The measure is in play when CPRA comes into force

Data-driven thinkingis written by members of the media community and contains fresh insights into the digital revolution in media.

Today’s column is written by Gary Kibel, a partner in the privacy/data security and advertising/marketing practice groups at Davis+Gilbert.

The digital media industry has absorbed punches into its business model under the guise of privacy. Privacy advocates, including regulators and lawmakers, indiscriminately use the term “surveillance advertising” without recognizing the many benefits of data-driven advertising for businesses, consumers, and our economy. They also fail to recognize the many different advertising and marketing practices employed by the industry.

But we all agree that simply measuring the effectiveness of online advertising is a benign and harmless activity, right? Not so fast.

The California Privacy Rights Act (CPRA), which takes effect on January 1, 2023 and replaces the current California Consumer Privacy Act (CCPA), disrupts measurement and analytics practices.

Combining the data will be a no-go

The CCPA has already restricted the activities of “service providers” who process personal information on behalf of businesses. Under the CCPA, service providers may use a company’s personal information for permitted business purposes and for internal purposes such as improving the quality of their services, detecting fraud, and complying with laws. But they cannot use this data to build or modify consumer profiles.

The CPRA creates additional limits on what service providers can do with personal data, and these are somewhat troubling. Under the CPRA, service providers will now also be prohibited from “combining personal information they receive from or on behalf of the business with personal information they receive from or on behalf of another person or persons, or that it collects from its own interactions with the consumer.

But here’s the thing: measurement and analysis is about combining data. When an ad is shown on one website, the advertiser wants the results of that campaign to also be combined with the results of the ad showing on another website. This way, the advertiser can get a more complete picture of campaign effectiveness. But if this is no longer allowed, then the measure becomes a major obstacle.

The IAB is working on solutions for businesses to overcome these and other challenges that new laws will impose on the ad tech industry. But time is running out.

California’s new privacy agency charged with enforcing the CPRA is working to implement the regulations. The first draft, which was released on May 27, provided no relief on this combination issue. But this regulation is not yet final and will certainly be revised at least once more. In fact, much like what happened with the CCPA, they can be finalized on the eve of, or even after, the law’s effective date, further complicating compliance efforts.

In the meantime, the industry finds itself in an all-too-common position: explaining how the ad-tech industry works to legislators and regulators who mistakenly view all activities in the same light.

Follow Gary Kibel (@GaryKibel), Davis+Gilbert LLP (@dglaw) and Ad Exchange (@adexchanger) on Twitter.

Comments are closed.