How digital privacy legislation could rock the ad industry

Examining worst case - and more likely - scenarios

“I think the question you are asking is, how fucked are we?”

I had recently been reading about the potential for yet another attempt at a national digital privacy law, and I found myselft wanting to understand two things:”

• What is the worst case scenario for the digital ad industry?

• What is likely to happen if a law actually gets passed - like say the proposed America Act.

After all, I’d written a fairly dire column a few months ago about the Digital Ad Industry’s Existential Crisis coming out of the IAB’s Annual Leadership meeting, where the fear regarding regulation was at a Defcon 3-4 level.

Since then, I’ve been wondering just how worried members of this data-driven marketing world should be about the potential for sweeping legislation, especially the kind of bill that is aimed at either combating anti trust or protecting consumers but inadvertently drops the hammer on all sorts of innocent and not so innocent bystanders in ad tech.

I asked several experts in this realm, including digital privacy lawyer Alan Chappell, who responded with the above off-color quote.
From what I can gather, here are some of the outcomes that could unfold:

1)The doomsday scenario

Just imaging that legislation passes that is even tougher than the EU’s General Data Protection Regulation (GDPR). Say a law that requires that all data collected for digital marketing purposes must be obtained directly via first party. For example, here’s a quote from Information Week on a current piece of legislation being debated in the The Subcommittee on Innovation, Data, and Commerce

“The proposed legislation speaks of minimizing data collection and associated potential harms to individuals, notification of data collection practices, and the rights of the individual to control data that pertains to them.”

Depending how something like this gets interpreted or enacted, this could be game over for the likes of The Trade Desk, as ad tech companies become super dumb pipes over night. Theoretically ad tech companies would not be able to use any data they didn’t directly and overtly collect from real people -and most people don’t have any relationships with the like of Pubmatic or Magnite.

This would be industry rocking and job killing, which is a really bad look right now - so I’d bet that nobody in DC would go this far - right?

“We are a ways away from Armageddon,” said Linnette Attai, founder of the compliance specialty firm Playwell. “While we’re closer than we’ve been to something passing, I don’t think there is an appetite for this kind of bill.”

2)The states go wild and cast a chill on some forms of digital marketing

This is where Chapell thinks we’re headed. “You’re already pretty fucked by California,” he said. When I asked why it doesn’t feel like much has changed, considering that California passed CCPA a few years ago, and a dozen state laws are n the works, he reminded me that officially CCPA enforcement starts in July, just when the industry heads out on post-Cannes vacations.

“Those guys have a significant amount of power. They can ask for just about anything and you have to hand it over,” he said.

If CCPA officials start showing up at various marketers or ad tech firms doors, you might see a pullback on anything resembling dicey targeting, such as the use of location data.

But there’s hope. Chapell said there are already signs that California officials will go to far and get slapped back by the courts. “There is a 100% chance they exceed their mandate.”

However, given how screwy it will be for American businesses to navigate umpteen state laws, there is likely to be more outcry for a straightforward national law, said Attai. Then all bets are off.

3)Kids laws cause unexpected headaches

Here’s where Attai thinks things could get messy. Numerous states, including Utah, are pushing laws aimed at protecting kids’ privacy - something pretty much no one is. against - by essentially upping the digital age limit to 18. “Children’s privacy is moving much faster,” she said. “There could be unintended consequences.”

For example, what if any site that reaches teens - think ESPN.com - would have to shut off any ad targeting or data collection whatsoever to those users. How do they manage that without wasting dollars or getting into more trouble?

4)The FTC gets drunk on banning TikTok

Here’s another area Chapell says to keep an eye on. In his view, the FTC has limited ability to go after digital privacy issues. But if Congress grants the body the ability to go after TikTok, it could become far more bold and empowered. Already, the FTC and IAB are at odds, reported AdExchanger.

The FTC is currently seeking feedback on a new set of rules. Here’s how it reads:

“The Commission invites comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.”

The regulator is also scrutinizing the use of pixel tracking overall (which is pretty fundamental to the web’s functionality).

“Academic and public reporting teams have found that thousands of the most visited webpages have pixels and other methods that leak personal information to third parties.” 

This kind of language sounds…bad? I suppose it depends on how you define terms like ‘unfair’ or ‘deceptive’ or even ‘third party.’ Regardless, as Chapell put it, once the FTC start nailing companies, they establish precedent for nailing other companies.

4) The rich get richer, again

Ali Manning, a former Google and Snap executive who is COO of the digital ad firm Chalice, sees this as a real possibility - i.e. that compliance with a new national privacy law could entail significant amounts of work and expenses, which big companies can absorb but become punitive for smaller publishers and ad tech firms. “It’s easy to imagine these kinds of unintended consequences.” Given digital advertising history post-GDPR, where the walled gardens have thrived, I’d have to agree.

5)We become more like Europe

As Attai explained, overall when it comes to digital privacy, “the UK is an opt-in regime. The US is opt out.” Meaning that oversees, the burden is on companies to get people to say yes to tracking and targeting, whereas in the US, it’s the opposite. Chapell says California’s laws are aimed at shifting those dynamics, which won’t be easy. “They’d like to back everyone into opt-in vs. opt out.”

Easier said than done. However, if you’re wondering how dramatic that kind of shift could be, well, think of what happened with Apple made cross app tracking opt-in. A whole mobile economy imploded.

5)Nothing happens

Remember, this America right? I remember IAB CEO Randy Rothenberg warning us about possible digital privacy crackdowns when Obama took office. Today, there are a large number of Congress men and women who think the most important issue facing our country is Hunter Biden’s laptop, not yours. So inaction is still a great bet.

So until things change, keep on retargeting and fingerprinting!