sold” to a service provider for a specific purpose and the service provider agrees not to use the information for another purpose, and it is critical to determine whether this may apply to you. Of course, as with all regulations, there are nuances to these exceptions, so a careful analysis of the law and the relationship is required, as is a systematic program to review and revisit those relationships.
Do What You Say and Say What You Do
The CCPA is a primarily a disclosure law, so today is also a perfect moment to review your existing privacy policies and notices. The CCPA requires that specific information be included in website privacy policies and “at or near” the time data is collected from consumers. While your present notices may be sufficient, regular reviews of these documents is good practice even without these new looming obligations.
Many businesses already have mechanisms in place to facilitate communication with consumers, which can help businesses comply with the requirement that businesses provide two or more methods for consumers to request access to their information or exercise their opt out or deletion rights. If no such mechanism exists, it is time to start thinking about how to respond to consumer requests.
The Writing is on the Wall
Even though the CCPA will not be effective until January 1, 2020, and the California AG will be writing clarifying regulations, there is plenty to do now. And as we alluded to earlier, while the CCPA is top of mind, there are nearly a dozen states considering bills that are similar to the CCPA and several potential bills at the federal level are being considered in Congress.
So study up on how your organization uses digital advertising. What tools does it use to collect information about visitors, customers, or any other interaction with third parties? What information is collected, and by whom? What information is transferred to vendors and service providers? What information is purchased from data brokers? What types of legal review are used to examine the data intensive elements of new marketing campaigns? Only through systematic introspection and a sophisticated understanding of the technology can companies prepare themselves for the regulatory obligations that will multiply over the months and years to come. The digital advertising industry may look quite different after these laws take effect, but that doesn’t mean that the industry and their clients won’t have a future ahead of them – as long as they start building that future right now.