Last week the Association of National Advertisers (ANA) strongly reasserted a position it articulated last year in favor of national privacy regulation. The trade organization is also calling for preemption of current and pending state privacy laws – especially the California Consumer Privacy Act (CCPA), which is set to take effect six months from today.
National advertisers want one law. The ANA, in a June 27 letter to the FTC stated, “a national privacy law should preempt inconsistent state laws, enhance the development of a competitive level playing field for marketers and other businesses, and assure consumers that their data will be used by business only for approved non-discriminatory purposes.”
Many of the ANA’s arguments have merit (e.g., GDPR and and CCPA tend to favor large incumbents with first-party data), while others are more cynical and appear interested in preserving as much of the status quo as possible (“consumers support the data-driven advertising model that has subsidized and enabled the vast and varied content, products, and services they are able to access at little or no cost to them”).
No federal privacy law likely before 2020. To date, multiple privacy and consumer data protection bills have been introduced in Congress by both Republicans and Democrats. However, it’s unlikely that there will be any comprehensive federal privacy legislation that gets passed before the 2020 election. That means that CCPA will take effect (the FTC can’t preempt state laws) and companies across the U.S. will be forced to contend with it as the de facto consumer privacy law of the land.
The current state of CCPA preparedness is muddled at best, according to a new survey of 345 privacy and IT professionals by IAPP and TrustArc. This is partly about the confusion surrounding the state of the law and partly exacerbated by the proliferation of vendors. There are also budget challenges and questions about who has control over privacy-related software decision-making.
Privacy vendor ranks swelling. IAPP documented roughly 50 privacy tech vendors across nine product categories in 2017. At the end of 2018, the organization identified 200 vendors across 10 product categories. And the numbers are still growing.
Source: IAPP and TrustArc, n=345 (2019)
The IAPP-TrustArc report identifies three broad categories of businesses in the market: those that are actively testing solutions today, those planning to purchase in the next year, and those not planning to purchase. Above is a chart that shows adoption by privacy product category and region. An earlier TrustArc survey found that fewer than 15% of companies were compliant with CCPA, as of May 2019.
The current IAPP-TrustArc survey identifies “Lack of budget/resources,” “getting approval” and the “immaturity of privacy tech solutions” as the top three barriers to privacy software adoption. The “need to demonstrate compliance” is the top motivator by contrast.
Private contracts, not legal exposure, will drive compliance. One vendor, Cuebiq, argues that “the need to demonstrate compliance” will drive the market. However, regulators and public officials will not be the primary parties demanding evidence of CCPA compliance. According to Cuebiq CEO Antonio Tomarchio, third-party contracts will require compliance. “Indemnification clauses in contracts from brands and agencies will demand the ability to audit data compliance under CCPA.”
Cuebiq, which also provides location analytics, offers a “Consent Management and Data Provenance (CMDP) solution,” based on blockchain. “Because data provenance is captured and easily audited,” says Tomarchio, “it offers protection for brands and agencies buying audiences.” This is only one of many privacy software solutions, as indicated, although Tomarchio says its blockchain-based approach is currently unique.
Why we should care. While there is lots of discussion of privacy compliance these days, many marketers still fantasize the whole issue will go away. It won’t. The right and pragmatic attitude is to take a “privacy forward” approach and start taking the steps outlined in this article to comply.
Even if federal legislation is passed at the 11th hour, preempting CCPA (unlikely), the measures companies have taken toward compliance today will make it that much easier to address any alternative, less strict federal framework tomorrow.