Here we go again: Privacy regulations hit the States
The much-anticipated California Consumer Privacy Act (CCPA) came into force on 1st January this year, bringing with it a headache for adtech firms based in the US. Despite the IAB publishing their tech specs to guide the industry, many are still unsure what’s required of them, how to be compliant and how the year will pan out in general. Confused? You should be…
Welcome to Groundhog Day! No, you’re not in a Bill Murray movie. It really is yet another round of tech specs published by the IAB, designed to whip us into shape as an industry and become compliant with data privacy regulation.
Except we’re not talking about GDPR this time. Nope; this belated Christmas present comes courtesy of California and it is, of course, their much-anticipated CCPA.
For 18 months, a good number of US adtech firms seemed to be in denial over GDPR in Europe. Some even took the drastic decision to pull out of the region entirely, including Kargo, Drawbridge, and Verve. But there’s only so much time an ostrich can stick its head in the sand and with the introduction of CCPA, it’s been a rude awakening for many US companies.
You only need to look at the comments businesses have made on the California Attorney General’s draft regulations. Some of them are ready to pull their hair out: “I am trying to understand what our business must do to comply… but I am not able to even begin this work, because the draft regulation does not define ‘personal information.’ THIS APPEARS TO BE A MAJOR OVERSIGHT.”
Guys, we hear you. We’ve been there. And we won’t sugarcoat it for you; the next year is not going to be pretty. But we’ve been through it with GDPR and guess what? Your concerns now were our concerns then.
Yes, the IAB Tech Lab has published their guidelines to try to get you compliant with CCPA but don’t forget, the regulation isn’t necessarily set in stone just yet. They’re still going through the comments that were made during the consultation period.
At best, the California Attorney General won’t make any substantive changes to the original version and they’ll, therefore, be finalised and effective from early April this year. However, should the Attorney General decide to make more considerable amendments to the draft, it will need to be circulated yet again for consultation and then rechecked. That means things wouldn’t be finalised until the beginning of July at the earliest.
As Dennis Buchheim, EVP and general manager of the IAB Tech Lab put it,
“GDPR, and now CCPA, are living beasts and we’ll need to continue to watch how they evolve and adapt accordingly.”
Ok fine. But at least once the Attorney General is finally happy with the regs and the IAB have updated their guidelines, that should be it, right? We’ll know where we stand?
No such luck, we’re afraid. If we take Europe and the implementation of GDPR as a potential sign of things to come in the US, we should probably point out that we’re now on our second iteration of guidelines from the IAB (TCF 2.0) because the first lot weren’t deemed to be compliant with GDPR.
And another spanner in the works: some people are still saying that even TCF 2.0 hasn’t sorted the problem, particularly in the world of RTB. Johnny Ryan, of tracking-blocking web browser Brave, explains:
“First, it is not possible to ask for GDPR compliant consent for RTB because RTB leaks what people are reading, listening to and watching to an unknown number of companies, who do unknowable things with it. Article 5 (1) requires that personal data must be protected and RTB does not do this. TCF 2.0 is being introduced because the IAB’s original framework was deeply flawed. Publishers and advertisers trusted the IAB to provide guidance about the GDPR. It is now abundantly clear that this trust was misplaced. TCF 2.0 does not solve the problems of RTB.”
Perhaps even more amazingly, despite setting their deadlines and nearly two years on from GDPR’s implementation date, one of the biggest players in the market, Google, still isn’t compliant with market standard TCF. Chetna Bindra, senior product manager for user trust, privacy and transparency at Google announced in August last year: “In line with the IAB Europe timeline, we expect to integrate with TCF 2.0 shortly after the switchover from TCF 1.1 and when 2.0 goes fully live, which we currently understand as by end of Q1 2020.”
So we wouldn’t say things are likely to run smoothly for the IAB CCPA Compliance Framework. Plus you shouldn’t forget that California is only one state. There’s still the possibility that other states will introduce their privacy bills. New York looks set to do so soon and people are saying their bill goes even further than CCPA.
In all this legislation chaos, how exactly are adtech firms supposed to survive then?
Well, the word on the street is that numbers are certainly down, publisher side. Some say that’s because of GDPR consent, for others, it’s owing to changes in cookie usage and many predict even lower numbers as CCPA comes into full force. Frankly, it’s going to be a rocky year for the industry.
That being said, there are still possibilities to try to innovate in other areas. Contextual advertising still shines like a beacon of hope—there are many opportunities to do something new in the space beyond keyword targeting.
So despite everything, we’re still staying quietly optimistic. After all, the industry has been in tough spots before and has come out on the other side.
Our advice? Keep producing creative, engaging ads that will resonate with your audience regardless of whether you have access to their data. And watch this space for more industry news and goings-on. We’ll be here to break down the key points and let you know how they’ll affect you.
Keen to know more about how Nexd can help your advertising strategy?
Listen in on a webinar hosted by Nexd CEO, Erik Tammenurm, Saving your Display Ad Campaign during the new Privacy Era.
Whether in the EU or US, privacy regulations are here to stay. Erik will explain to you how regulations are changing your ad campaigns. Watch the webinar today!